OpenBSD CVS

CVS log for src/share/man/man5/pf.conf.5


Default branch: MAIN


Revision 1.602, Mon Apr 15 14:06:52 2024 UTC (7 weeks, 2 days ago) by jmc
Branch: MAIN
CVS Tags: HEAD
Changes since 1.601: +6 -2 lines

hint that the tcp timeout values can be adjusted collectively via
"set optimization"; from jesper wallin

ok bluhm

Revision 1.601, Mon Apr 15 14:04:49 2024 UTC (7 weeks, 2 days ago) by jmc
Branch: MAIN
Changes since 1.600: +5 -3 lines

document tcp.tsdiff; from jesper wallin
ok bluhm

Revision 1.600, Fri Nov 18 18:11:10 2022 UTC (18 months, 2 weeks ago) by kn
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.599: +6 -7 lines

Improve "once" bits

- use imperative tense in the pf.conf(5) "once" part
- leave printing implementation details to pfctl(8)'s "-s rules" part
- use more markup
- debug mode also prints expired rules

OK jmc sashan

Revision 1.599, Thu Nov 10 19:07:21 2022 UTC (18 months, 3 weeks ago) by jmc
Branch: MAIN
Changes since 1.598: +7 -9 lines

tweak the "once" text; ok sashan

Revision 1.598, Wed Nov 9 23:00:00 2022 UTC (18 months, 3 weeks ago) by sashan
Branch: MAIN
Changes since 1.597: +10 -6 lines

simplify expiration of 'once' rules.
let the packet mark the 'once' rule as expired. The rule
will be removed by pfctl(8) when rules are updated.

OK kn@

Revision 1.597, Sun Jul 24 12:22:12 2022 UTC (22 months, 1 week ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.596: +40 -50 lines

document limit-item "anchors"; from martin vahlensieck

while here, rework the "set limit" section:

- use a simple list
- add some missing defaults and limit-item

mbuhl helped fill in some of the blanks
ok kn

Revision 1.596, Fri May 27 15:45:02 2022 UTC (2 years ago) by jmc
Branch: MAIN
Changes since 1.595: +10 -2 lines

rework the text on mtu and mss, according to some notes from sthen;
ok sthen

Revision 1.595, Mon May 9 21:48:00 2022 UTC (2 years ago) by sthen
Branch: MAIN
Changes since 1.594: +12 -4 lines

Mention in the "proto icmp" section that standard stateful rules (i.e. the
default type of PF rule) don't allow ICMP responses unless they match an
existing state - tweak "keep state (sloppy)" to suggest from the first
sentence of the paragraph that it affects more than TCP. ok sashan@ bluhm@

Revision 1.594, Mon May 9 20:29:23 2022 UTC (2 years ago) by sashan
Branch: MAIN
Changes since 1.593: +3 -2 lines

pf.conf(5) should mention impact of sloppy state handling on ICMP

OK @bluhm

Revision 1.593, Thu Mar 31 17:27:23 2022 UTC (2 years, 2 months ago) by naddy
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.592: +4 -4 lines

man pages: add missing commas between subordinate and main clauses

jmc@ dislikes a comma before "then" in a conditional, so leave those
untouched.

ok jmc@

Revision 1.592, Wed Feb 23 13:37:06 2022 UTC (2 years, 3 months ago) by dlg
Branch: MAIN
Changes since 1.591: +19 -5 lines

better help for getting addresses for dgrams received with divert-to.

getsockname is for connected sockets, not all sockets. dgrams need
to use some setsockopt stuff and cmsgs to get packet info like that.

suggested by K R on bugs@

Revision 1.591, Fri Feb 18 23:17:15 2022 UTC (2 years, 3 months ago) by jsg
Branch: MAIN
Changes since 1.590: +4 -4 lines

Avoid gendered language in man pages when not referring to a specific
person. Rewrite or use singular they.

ok thfr@ sthen@ daniel@ ian@ job@ kmos@ jcs@ ratchov@ phessler@ and
others I'm likely missing on an earlier version.
feedback tj@, feedback and ok jmc@

Revision 1.590, Sun Dec 26 01:00:32 2021 UTC (2 years, 5 months ago) by sashan
Branch: MAIN
Changes since 1.589: +2 -5 lines

make 'set skip on ...' in pf.conf dynamic

This is an old issue in pf(4): whenever new interface appears
in IP stack, we must reload pf.conf to apply 'set skip on ...'
to newly plumbed network interfaces. Time has come to fix it.
The idea is to also create pfi_kif for interfaces, which are
referred by 'set skip on ...'. Such pfi_kif instances are
created/destroyed by pfi_set_flags()/pfi_clear_flags().

claudio@ dragged my attention to this in Gouveia. Also his
feedback helped me put the change into shape.

OK claudio@

Revision 1.589, Tue Dec 21 00:23:15 2021 UTC (2 years, 5 months ago) by jmatthew
Branch: MAIN
Changes since 1.588: +3 -3 lines

Multiply the number of states in the example adaptive timeout calculation
by 10 so it works with the numbers in the config, which were previously
multiplied.

ok dlg@

Revision 1.588, Mon Nov 1 07:51:51 2021 UTC (2 years, 7 months ago) by landry
Branch: MAIN
Changes since 1.587: +7 -6 lines

pf.conf.5: improve reply-to documentation

reply-to uses addresses, not interfaces anymore since
https://marc.info/?l=openbsd-cvs&m=161213948819452&w=2

make it clearer that reply-to allows for symmetric routing enforcement,
eg replying via a specific gateway when having multiple paths.

wording from sthen@, vastly improving my initial suggestion.
ok jmc@ dlg@

Revision 1.587, Mon Jul 19 16:23:56 2021 UTC (2 years, 10 months ago) by kn
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.586: +4 -4 lines

Markup optional ICMP/ICMP6 codes as such

Only icmp(4)/icmp6(4) types are required for `icmp-type'/`icmp6-type' rules
while codes are optional.

From Martin Vahlensieck < openbsd at academicsolutions dot ch >, thanks!

Revision 1.586, Mon Feb 1 00:31:04 2021 UTC (3 years, 4 months ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.585: +5 -9 lines

change route-to so it sends packets to IPs instead of interfaces.

this is a significant (and breaking) reworking of the policy based
routing that pf can do. the intention is to make it as easy as
nat/rdr to use, and more robust when it's operating.

the main reasons for this change are:

- route-to, reply-to, and dup-to do not work with pfsync

 this is because the information about where to route-to is stored in
 rules, and it is hard to have a ruleset synced between firewalls,
 and impossible to have them synced 100% of the time.

- i can make my boxes panic in certain situations using route-to

 yeah...

- the configuration and syntax for route-to rules are confusing.

 the argument to route-to and co is an interface name with an optional
 ip address. there are several problems with this. one is that people
 tend to think about routing as sending packets to peers by their
 address, not by the interface they're reachable on. another is that
 we currently have no way to synchronise interface topology information
 between firewalls, so using an interface to say where packets go
 means we can't do failover of these states with pfsync. another
 is that a change in routing topology means a host may become
 reachable over a different interface. tying routing policy to
 interfaces gets in the way of failover and load balancing.

this change does the following:

- stores the route info in the state instead of the pf rule

 this allows route-to to keep working when the ruleset changes, and
 allows route-to info to be sent over pfsync. there's enough spare bits
 in pfsync messages that the protocol doesn't break.

 the caveat is that route-to becomes tied to pass rules that create
 state, like rdr-to and nat-to.

- the argument to route-to etc is a destination ip address

 it's not limited to a next-hop address (though a next-hop can be a
 destination address). this allows for the failover and load balancing
 referred to above.

- deprecates the address@interface host syntax in pfctl

 because routing is done entirely by IPs, the interface is derived from
 the route lookup, not pf. any attempt to use the @interface syntax
 will fail now in all contexts.

there's enthusiasm from proctor@ jmatthew@ and others
ok sashan@ bluhm@

Revision 1.585, Mon Dec 7 08:29:41 2020 UTC (3 years, 5 months ago) by sashan
Branch: MAIN
Changes since 1.584: +3 -2 lines

synproxy should be processing incoming SYN packets only.
issue noticed by sthen@. fix discussed with bluhm@ and procter@

OK bluhm@, kn@, procter@

Revision 1.584, Mon Feb 10 13:18:20 2020 UTC (4 years, 3 months ago) by schwarze
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8, OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.583: +6 -4 lines

briefly mention /etc/examples/ in the FILES section of all the
manual pages that document the corresponding configuration files;
OK jmc@, and general direction discussed with many

Revision 1.583, Fri Jan 17 09:07:35 2020 UTC (4 years, 4 months ago) by sashan
Branch: MAIN
Changes since 1.582: +17 -2 lines

- pf.conf(5) should clearly state range match operator ':'
  does not work for uid/gid.

OK @kn, OK @sthen

Revision 1.582, Wed Oct 23 23:02:55 2019 UTC (4 years, 7 months ago) by kn
Branch: MAIN
Changes since 1.581: +8 -8 lines

Fix swapped default values of adaptive.start and adaptive.end timeouts

While here, enlist start before end to restore intuitive order.

Spotted by someone on IRC whose name I cannot recall, sorry.
OK sashan

Revision 1.581, Fri Aug 30 17:51:47 2019 UTC (4 years, 9 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.580: +3 -5 lines

mop up for the pcap.3 rename;
help/ok deraadt

Revision 1.580, Sun May 26 01:16:08 2019 UTC (5 years ago) by naddy
Branch: MAIN
Changes since 1.579: +4 -3 lines

use proper crossreferences

Revision 1.579, Wed May 8 21:09:57 2019 UTC (5 years, 1 month ago) by sashan
Branch: MAIN
Changes since 1.578: +58 -21 lines

update to PF pfctl(8) and pf.conf(5) manpages
great input by Ingo, Jason and Klemens

OK schwarze@, OK kn@, OK jmc@

Revision 1.578, Thu Apr 25 10:05:12 2019 UTC (5 years, 1 month ago) by yasuoka
Branch: MAIN
Changes since 1.577: +5 -3 lines

sticky-address is working with source-hash.

ok deraadt

Revision 1.577, Thu Jul 12 05:54:49 2018 UTC (5 years, 10 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5, OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.576: +2 -2 lines

syncookies never is the default; from paul de weerd
ok henning

Revision 1.576, Tue Jul 10 19:27:11 2018 UTC (5 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.575: +3 -3 lines

where we were showing "set limit states 10000" make that 100k as well,
and adjust adaptive.start/end as well (just like in the code)

Revision 1.575, Tue Jul 10 09:31:07 2018 UTC (5 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.574: +6 -1 lines

document set delay

Revision 1.574, Fri Feb 9 07:14:17 2018 UTC (6 years, 3 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.573: +3 -3 lines

a little more adjustment, after discussing with henning;

Revision 1.573, Thu Feb 8 17:51:43 2018 UTC (6 years, 3 months ago) by jmc
Branch: MAIN
Changes since 1.572: +12 -12 lines

tweak previous; ok henning

Revision 1.572, Thu Feb 8 09:14:19 2018 UTC (6 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.571: +29 -0 lines

give jmc another chance to "fix previous" - document syncookies
(thanks jmc!)

Revision 1.571, Mon Nov 13 18:18:53 2017 UTC (6 years, 6 months ago) by jmc
Branch: MAIN
Changes since 1.570: +6 -7 lines

tweak previous;

Revision 1.570, Mon Nov 13 11:30:11 2017 UTC (6 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.569: +18 -1 lines

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb

Revision 1.569, Sat Oct 14 06:50:21 2017 UTC (6 years, 7 months ago) by jmc
Branch: MAIN
Changes since 1.568: +8 -8 lines

tweak previous;

Revision 1.568, Fri Oct 13 23:41:34 2017 UTC (6 years, 7 months ago) by mikeb
Branch: MAIN
Changes since 1.567: +46 -40 lines

Integrate the description of flow queues into the main body of text

Revision 1.567, Thu Jul 13 14:41:17 2017 UTC (6 years, 10 months ago) by schwarze
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.566: +10 -7 lines

* Clarify that filter rules are evaluated once per packet and interface,
not only once per packet.
* Clarify that the syntax   anchor "name" { ... }   both loads and
evaluates the anchor, rather than merely loading it.
Triggered by questions from Benedikt Neuffer <bene at usta dot de>.
OK mikeb@

Revision 1.566, Thu Jun 8 15:39:38 2017 UTC (6 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.565: +4 -3 lines

clarify set prio: the second prio given applies to
1) TCP ACKs
2) packets with ToS=lowdelay
and not TCP ACKs that have ToS=lowdelay
confusion discovered during bsdcan pf tutorial

Revision 1.565, Wed May 31 09:30:38 2017 UTC (7 years ago) by henning
Branch: MAIN
Changes since 1.564: +5 -3 lines

clarify that translations happen immediately on match rules, not generally
Tony Gong <tony.y.gong at gmail>

Revision 1.564, Wed May 31 09:19:10 2017 UTC (7 years ago) by bluhm
Branch: MAIN
Changes since 1.563: +8 -7 lines

Block IPv6 packets in pf(4) that have hop-by-hop options header or
destination options header.  Such packets can be passed by adding
"allow-opts" to the rule.  So IPv6 options are handled like their
counterpart in IPv4 now.
tested by benno@; OK henning@

Revision 1.563, Mon May 22 19:15:29 2017 UTC (7 years ago) by jmc
Branch: MAIN
Changes since 1.562: +24 -32 lines

some tweaks to the QUEUEING section;
from mikeb and myself

Revision 1.562, Fri May 19 09:06:39 2017 UTC (7 years ago) by jmc
Branch: MAIN
Changes since 1.561: +15 -15 lines

replace tabs with spaces, for consistency, in the BNF display;
from michal mazurek

Revision 1.561, Thu May 18 11:50:47 2017 UTC (7 years ago) by jmc
Branch: MAIN
Changes since 1.560: +7 -10 lines

better describe "!";
from michal mazurek, tweaked a bit by myself

Revision 1.560, Tue May 16 22:29:02 2017 UTC (7 years ago) by jmc
Branch: MAIN
Changes since 1.559: +3 -5 lines

tweak the bandwidth description; help/ok mikeb

Revision 1.559, Mon May 15 17:16:31 2017 UTC (7 years ago) by jmc
Branch: MAIN
Changes since 1.558: +5 -6 lines

tweak previous; ok mikeb

Revision 1.558, Mon May 15 11:24:37 2017 UTC (7 years ago) by mikeb
Branch: MAIN
Changes since 1.557: +46 -5 lines

Document the new flow queue specification

With input and OK sthen

Revision 1.557, Tue Jan 17 21:08:34 2017 UTC (7 years, 4 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.556: +3 -3 lines

"hosts" is optional; from matthew martin
ok henning

Revision 1.556, Wed Jan 4 09:56:08 2017 UTC (7 years, 5 months ago) by tb
Branch: MAIN
Changes since 1.555: +3 -3 lines

modfier -> modifier

From Dimitris Papastamos.

Revision 1.555, Mon Jan 2 22:24:28 2017 UTC (7 years, 5 months ago) by jmc
Branch: MAIN
Changes since 1.554: +3 -3 lines

diff from jesper wallin to remove commas in one of the queue examples;
since the comma is optional i chose to remove them because:

- within the block it looks more consistent
- less to type
- the bnf doesn't even appear to show the commas (not that i can read bnf)
- i prefer it without commas

Revision 1.554, Sat Sep 24 10:10:58 2016 UTC (7 years, 8 months ago) by sthen
Branch: MAIN
Changes since 1.553: +6 -4 lines

Specify "to" addresses in one of the examples that shows use of af-to for
inet6->inet. Without this, local network traffic (including neighbour
discovery etc) will also get translated. From Peter J. Philipp, with a
tweak to break long lines.

Revision 1.553, Tue Sep 13 19:15:50 2016 UTC (7 years, 8 months ago) by jmc
Branch: MAIN
Changes since 1.552: +5 -5 lines

make it clearer that log options require ();
requested by janne johansson

ok henning

Revision 1.552, Sat May 14 08:21:40 2016 UTC (8 years ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0
Changes since 1.551: +3 -3 lines

unhyphenate the world: re-order -> reorder
sthen does not object

Revision 1.551, Tue Jan 5 22:51:38 2016 UTC (8 years, 5 months ago) by benno
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.550: +4 -3 lines

remove long deprecated "set debug "none|urgent|misc|loud" levels in
pf.conf. Change this before upgrade or pf.conf won't load.
florian@ henning@ phessler@ jung@

Revision 1.550, Tue Nov 3 11:21:16 2015 UTC (8 years, 7 months ago) by sobrado
Branch: MAIN
Changes since 1.549: +3 -3 lines

we need an unbreakable space in O(log2 n).

ok jmc@

Revision 1.549, Mon Oct 26 00:49:34 2015 UTC (8 years, 7 months ago) by schwarze
Branch: MAIN
Changes since 1.548: +483 -481 lines

adjust macro usage to the usual conventions

Revision 1.548, Thu Oct 22 11:02:48 2015 UTC (8 years, 7 months ago) by sobrado
Branch: MAIN
Changes since 1.547: +3 -3 lines

improve indentation in list block.

ok jmc@

Revision 1.547, Wed Sep 30 16:35:53 2015 UTC (8 years, 8 months ago) by sobrado
Branch: MAIN
Changes since 1.546: +4 -4 lines

fix some spelling messes.

ok jmc@

Revision 1.546, Mon Sep 14 20:06:59 2015 UTC (8 years, 8 months ago) by schwarze
Branch: MAIN
Changes since 1.545: +2 -5 lines

Avoid .Ns right after .Pf, it's pointless.
In some cases, do additional cleanup in the immediate vicinity.

Revision 1.545, Mon Feb 16 21:43:10 2015 UTC (9 years, 3 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8, OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.544: +35 -25 lines

after some discussion with henning, document the various log options as
one section; some text was altered to make it read better;

ok henning

Revision 1.544, Mon Feb 16 16:21:25 2015 UTC (9 years, 3 months ago) by bentley
Branch: MAIN
Changes since 1.543: +34 -34 lines

Don't use greater-equal/less-equal symbols where "<="/">=" are intended.

Also, clean up some usage of predefined strings (which are discouraged by
mandoc_char(7) for portability reasons) and improve spacing in
hostapd.conf(5).

ok schwarze@

Revision 1.543, Thu Feb 12 01:29:14 2015 UTC (9 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.542: +4 -2 lines

a shot at documenting the changed log(matches) semantics

Revision 1.542, Tue Feb 10 06:47:08 2015 UTC (9 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.541: +5 -2 lines

document matching on prio

Revision 1.541, Fri Jan 16 17:20:24 2015 UTC (9 years, 4 months ago) by schwarze
Branch: MAIN
Changes since 1.540: +13 -9 lines

properly handle opening parentheses, correctly quote vertical bars,
and do not use the legacy predefined string \*(Ba

Revision 1.540, Fri Dec 19 13:04:08 2014 UTC (9 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.539: +6 -10 lines

Support source-hash and random with tables and dynifs; not just pools.
This finally allows using source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@

Revision 1.539, Thu Oct 23 20:38:37 2014 UTC (9 years, 7 months ago) by kspillner
Branch: MAIN
Changes since 1.538: +3 -1 lines

Add GRAMMAR to list of sections.

ok jmc@, deraadt@ (begrudgingly)

Revision 1.538, Wed May 28 21:13:21 2014 UTC (10 years ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.537: +4 -4 lines

tweak previous;

Revision 1.537, Wed May 28 19:45:04 2014 UTC (10 years ago) by henning
Branch: MAIN
Changes since 1.536: +5 -4 lines

prio is meaningless when bandwidth shaping is in use, fix example
noticed by Marko Cupać <marko.cupac at mimar dot rs>

Revision 1.536, Tue Jan 21 03:15:46 2014 UTC (10 years, 4 months ago) by schwarze
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.535: +3 -3 lines

obvious .Pa fixes; found with mandocdb(8)

Revision 1.535, Tue Jan 21 01:52:18 2014 UTC (10 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.534: +6 -2 lines

document how any matches any non-loopback interface, ok benno

Revision 1.534, Mon Jan 20 02:59:55 2014 UTC (10 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.533: +2 -2 lines

document !received-on, ok dlg benno

Revision 1.533, Fri Jan 10 12:07:19 2014 UTC (10 years, 4 months ago) by sobrado
Branch: MAIN
Changes since 1.532: +3 -3 lines

Using random-id is recommended in combination with no-df to ensure
unique IP identifiers.

ok henning@

Revision 1.532, Sat Dec 21 20:57:01 2013 UTC (10 years, 5 months ago) by camield
Branch: MAIN
Changes since 1.531: +12 -28 lines

Document that the "user" socket check is not reliable with wildcard
listeners.  Update the example to reflect this.

Deprecate usage of user "unknown" too, same reason.

Noted by Maxim Khitrov on bugs

ok henning, jmc

Revision 1.531, Wed Nov 27 15:16:29 2013 UTC (10 years, 6 months ago) by jmc
Branch: MAIN
Changes since 1.530: +5 -2 lines

document better how priorities work, and fix an example;
diff originally from timo myyra, but tweaked according to henning
(equal prio packets are fifo, not round-robin);

ok henning

Revision 1.530, Sat Oct 12 21:44:57 2013 UTC (10 years, 7 months ago) by jmc
Branch: MAIN
Changes since 1.529: +2 -2 lines

i. e. -> i.e.

Revision 1.529, Sat Oct 12 12:44:24 2013 UTC (10 years, 7 months ago) by sthen
Branch: MAIN
Changes since 1.528: +3 -3 lines

explicitely->explicitly

Revision 1.528, Sat Oct 12 12:31:37 2013 UTC (10 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.527: +76 -245 lines

document new queueing. with lots of help from jmc. glanced over by many,
ok phessler sthen

Revision 1.527, Thu Apr 25 16:53:11 2013 UTC (11 years, 1 month ago) by sobrado
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.526: +4 -4 lines

fix range for assigned ports managed by the IANA (see RFC 1700).

ok sthen@

Revision 1.526, Tue Feb 19 23:01:15 2013 UTC (11 years, 3 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.525: +2 -2 lines

Make it clear that the default implicit 'pass' rule does not create state,
make sense to deraadt@, ok/wording tweak from mikeb.

Revision 1.525, Wed Jan 16 02:43:24 2013 UTC (11 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.524: +20 -20 lines

move the "set queue" block a bit down so that
a) things are in alphabetical order again
b) the "described below" in the set prio section actually refers to a block
of text below and not above it... ok jsing

Revision 1.524, Wed Jan 16 01:49:20 2013 UTC (11 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.523: +10 -10 lines

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
.  match set queue foo
instead of
.  match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc

Revision 1.523, Thu Oct 18 15:18:56 2012 UTC (11 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.522: +2 -2 lines

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states.  Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@

Revision 1.522, Thu Sep 20 11:52:46 2012 UTC (11 years, 8 months ago) by jmc
Branch: MAIN
Changes since 1.521: +2 -3 lines

remove unnecessary macro;

Revision 1.521, Thu Sep 20 09:43:49 2012 UTC (11 years, 8 months ago) by camield
Branch: MAIN
Changes since 1.520: +9 -4 lines

Lower pf frags limit to not risk running out of mbuf clusters
when dealing with lots of IP fragments.

This sets the default to 25% of the mbuf cluster maximum (hint
from beck).  And the example in the manpage is sane now.

ok mikeb henning beck deraadt

Revision 1.520, Tue Jul 10 17:22:52 2012 UTC (11 years, 10 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.519: +51 -49 lines

it seems previous was wrong, so move prio/tos out of OPTIONS,
and put them into the main filtering section, at least for now;

ok henning

Revision 1.519, Tue Jul 10 09:40:35 2012 UTC (11 years, 10 months ago) by jmc
Branch: MAIN
Changes since 1.518: +46 -47 lines

move set prio/tos into OPTIONS; ok henning

Revision 1.518, Mon Jul 9 20:52:59 2012 UTC (11 years, 10 months ago) by jmc
Branch: MAIN
Changes since 1.517: +2 -2 lines

one more prio -> set prio; ok henning

Revision 1.517, Mon Jul 9 15:20:57 2012 UTC (11 years, 11 months ago) by zinke
Branch: MAIN
Changes since 1.516: +6 -3 lines

Enable support for the 'weight' keyword in the 'least-states'
load balancing case, this allows Weighted Least States (WLS).
Everything prepared on c2k11 with help from mcbride@.

This finally makes PF ready for the cloud.

ok henning@ mikeb@ pyr@

Revision 1.516, Mon Jul 9 14:05:35 2012 UTC (11 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.515: +8 -8 lines

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler

Revision 1.515 / (download) - annotate - [select for diffs], Fri Jun 29 12:56:20 2012 UTC (11 years, 11 months ago) by jmc
Branch: MAIN
Changes since 1.514: +3 -4 lines
Diff to previous 1.514 (colored)

tcp/udp mandatory for "user"; from ti zed
ok henning

Revision 1.514 / (download) - annotate - [select for diffs], Tue Apr 24 14:56:08 2012 UTC (12 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.513: +7 -4 lines
Diff to previous 1.513 (colored)

take a stab at documenting when arguments need to be quoted, and valid macro
characters;

prompted by a diff from robert peichaer org

thanks gilles and henning for feedback
ok deraadt zinke

Revision 1.513 / (download) - annotate - [select for diffs], Tue Jan 31 07:46:32 2012 UTC (12 years, 4 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.512: +4 -4 lines
Diff to previous 1.512 (colored)

tweak previous;

Revision 1.512 / (download) - annotate - [select for diffs], Mon Jan 30 21:56:48 2012 UTC (12 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.511: +70 -2 lines
Diff to previous 1.511 (colored)

document af-to (aka nat64)

the patch was started by todd about a year ago and has been
finally finished by phessler and myself today; discussed with
and tweaks from jmc, ok sthen, henning

Revision 1.511 / (download) - annotate - [select for diffs], Mon Jan 16 01:18:31 2012 UTC (12 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.510: +4 -3 lines
Diff to previous 1.510 (colored)

Fix description for tcp.opening timeout in pf.conf(5).
Issue reported by Felix Rust; ok jmc@

Revision 1.510 / (download) - annotate - [select for diffs], Wed Jan 11 15:57:19 2012 UTC (12 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.509: +7 -3 lines
Diff to previous 1.509 (colored)

make "self" a bit more visible
from Sebastian Benoit <benoit-lists at fb12.de>, ok/input jmc, reminder/input
deraadt and too much of a trail to mention all of it, thx everybody involved

Revision 1.509 / (download) - annotate - [select for diffs], Sun Nov 27 19:55:18 2011 UTC (12 years, 6 months ago) by haesbaert
Branch: MAIN
Changes since 1.508: +6 -2 lines
Diff to previous 1.508 (colored)

Manpage bits for the recent changes in vlan(4) prio handling.

ok jmc henning sthen claudio

Revision 1.508 / (download) - annotate - [select for diffs], Tue Aug 30 00:47:16 2011 UTC (12 years, 9 months ago) by mikeb
Branch: MAIN
Changes since 1.507: +9 -3 lines
Diff to previous 1.507 (colored)

Document a "once" filter option used to create one shot rules.

ok henning, mcbride, jmc

Revision 1.507 / (download) - annotate - [select for diffs], Thu Aug 18 10:49:40 2011 UTC (12 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.506: +3 -3 lines
Diff to previous 1.506 (colored)

fix overload table BNF
From: william dunand <william.dunand at gmail.com>

Revision 1.506 / (download) - annotate - [select for diffs], Tue Aug 16 14:48:39 2011 UTC (12 years, 9 months ago) by mikeb
Branch: MAIN
Changes since 1.505: +6 -3 lines
Diff to previous 1.505 (colored)

Sync documentation with code on the matter of max state limit behavior.
When one of the state limits is reached, further packets that would
create state are dropped, until existing states time out.  Discussed
with mcbride, ok henning, jmc

Revision 1.505 / (download) - annotate - [select for diffs], Mon Aug 8 02:50:57 2011 UTC (12 years, 10 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.504: +10 -4 lines
Diff to previous 1.504 (colored)

sync 'set-tos' with 'tos' keyword (DiffServ is supported by both)

ok deraadt

Revision 1.504 / (download) - annotate - [select for diffs], Fri Jul 29 10:51:46 2011 UTC (12 years, 10 months ago) by mcbride
Branch: MAIN
Changes since 1.503: +1 -4 lines
Diff to previous 1.503 (colored)

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning

Revision 1.503 / (download) - annotate - [select for diffs], Wed Jul 27 07:16:08 2011 UTC (12 years, 10 months ago) by jmc
Branch: MAIN
Changes since 1.502: +10 -9 lines
Diff to previous 1.502 (colored)

- new sentence, new line
- zap trailing whitespace

Revision 1.502 / (download) - annotate - [select for diffs], Wed Jul 27 00:26:10 2011 UTC (12 years, 10 months ago) by mcbride
Branch: MAIN
Changes since 1.501: +25 -21 lines
Diff to previous 1.501 (colored)

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt

Revision 1.501 / (download) - annotate - [select for diffs], Sat Jul 9 00:20:18 2011 UTC (12 years, 11 months ago) by jmc
Branch: MAIN
Changes since 1.500: +4 -4 lines
Diff to previous 1.500 (colored)

zap trailing whitespace;

Revision 1.500 / (download) - annotate - [select for diffs], Fri Jul 8 22:20:56 2011 UTC (12 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.499: +26 -1 lines
Diff to previous 1.499 (colored)

Initial description of 'prio' keyword.

ok henning

Revision 1.499 / (download) - annotate - [select for diffs], Mon Jul 4 05:59:38 2011 UTC (12 years, 11 months ago) by tedu
Branch: MAIN
Changes since 1.498: +4 -8 lines
Diff to previous 1.498 (colored)

jmc found a few more mentions of RIO here

Revision 1.498 / (download) - annotate - [select for diffs], Mon Jul 4 05:49:00 2011 UTC (12 years, 11 months ago) by jmc
Branch: MAIN
Changes since 1.497: +6 -6 lines
Diff to previous 1.497 (colored)

tweak previous;

Revision 1.497 / (download) - annotate - [select for diffs], Mon Jul 4 03:36:14 2011 UTC (12 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.496: +2 -14 lines
Diff to previous 1.496 (colored)

bye bye require-order.
I added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we have had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo

Revision 1.496 / (download) - annotate - [select for diffs], Sun Jul 3 23:37:55 2011 UTC (12 years, 11 months ago) by zinke
Branch: MAIN
Changes since 1.495: +20 -6 lines
Diff to previous 1.495 (colored)

bring in least-states load balancing algorithm

ok mcbride@ henning@

Revision 1.495 / (download) - annotate - [select for diffs], Thu Jun 23 20:35:22 2011 UTC (12 years, 11 months ago) by sthen
Branch: MAIN
Changes since 1.494: +7 -2 lines
Diff to previous 1.494 (colored)

Use a common text explaining how the various configuration parsers using
the standard OpenBSD-style parse.y handle continuing lines with backslashes,
paying particular attention to how comments are handled (which can cause
nasty side-effects if you're not expecting it).

Most wording from jmc@, with suggestions from fgsch@, marc@, Richard Toohey,
patrick keshishian and Florian Obser, ok jmc@.

Revision 1.494 / (download) - annotate - [select for diffs], Fri May 20 22:57:20 2011 UTC (13 years ago) by sthen
Branch: MAIN
Changes since 1.493: +5 -2 lines
Diff to previous 1.493 (colored)

Point out that the 'set skip' interfaces are currently only evaluated at
config load time. This may change in future but for now it's better to
document it.

Revision 1.493 / (download) - annotate - [select for diffs], Mon May 2 07:04:59 2011 UTC (13 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.492: +4 -3 lines
Diff to previous 1.492 (colored)

update BNF for "set limit"; from Lawrence Teo
ok henning

Revision 1.492 / (download) - annotate - [select for diffs], Wed Apr 6 13:20:44 2011 UTC (13 years, 2 months ago) by claudio
Branch: MAIN
Changes since 1.491: +7 -3 lines
Diff to previous 1.491 (colored)

Documentation for "on rdomain <number>". OK henning@

Revision 1.491 / (download) - annotate - [select for diffs], Tue Apr 5 14:05:45 2011 UTC (13 years, 2 months ago) by jsg
Branch: MAIN
Changes since 1.490: +3 -7 lines
Diff to previous 1.490 (colored)

remove mention of fastroute here as well
'you are not allowed to speak until you commit' mikeb@

Revision 1.490 / (download) - annotate - [select for diffs], Fri Mar 25 11:09:38 2011 UTC (13 years, 2 months ago) by bluhm
Branch: MAIN
Changes since 1.489: +6 -4 lines
Diff to previous 1.489 (colored)

Pf can reassemble IPv6 fragments now.
ok jmc@

Revision 1.489 / (download) - annotate - [select for diffs], Tue Feb 1 17:31:47 2011 UTC (13 years, 4 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.488: +10 -4 lines
Diff to previous 1.488 (colored)

- remove an ambiguity regarding the state description. i used part of a
diff from patrick keshishian on misc for this

- document that packets passed by default, matching neither block nor
pass rules, are effectively created with "no state"; as discovered by tedu

...after much discussion on misc and with henning

Revision 1.488 / (download) - annotate - [select for diffs], Sun Jan 23 23:34:18 2011 UTC (13 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.487: +12 -2 lines
Diff to previous 1.487 (colored)

bit more on reflection, From: James Jerkins <jjerkins at una.edu>
with tweaks from jmc

Revision 1.487 / (download) - annotate - [select for diffs], Thu Jan 20 08:44:12 2011 UTC (13 years, 4 months ago) by sthen
Branch: MAIN
Changes since 1.486: +3 -3 lines
Diff to previous 1.486 (colored)

Fix an example using rdr-to where a couple of hosts were exempted from
the redirect; the sample rule used "match" for the general case which
negated the exemptions. From Harald Dunkel.

Revision 1.486 / (download) - annotate - [select for diffs], Fri Dec 31 12:15:31 2010 UTC (13 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.485: +5 -5 lines
Diff to previous 1.485 (colored)

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules.  Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@

Revision 1.485 / (download) - annotate - [select for diffs], Thu Dec 23 14:39:21 2010 UTC (13 years, 5 months ago) by jmc
Branch: MAIN
Changes since 1.484: +5 -3 lines
Diff to previous 1.484 (colored)

fix my last (sloppy) fix; from Thomas Pfaff
ok henning

Revision 1.484 / (download) - annotate - [select for diffs], Wed Dec 22 22:20:36 2010 UTC (13 years, 5 months ago) by jmc
Branch: MAIN
Changes since 1.483: +20 -7 lines
Diff to previous 1.483 (colored)

fix sloppy paste in;

Revision 1.483 / (download) - annotate - [select for diffs], Wed Dec 22 21:05:19 2010 UTC (13 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.482: +8 -16 lines
Diff to previous 1.482 (colored)

adjust set debug description to reality
From: Thomas Pfaff <tpfaff@tp76.info>

Revision 1.482 / (download) - annotate - [select for diffs], Wed Dec 15 14:06:05 2010 UTC (13 years, 5 months ago) by jmc
Branch: MAIN
Changes since 1.481: +4 -6 lines
Diff to previous 1.481 (colored)

- clarify the "probability" text; based on a diff from Thomas Pfaff
ok henning

- while here, knock out a bad .Pp

Revision 1.481 / (download) - annotate - [select for diffs], Fri Sep 24 10:57:16 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.480: +7 -7 lines
Diff to previous 1.480 (colored)

oops. the notes I just added looked like shit because I'm too smart to
actually look at the manpage when changing it. ok jmc

Revision 1.480 / (download) - annotate - [select for diffs], Fri Sep 24 10:41:36 2010 UTC (13 years, 8 months ago) by jmc
Branch: MAIN
Changes since 1.479: +10 -6 lines
Diff to previous 1.479 (colored)

tweak previous;

Revision 1.479 / (download) - annotate - [select for diffs], Fri Sep 24 09:19:04 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.478: +6 -2 lines
Diff to previous 1.478 (colored)

for rdr-to and nat-to, mention in which direction they are usually used
and mention the constraints for use in the "unnatural" direction
ok claudio ryan dlg

Revision 1.478 / (download) - annotate - [select for diffs], Wed Sep 22 06:03:32 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.477: +5 -3 lines
Diff to previous 1.477 (colored)

document how to play with matches

Revision 1.477 / (download) - annotate - [select for diffs], Fri Aug 20 13:01:43 2010 UTC (13 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.476: +4 -4 lines
Diff to previous 1.476 (colored)

sync divert-packet documentation with reality
PR 6448 pjp at centroid dot eu

Revision 1.476 / (download) - annotate - [select for diffs], Wed May 19 13:51:37 2010 UTC (14 years ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.475: +6 -8 lines
Diff to previous 1.475 (colored)

redo the list of "sticky" parameters for match rules;

- include translation options
- include "scrub"
- don't include max-mss etc, which aren't used directly; rather, they
are written like 'match ... scrub (max-mss xxx)'

ok jmc@ henning@

Revision 1.475 / (download) - annotate - [select for diffs], Thu Apr 1 19:09:36 2010 UTC (14 years, 2 months ago) by jsg
Branch: MAIN
Changes since 1.474: +2 -3 lines
Diff to previous 1.474 (colored)

Don't mention translation in the require-order blurb as it is now
part of filtering.

ok henning@

Revision 1.474 / (download) - annotate - [select for diffs], Thu Mar 18 21:49:20 2010 UTC (14 years, 2 months ago) by jmc
Branch: MAIN
Changes since 1.473: +4 -2 lines
Diff to previous 1.473 (colored)

add divert-* to bnf; from Dave Anderson
ok henning

Revision 1.473 / (download) - annotate - [select for diffs], Fri Feb 19 12:29:06 2010 UTC (14 years, 3 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.472: +3 -3 lines
Diff to previous 1.472 (colored)

missing "
From: Aivar Jaakson <aivar@cirt.pri.ee>

Revision 1.472 / (download) - annotate - [select for diffs], Thu Feb 18 16:29:40 2010 UTC (14 years, 3 months ago) by jmc
Branch: MAIN
Changes since 1.471: +3 -3 lines
Diff to previous 1.471 (colored)

missing `]'; from Aivar Jaakson

Revision 1.471 / (download) - annotate - [select for diffs], Tue Feb 2 19:16:50 2010 UTC (14 years, 4 months ago) by sthen
Branch: MAIN
Changes since 1.470: +2 -2 lines
Diff to previous 1.470 (colored)

Add missing 'in' in sample rdr-to rule. Noted by Steve Williams.

Revision 1.470 / (download) - annotate - [select for diffs], Tue Jan 12 18:42:36 2010 UTC (14 years, 4 months ago) by jmc
Branch: MAIN
Changes since 1.469: +3 -3 lines
Diff to previous 1.469 (colored)

better word MSS in pf.conf.5, from Lars Nooden;
the changes in pppoe.4 are just to keep things consistent...

Revision 1.469 / (download) - annotate - [select for diffs], Tue Jan 12 03:20:51 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.468: +3 -2 lines
Diff to previous 1.468 (colored)

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio

Revision 1.468 / (download) - annotate - [select for diffs], Thu Dec 24 17:00:48 2009 UTC (14 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.467: +4 -7 lines
Diff to previous 1.467 (colored)

correct the text for received-on; ok dlg

Revision 1.467 / (download) - annotate - [select for diffs], Thu Dec 24 09:35:33 2009 UTC (14 years, 5 months ago) by jmc
Branch: MAIN
Changes since 1.466: +3 -3 lines
Diff to previous 1.466 (colored)

tweak previous;

Revision 1.466 / (download) - annotate - [select for diffs], Thu Dec 24 07:14:46 2009 UTC (14 years, 5 months ago) by dlg
Branch: MAIN
Changes since 1.465: +12 -3 lines
Diff to previous 1.465 (colored)

try to document received-on.

Revision 1.465 / (download) - annotate - [select for diffs], Mon Nov 30 18:51:57 2009 UTC (14 years, 6 months ago) by sthen
Branch: MAIN
Changes since 1.464: +2 -7 lines
Diff to previous 1.464 (colored)

It doesn't make sense to talk about doing packet tagging "during
nat-to or rdr-to in addition to filter rules".

Revision 1.464 / (download) - annotate - [select for diffs], Tue Nov 10 09:10:11 2009 UTC (14 years, 6 months ago) by sthen
Branch: MAIN
Changes since 1.463: +8 -6 lines
Diff to previous 1.463 (colored)

adjust one of the examples/descriptions for nat-to; it used to be
'nat pass' and the nearest equivalent now is to use 'pass quick...nat-to',
not just 'pass...nat-to'. ok henning@ jmc@

Revision 1.463 / (download) - annotate - [select for diffs], Fri Nov 6 11:44:15 2009 UTC (14 years, 7 months ago) by eric
Branch: MAIN
Changes since 1.462: +4 -4 lines
Diff to previous 1.462 (colored)

correct values for set reassemble

ok henning@ pyr@

Revision 1.462 / (download) - annotate - [select for diffs], Thu Nov 5 16:01:36 2009 UTC (14 years, 7 months ago) by sthen
Branch: MAIN
Changes since 1.461: +9 -21 lines
Diff to previous 1.461 (colored)

Adjust the description of network translation to match the code
following the nat-to changes. Reworked slightly from a diff from eric@.
ok henning jmc

Revision 1.461 / (download) - annotate - [select for diffs], Wed Oct 14 14:17:53 2009 UTC (14 years, 7 months ago) by jmeltzer
Branch: MAIN
Changes since 1.460: +3 -3 lines
Diff to previous 1.460 (colored)

Second example discussing the pass modifier with rdr-to
should actually use the pass modifier.

ok henning jmc

Revision 1.460 / (download) - annotate - [select for diffs], Sun Oct 4 16:08:37 2009 UTC (14 years, 8 months ago) by michele
Branch: MAIN
Changes since 1.459: +13 -2 lines
Diff to previous 1.459 (colored)

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion,
especially canacar@ who spotted the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more so with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@

Revision 1.459 / (download) - annotate - [select for diffs], Fri Sep 25 14:08:04 2009 UTC (14 years, 8 months ago) by jmc
Branch: MAIN
Changes since 1.458: +14 -11 lines
Diff to previous 1.458 (colored)

some clarification of "set reassemble" and "no-df"; help/ok henning

Revision 1.458 / (download) - annotate - [select for diffs], Tue Sep 22 10:42:08 2009 UTC (14 years, 8 months ago) by jmc
Branch: MAIN
Changes since 1.457: +15 -7 lines
Diff to previous 1.457 (colored)

floating/if-bound may be used per-rule; ok henning

Revision 1.457 / (download) - annotate - [select for diffs], Tue Sep 8 17:52:17 2009 UTC (14 years, 9 months ago) by michele
Branch: MAIN
Changes since 1.456: +0 -6 lines
Diff to previous 1.456 (colored)

I had not enough oks to commit this diff.
Sorry.

Revision 1.456 / (download) - annotate - [select for diffs], Tue Sep 8 17:00:41 2009 UTC (14 years, 9 months ago) by michele
Branch: MAIN
Changes since 1.455: +7 -1 lines
Diff to previous 1.455 (colored)

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.

Revision 1.455 / (download) - annotate - [select for diffs], Mon Sep 7 12:21:10 2009 UTC (14 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.454: +35 -2 lines
Diff to previous 1.454 (colored)

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel.  this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@

Revision 1.454 / (download) - annotate - [select for diffs], Mon Sep 7 11:28:34 2009 UTC (14 years, 9 months ago) by jmc
Branch: MAIN
Changes since 1.453: +4 -5 lines
Diff to previous 1.453 (colored)

remove the trans-anchors bnf entry too; ok sthen henning

Revision 1.453 / (download) - annotate - [select for diffs], Mon Sep 7 10:36:13 2009 UTC (14 years, 9 months ago) by jmc
Branch: MAIN
Changes since 1.452: +2 -5 lines
Diff to previous 1.452 (colored)

remove *-anchor bits from BNF; ok sthen

Revision 1.452 / (download) - annotate - [select for diffs], Thu Sep 3 17:53:25 2009 UTC (14 years, 9 months ago) by jmc
Branch: MAIN
Changes since 1.451: +1279 -1282 lines
Diff to previous 1.451 (colored)

the recent changes to translation make the ordering of this document
slightly redundant: move the packet filtering section to the top,
and make translation a subsection;

ok henning

Revision 1.451 / (download) - annotate - [select for diffs], Wed Sep 2 14:50:01 2009 UTC (14 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.450: +3 -3 lines
Diff to previous 1.450 (colored)

match in pass is bullshit (conversion error from nat pass), spotted by phessler

Revision 1.450 / (download) - annotate - [select for diffs], Wed Sep 2 13:28:02 2009 UTC (14 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.449: +4 -4 lines
Diff to previous 1.449 (colored)

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...).  take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
  pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
  pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@

Revision 1.449 / (download) - annotate - [select for diffs], Tue Sep 1 13:43:15 2009 UTC (14 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.448: +74 -139 lines
Diff to previous 1.448 (colored)

document new pf. mostly from igor, input and bnf by me

Revision 1.448 / (download) - annotate - [select for diffs], Tue Jul 28 13:29:45 2009 UTC (14 years, 10 months ago) by claudio
Branch: MAIN
Changes since 1.447: +10 -4 lines
Diff to previous 1.447 (colored)

Recommit rev. 1.446; it is again possible to use DSCP names in tos and settos
statements.

Revision 1.447 / (download) - annotate - [select for diffs], Mon Jul 27 19:04:30 2009 UTC (14 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.446: +2 -8 lines
Diff to previous 1.446 (colored)

Please don't commit documentation for changes which don't compile in
the tree.  Surely you were involved and noticed that the tree was being
broken.

Revision 1.446 / (download) - annotate - [select for diffs], Mon Jul 27 13:39:03 2009 UTC (14 years, 10 months ago) by sthen
Branch: MAIN
Changes since 1.445: +10 -4 lines
Diff to previous 1.445 (colored)

List the additional TOS values and DiffServ Code Points now recognised
by pfctl(8).

Revision 1.445 / (download) - annotate - [select for diffs], Sun Jul 19 14:05:36 2009 UTC (14 years, 10 months ago) by sobrado
Branch: MAIN
Changes since 1.444: +7 -7 lines
Diff to previous 1.444 (colored)

take out a few .Ar macros from the examples.

pointed out by jmc@

Revision 1.444 / (download) - annotate - [select for diffs], Sat Jul 18 20:28:15 2009 UTC (14 years, 10 months ago) by sobrado
Branch: MAIN
Changes since 1.443: +9 -5 lines
Diff to previous 1.443 (colored)

use a better layout to improve readability.

ok henning@

Revision 1.443 / (download) - annotate - [select for diffs], Sat May 30 16:56:17 2009 UTC (15 years ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6
Changes since 1.442: +7 -3 lines
Diff to previous 1.442 (colored)

correct the bnf for return-rst, and describe the optional ttl parameter
for it;

started by a mail from Laurent Ghigonis
ok fgsch henning

Revision 1.442 / (download) - annotate - [select for diffs], Fri May 1 09:01:26 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.441: +3 -3 lines
Diff to previous 1.441 (colored)

use printf instead of echo for one of the anchor examples - this allows it
to work for users of csh and /bin/echo;

Revision 1.441 / (download) - annotate - [select for diffs], Mon Apr 27 21:52:26 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.440: +385 -384 lines
Diff to previous 1.440 (colored)

now that require-order is no longer on by default, we can relax the ordering
of this page a little; instead of talking about statement types, just provide
a brief overview of the page;

Revision 1.440 / (download) - annotate - [select for diffs], Mon Apr 27 19:04:42 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.439: +38 -52 lines
Diff to previous 1.439 (colored)

- use .Dl for short displays
- .Nm does not require args

Revision 1.439 / (download) - annotate - [select for diffs], Mon Apr 27 15:32:52 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.438: +87 -102 lines
Diff to previous 1.438 (colored)

- restructure the ANCHORS section
- no need to escape quotes within displays

Revision 1.438 / (download) - annotate - [select for diffs], Sun Apr 26 12:30:20 2009 UTC (15 years, 1 month ago) by sthen
Branch: MAIN
Changes since 1.437: +7 -22 lines
Diff to previous 1.437 (colored)

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@

Revision 1.437 / (download) - annotate - [select for diffs], Fri Apr 24 20:35:01 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.436: +16 -20 lines
Diff to previous 1.436 (colored)

tweak ANCHORS;

Revision 1.436 / (download) - annotate - [select for diffs], Fri Apr 24 15:40:02 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.435: +105 -142 lines
Diff to previous 1.435 (colored)

reduce the verbosity of the two examples sections, and provide some
indent;

ok henning

Revision 1.435 / (download) - annotate - [select for diffs], Fri Apr 24 05:44:39 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.434: +437 -429 lines
Diff to previous 1.434 (colored)

rearrange/merge the various sections to impose some structure on this page;
ok henning

Revision 1.434 / (download) - annotate - [select for diffs], Wed Apr 22 13:32:25 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.433: +80 -121 lines
Diff to previous 1.433 (colored)

tweaks for the final sections;

Revision 1.433 / (download) - annotate - [select for diffs], Tue Apr 21 16:11:51 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.432: +56 -56 lines
Diff to previous 1.432 (colored)

final sort;

Revision 1.432 / (download) - annotate - [select for diffs], Tue Apr 21 16:04:27 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.431: +13 -15 lines
Diff to previous 1.431 (colored)

tweak NORMALIZATION;

Revision 1.431 / (download) - annotate - [select for diffs], Tue Apr 21 14:08:18 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.430: +4 -6 lines
Diff to previous 1.430 (colored)

simplify "log (user)"; help/ok henning

Revision 1.430 / (download) - annotate - [select for diffs], Tue Apr 21 12:41:48 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.429: +52 -61 lines
Diff to previous 1.429 (colored)

tweak PARAMETERS;

Revision 1.429 / (download) - annotate - [select for diffs], Tue Apr 21 11:33:42 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.428: +154 -134 lines
Diff to previous 1.428 (colored)

sort PARAMETERS; also split the list in two, to make it more manageable;
ok henning deraadt

Revision 1.428 / (download) - annotate - [select for diffs], Mon Apr 20 20:42:49 2009 UTC (15 years, 1 month ago) by sthen
Branch: MAIN
Changes since 1.427: +5 -5 lines
Diff to previous 1.427 (colored)

Don't talk about a "scrub reassemble tcp" rule, talk about "reassemble
tcp" parameter. ok henning@

Revision 1.427 / (download) - annotate - [select for diffs], Fri Apr 17 07:00:26 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.426: +8 -11 lines
Diff to previous 1.426 (colored)

tweak PACKET FILTERING;

Revision 1.426 / (download) - annotate - [select for diffs], Thu Apr 16 07:31:51 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.425: +24 -32 lines
Diff to previous 1.425 (colored)

tweak TRANSLATION;

Revision 1.425 / (download) - annotate - [select for diffs], Wed Apr 15 09:54:29 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.424: +5 -6 lines
Diff to previous 1.424 (colored)

comment out the RIO stuff until such a time as it is enabled; ok henning

Revision 1.424 / (download) - annotate - [select for diffs], Wed Apr 15 08:27:08 2009 UTC (15 years, 1 month ago) by sobrado
Branch: MAIN
Changes since 1.423: +21 -21 lines
Diff to previous 1.423 (colored)

code and Backus-Naur Form specification rules must fit on 80-column displays;
while here, remove a few superfluous line breaks in examples.

ok henning@, jmc@

Revision 1.423 / (download) - annotate - [select for diffs], Wed Apr 15 07:21:26 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.422: +39 -86 lines
Diff to previous 1.422 (colored)

tweak QUEUEING;

Revision 1.422 / (download) - annotate - [select for diffs], Wed Apr 15 06:08:27 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.421: +27 -25 lines
Diff to previous 1.421 (colored)

sort QUEUEING, and a little list tweaking;

Revision 1.421 / (download) - annotate - [select for diffs], Tue Apr 14 14:03:53 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.420: +7 -12 lines
Diff to previous 1.420 (colored)

tweak TABLES;

Revision 1.420 / (download) - annotate - [select for diffs], Tue Apr 14 08:29:06 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.419: +21 -52 lines
Diff to previous 1.419 (colored)

tweak OPTIONS; also there is no need to give an example of every "set"
argument, so remove any examples that were not particularly illustrative;

ok henning

Revision 1.419 / (download) - annotate - [select for diffs], Mon Apr 13 19:08:49 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.418: +239 -246 lines
Diff to previous 1.418 (colored)

sort OPTIONS;

Revision 1.418 / (download) - annotate - [select for diffs], Fri Apr 10 21:43:37 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.417: +22 -18 lines
Diff to previous 1.417 (colored)

tweak TABLES;

Revision 1.417 / (download) - annotate - [select for diffs], Fri Apr 10 21:27:04 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.416: +37 -40 lines
Diff to previous 1.416 (colored)

some improvements for the PACKET FILTERING section;
feedback (i.e. much tearing of hair) and ok henning

Revision 1.416 / (download) - annotate - [select for diffs], Tue Apr 7 13:52:29 2009 UTC (15 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.415: +10 -10 lines
Diff to previous 1.415 (colored)

bnf-tweaks

Revision 1.415 / (download) - annotate - [select for diffs], Tue Apr 7 13:48:38 2009 UTC (15 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.414: +10 -10 lines
Diff to previous 1.414 (colored)

don't we all love BNF? make it lie less

Revision 1.414 / (download) - annotate - [select for diffs], Tue Apr 7 13:40:18 2009 UTC (15 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.413: +2 -2 lines
Diff to previous 1.413 (colored)

nits

Revision 1.413 / (download) - annotate - [select for diffs], Tue Apr 7 13:27:32 2009 UTC (15 years, 2 months ago) by jmc
Branch: MAIN
Changes since 1.412: +141 -161 lines
Diff to previous 1.412 (colored)

catch up with recent changes (scrub, match, ...); still a ways to go
ok henning

Revision 1.412 / (download) - annotate - [select for diffs], Tue Apr 7 12:52:57 2009 UTC (15 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.411: +3 -2 lines
Diff to previous 1.411 (colored)

fragment reassembly on by default

Revision 1.411 / (download) - annotate - [select for diffs], Tue Apr 7 12:50:44 2009 UTC (15 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.410: +2 -2 lines
Diff to previous 1.410 (colored)

bit more precise

Revision 1.410 / (download) - annotate - [select for diffs], Mon Apr 6 17:33:21 2009 UTC (15 years, 2 months ago) by sobrado
Branch: MAIN
Changes since 1.409: +24 -10 lines
Diff to previous 1.409 (colored)

rewrite the description for the recently added "match" action.

ok henning@

Revision 1.409 / (download) - annotate - [select for diffs], Mon Apr 6 17:22:02 2009 UTC (15 years, 2 months ago) by sthen
Branch: MAIN
Changes since 1.408: +1 -2 lines
Diff to previous 1.408 (colored)

no more normalization statements, remove it from require-order description.
ok henning

Revision 1.408 / (download) - annotate - [select for diffs], Mon Apr 6 16:30:20 2009 UTC (15 years, 2 months ago) by sobrado
Branch: MAIN
Changes since 1.407: +33 -61 lines
Diff to previous 1.407 (colored)

documentation changes related with the monster pf diff from basel;
we are mostly documenting that fragment reassembly has nothing to do
with scrubbing anymore; there is room for a lot of improvements yet.

"commit it and we work on it in-tree.  it is certainly well,
better than what there is now" henning@

Revision 1.407 / (download) - annotate - [select for diffs], Mon Apr 6 12:05:55 2009 UTC (15 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.406: +12 -3 lines
Diff to previous 1.406 (colored)

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
.  set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
.  pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
.  match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. as opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
.  pass
.  match
passes the packet, and
.  block
.  match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
 means a single packet can get logged more than once (think multiple log
 interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
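
The semantics described in the commit message above, as an added pf.conf fragment that is not part of the commit or of the man page. It is written in the 2009 syntax the message describes (altq queue definitions, `queue` assignment on rules); on current OpenBSD queues are defined with the newer `queue` statement and assigned with `set queue`, and scrub options are written space-separated, although the comma-separated form shown in the commit is also accepted. The interface em0, the queue names, the bandwidths and the pflog1 receiver are assumptions chosen for the illustration.

```pf
# Added example: how match, pass and block interact (2009 syntax).
# em0, ssh_q, bulk, 10Mb and pflog1 are assumptions, not values from the page.

# Queue definitions, needed for the queue assignments below to load.
altq on em0 cbq bandwidth 10Mb queue { ssh_q, bulk }
queue ssh_q bandwidth 10% priority 7 cbq(borrow)
queue bulk  bandwidth 90% cbq(default)

# Only one reassembly method remains.  no-df clears DF on fragments only;
# non-fragmented packets are left alone.
set reassemble yes no-df

# match never decides pass/block.  Every time a match rule matches it records
# its actions (scrub options, queue, rtable, log) on the packet.
match out on em0 all scrub (no-df min-ttl 64 max-mss 1400 random-id)
match out on em0 proto tcp to port 22 log (to pflog1) queue ssh_q

# "last rule that set a queue wins", not "last matching rule wins":
# outbound SSH hits the match rule above (queue ssh_q) and then this pass
# rule, which sets no queue, so ssh_q is kept.  The packet is also logged
# twice: to pflog1 by the match rule and to pflog0 by this one.
pass out on em0 proto tcp to port { 22 80 } log

# A match rule after a block does not resurrect the packet: outbound port 25
# stays blocked even though the match rule below also matches it and
# records queue bulk.
block out on em0 proto tcp to port 25
match out on em0 proto tcp to port 25 queue bulk
```

The practical consequence of the "every time a match rule matches" semantic is that a match rule placed early and written broadly (for example `match out on em0 all`) silently applies to every later pass rule; when debugging, `pfctl -vvsr` shows the rule numbers so a packet's path through match and pass rules can be reconstructed from the pflog output.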

Revision 1.406 / (download) - annotate - [select for diffs], Sat Jan 31 19:37:12 2009 UTC (15 years, 4 months ago) by sobrado
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.405: +3 -3 lines
Diff to previous 1.405 (colored)

write point-to-point in a consistent way.

jmc@ has provided a complete list of manual pages to be fixed,
and suggested using uppercase (i.e., Point-to-Point) when discussing
the protocol, and lowercase (point-to-point) otherwise.

ok jmc@

Revision 1.405 / (download) - annotate - [select for diffs], Thu Oct 2 12:36:32 2008 UTC (15 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.404: +13 -2 lines
Diff to previous 1.404 (colored)

document state-defaults option

Revision 1.404 / (download) - annotate - [select for diffs], Thu Sep 11 17:57:45 2008 UTC (15 years, 8 months ago) by brad
Branch: MAIN
Changes since 1.403: +3 -3 lines
Diff to previous 1.403 (colored)

Mbit/s -> Mbps

pointed out by jmc@

Revision 1.403 / (download) - annotate - [select for diffs], Wed Sep 10 15:07:47 2008 UTC (15 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.402: +8 -3 lines
Diff to previous 1.402 (colored)

pflow related stuff, reminded by jmc

Revision 1.402 / (download) - annotate - [select for diffs], Wed Jun 11 07:21:00 2008 UTC (15 years, 11 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.401: +3 -3 lines
Diff to previous 1.401 (colored)

tweak previous;

Revision 1.401 / (download) - annotate - [select for diffs], Tue Jun 10 20:55:01 2008 UTC (15 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.400: +7 -2 lines
Diff to previous 1.400 (colored)

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt

Revision 1.400 / (download) - annotate - [select for diffs], Tue Jun 10 16:52:10 2008 UTC (15 years, 11 months ago) by jmc
Branch: MAIN
Changes since 1.399: +2 -2 lines
Diff to previous 1.399 (colored)

another wee correction; ok henning

Revision 1.399 / (download) - annotate - [select for diffs], Tue Jun 10 08:04:05 2008 UTC (16 years ago) by jmc
Branch: MAIN
Changes since 1.398: +5 -5 lines
Diff to previous 1.398 (colored)

tweak previous;

Revision 1.398 / (download) - annotate - [select for diffs], Tue Jun 10 04:33:04 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.397: +10 -3 lines
Diff to previous 1.397 (colored)

theo and ryan and I like to scare people

Revision 1.397 / (download) - annotate - [select for diffs], Mon May 19 14:57:31 2008 UTC (16 years ago) by markus
Branch: MAIN
Changes since 1.396: +17 -1 lines
Diff to previous 1.396 (colored)

add divert-to/divert-reply; ok henning, pyr

Revision 1.396 / (download) - annotate - [select for diffs], Wed May 7 07:32:37 2008 UTC (16 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.395: +4 -3 lines
Diff to previous 1.395 (colored)

scrub allows tagged, too

Revision 1.395 / (download) - annotate - [select for diffs], Wed May 7 06:23:30 2008 UTC (16 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.394: +18 -5 lines
Diff to previous 1.394 (colored)

allow setting TOS with scrub; ok mcbride, claudio

Revision 1.394 / (download) - annotate - [select for diffs], Wed Mar 19 19:28:24 2008 UTC (16 years, 2 months ago) by deraadt
Branch: MAIN
Changes since 1.393: +3 -2 lines
Diff to previous 1.393 (colored)

demonstrate "include" in the bnf; weerd@weirdnet.nl

Revision 1.393 / (download) - annotate - [select for diffs], Mon Feb 11 07:46:32 2008 UTC (16 years, 3 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.392: +3 -3 lines
Diff to previous 1.392 (colored)

do not describe `/' as solidus; from Allen (freebsd pr120484);

Revision 1.392 / (download) - annotate - [select for diffs], Fri Feb 1 08:38:00 2008 UTC (16 years, 4 months ago) by jmc
Branch: MAIN
Changes since 1.391: +2 -4 lines
Diff to previous 1.391 (colored)

no more /usr/share/pf;

Revision 1.391 / (download) - annotate - [select for diffs], Fri Feb 1 07:26:41 2008 UTC (16 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.390: +5 -7 lines
Diff to previous 1.390 (colored)

Document the ability to use filteropts on anchors.

Revision 1.390 / (download) - annotate - [select for diffs], Wed Nov 21 03:58:46 2007 UTC (16 years, 6 months ago) by ray
Branch: MAIN
Changes since 1.389: +3 -3 lines
Diff to previous 1.389 (colored)

Fix grammar, pointed out by Jim Razmus and RW.

OK jmc.

Revision 1.389 / (download) - annotate - [select for diffs], Fri Nov 9 15:54:53 2007 UTC (16 years, 7 months ago) by jmc
Branch: MAIN
Changes since 1.388: +4 -4 lines
Diff to previous 1.388 (colored)

when "max <number>" is exceeded, packets are not dropped - rather they
fail to match;

from Doichin Dokov
diff from henning and myself

Revision 1.388 / (download) - annotate - [select for diffs], Sun Oct 14 16:01:43 2007 UTC (16 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.387: +5 -4 lines
Diff to previous 1.387 (colored)

include in bnf, wanted by jmc

Revision 1.387 / (download) - annotate - [select for diffs], Sat Oct 13 21:49:15 2007 UTC (16 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.386: +13 -2 lines
Diff to previous 1.386 (colored)

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning

Revision 1.386 / (download) - annotate - [select for diffs], Sun Sep 30 20:12:22 2007 UTC (16 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.385: +3 -3 lines
Diff to previous 1.385 (colored)

while rdr'ing port spamd to port smtp is perfectly valid, it is at least
a bit confuzzling, so swap.
From: Olli Hauer <ohauer@gmx.de>

Revision 1.385 / (download) - annotate - [select for diffs], Thu Sep 27 22:40:48 2007 UTC (16 years, 8 months ago) by mpf
Branch: MAIN
Changes since 1.384: +4 -3 lines
Diff to previous 1.384 (colored)

Mention "set loginterface <ifgroup>"

Revision 1.384 / (download) - annotate - [select for diffs], Thu Aug 30 17:05:44 2007 UTC (16 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.383: +8 -0 lines
Diff to previous 1.383 (colored)

document address ranges, with help from jmc@

Revision 1.383 / (download) - annotate - [select for diffs], Tue Jul 17 16:27:38 2007 UTC (16 years, 10 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2
Changes since 1.382: +3 -3 lines
Diff to previous 1.382 (colored)

typo; from Stephan A. Rickauer

Revision 1.382 / (download) - annotate - [select for diffs], Tue Jun 26 20:22:02 2007 UTC (16 years, 11 months ago) by jmc
Branch: MAIN
Changes since 1.381: +2 -2 lines
Diff to previous 1.381 (colored)

checkd -> checked; from Nicholas Marriott

Revision 1.381 / (download) - annotate - [select for diffs], Fri Jun 8 14:16:37 2007 UTC (17 years ago) by henning
Branch: MAIN
Changes since 1.380: +15 -12 lines
Diff to previous 1.380 (colored)

make it clearer where ifgroups can be used
From: Stuart Henderson <stu@spacehopper.org>

Revision 1.380 / (download) - annotate - [select for diffs], Thu May 31 19:19:58 2007 UTC (17 years ago) by jmc
Branch: MAIN
Changes since 1.379: +2 -2 lines
Diff to previous 1.379 (colored)

convert to new .Dd format;

Revision 1.379 / (download) - annotate - [select for diffs], Tue May 8 23:38:12 2007 UTC (17 years, 1 month ago) by mcbride
Branch: MAIN
Changes since 1.378: +4 -3 lines
Diff to previous 1.378 (colored)

Document the fact that 'allow-opts' applies to IPv6 now as well.

ok jmc@ dhartmei@ henning@ deraadt@ claudio@

Revision 1.378 / (download) - annotate - [select for diffs], Sat Apr 14 07:24:18 2007 UTC (17 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.377: +2 -2 lines
Diff to previous 1.377 (colored)

set timeout source-track -> set timeout src.track; from Jason Testart
and a missing full stop...

Revision 1.377 / (download) - annotate - [select for diffs], Wed Mar 21 03:04:16 2007 UTC (17 years, 2 months ago) by mcbride
Branch: MAIN
Changes since 1.376: +4 -3 lines
Diff to previous 1.376 (colored)

Basic ruleset optimization is now the default.

Use 'set ruleset-optimization none' or the -o none argument
to prevent pfctl from optimizing the ruleset before loading it.

Revision 1.376 / (download) - annotate - [select for diffs], Fri Dec 1 07:23:26 2006 UTC (17 years, 6 months ago) by camield
Branch: MAIN
CVS Tags: OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.375: +12 -3 lines
Diff to previous 1.375 (colored)

Correct the explanation of NAT evaluation order.  binat is always first,
then rdr on inbound packets or nat on outbound packets.  This is _not_
necessarily the same order in which the rules are defined in the ruleset.

ok jmc dhartmei henning

Revision 1.375 / (download) - annotate - [select for diffs], Wed Nov 29 07:03:58 2006 UTC (17 years, 6 months ago) by jmc
Branch: MAIN
Changes since 1.374: +2 -2 lines
Diff to previous 1.374 (colored)

stateles -> stateless; from stuart henderson

Revision 1.374 / (download) - annotate - [select for diffs], Tue Nov 28 21:39:46 2006 UTC (17 years, 6 months ago) by jmc
Branch: MAIN
Changes since 1.373: +2 -2 lines
Diff to previous 1.373 (colored)

bad space;

Revision 1.373 / (download) - annotate - [select for diffs], Tue Nov 28 17:11:29 2006 UTC (17 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.372: +5 -2 lines
Diff to previous 1.372 (colored)

mention rtable shitz now that it is enabled in the forwarding path

Revision 1.372 / (download) - annotate - [select for diffs], Thu Nov 9 13:18:56 2006 UTC (17 years, 7 months ago) by jmc
Branch: MAIN
Changes since 1.371: +2 -2 lines
Diff to previous 1.371 (colored)

desireable -> desirable;

Revision 1.371 / (download) - annotate - [select for diffs], Wed Nov 1 09:19:48 2006 UTC (17 years, 7 months ago) by jmc
Branch: MAIN
Changes since 1.370: +7 -4 lines
Diff to previous 1.370 (colored)

tweaks;

Revision 1.370 / (download) - annotate - [select for diffs], Tue Oct 31 14:53:44 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.369: +37 -2 lines
Diff to previous 1.369 (colored)

Document set ruleset-optimization [ none | basic | profile ].

Revision 1.369 / (download) - annotate - [select for diffs], Sat Oct 28 14:31:00 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.368: +23 -5 lines
Diff to previous 1.368 (colored)

Document inline anchor loading with { } delimited blocks.

Revision 1.368 / (download) - annotate - [select for diffs], Thu Oct 26 13:15:16 2006 UTC (17 years, 7 months ago) by jmc
Branch: MAIN
Changes since 1.367: +5 -3 lines
Diff to previous 1.367 (colored)

tweak;

Revision 1.367 / (download) - annotate - [select for diffs], Thu Oct 26 13:11:05 2006 UTC (17 years, 7 months ago) by jmc
Branch: MAIN
Changes since 1.366: +2 -2 lines
Diff to previous 1.366 (colored)

tweaks; ok henning

Revision 1.366 / (download) - annotate - [select for diffs], Thu Oct 26 10:29:43 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.365: +4 -4 lines
Diff to previous 1.365 (colored)

eep! unbreak.

Revision 1.365 / (download) - annotate - [select for diffs], Thu Oct 26 10:26:03 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.364: +14 -1 lines
Diff to previous 1.364 (colored)

Document hostid.

pointed out by Pierre-Yves Ritschard.

Revision 1.364 / (download) - annotate - [select for diffs], Wed Oct 25 11:36:08 2006 UTC (17 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.363: +11 -5 lines
Diff to previous 1.363 (colored)

document how to send logs to alternate pflog interfaces

Revision 1.363 / (download) - annotate - [select for diffs], Mon Oct 23 06:58:35 2006 UTC (17 years, 7 months ago) by jmc
Branch: MAIN
Changes since 1.362: +2 -2 lines
Diff to previous 1.362 (colored)

remove trailing space;

Revision 1.362 / (download) - annotate - [select for diffs], Sun Oct 22 22:40:40 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.361: +108 -141 lines
Diff to previous 1.361 (colored)

Move the stateful content up to the FILTERING section and flesh it out
somewhat to reflect the default 'keep state' behaviour of pf.conf.

prodding by theo, ok jmc@

Revision 1.361 / (download) - annotate - [select for diffs], Wed Oct 11 13:35:17 2006 UTC (17 years, 7 months ago) by jmc
Branch: MAIN
Changes since 1.360: +3 -2 lines
Diff to previous 1.360 (colored)

fix mark up mistake;

Revision 1.360 / (download) - annotate - [select for diffs], Wed Oct 11 08:44:39 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.359: +9 -4 lines
Diff to previous 1.359 (colored)

Document 'anchor "foo" quick'.

Revision 1.359 / (download) - annotate - [select for diffs], Fri Oct 6 16:25:24 2006 UTC (17 years, 8 months ago) by jmc
Branch: MAIN
Changes since 1.358: +7 -7 lines
Diff to previous 1.358 (colored)

these fixes got lost somehow;

Revision 1.358 / (download) - annotate - [select for diffs], Fri Oct 6 13:56:29 2006 UTC (17 years, 8 months ago) by jmc
Branch: MAIN
Changes since 1.357: +5 -5 lines
Diff to previous 1.357 (colored)

missing fixes for STATEFUL INSPECTION;

Revision 1.357 / (download) - annotate - [select for diffs], Fri Oct 6 13:51:06 2006 UTC (17 years, 8 months ago) by jmc
Branch: MAIN
Changes since 1.356: +10 -10 lines
Diff to previous 1.356 (colored)

kill trailing whitespace;

Revision 1.356 / (download) - annotate - [select for diffs], Fri Oct 6 10:48:46 2006 UTC (17 years, 8 months ago) by mcbride
Branch: MAIN
Changes since 1.355: +85 -83 lines
Diff to previous 1.355 (colored)

Document the fact that 'flags S/SA keep state' is now the implicit default,
as well as 'no state' and 'flags any' options.

ok jmc@

Revision 1.355 / (download) - annotate - [select for diffs], Tue Sep 12 13:39:37 2006 UTC (17 years, 8 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.354: +6 -1 lines
Diff to previous 1.354 (colored)

for apps which use interface groups, point to the section of
ifconfig(8) where they are explained;

ok mcbride mpf henning

Revision 1.354 / (download) - annotate - [select for diffs], Thu Aug 31 18:44:48 2006 UTC (17 years, 9 months ago) by jmc
Branch: MAIN
Changes since 1.353: +2 -6 lines
Diff to previous 1.353 (colored)

knock out the cpp/m4 stuff from MACROS; after discussion with many...

Revision 1.353 / (download) - annotate - [select for diffs], Tue Aug 22 15:55:13 2006 UTC (17 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.352: +4 -9 lines
Diff to previous 1.352 (colored)

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.

Revision 1.352 / (download) - annotate - [select for diffs], Wed Aug 2 11:45:56 2006 UTC (17 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.351: +2 -2 lines
Diff to previous 1.351 (colored)

in the BNF section, note that a comma is optional, closes PR 5191

Revision 1.351 / (download) - annotate - [select for diffs], Tue Jul 25 16:59:25 2006 UTC (17 years, 10 months ago) by jmc
Branch: MAIN
Changes since 1.350: +22 -2 lines
Diff to previous 1.350 (colored)

document "tos": pointed out by maxim bourmistrov
diff from jared r r spiegel

ok dhartmei

Revision 1.350 / (download) - annotate - [select for diffs], Sun Jul 9 11:00:17 2006 UTC (17 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.349: +2 -2 lines
Diff to previous 1.349 (colored)

The timeout value is called src.track, not source-track.

Revision 1.349 / (download) - annotate - [select for diffs], Sun Jun 18 16:01:20 2006 UTC (17 years, 11 months ago) by hshoexer
Branch: MAIN
Changes since 1.348: +2 -2 lines
Diff to previous 1.348 (colored)

typo: queu -> queue

ok claudio@

Revision 1.348 / (download) - annotate - [select for diffs], Sun May 28 12:07:10 2006 UTC (18 years ago) by jmc
Branch: MAIN
Changes since 1.347: +3 -2 lines
Diff to previous 1.347 (colored)

put previous in the correct place; ok mcbride

Revision 1.347 / (download) - annotate - [select for diffs], Sun May 28 02:51:06 2006 UTC (18 years ago) by mcbride
Branch: MAIN
Changes since 1.346: +6 -2 lines
Diff to previous 1.346 (colored)

Adaptive timeouts are now on by default.

Revision 1.346 / (download) - annotate - [select for diffs], Sun May 14 15:51:42 2006 UTC (18 years ago) by deraadt
Branch: MAIN
Changes since 1.345: +4 -2 lines
Diff to previous 1.345 (colored)

interface bandwidths can change; ok henning

Revision 1.345 / (download) - annotate - [select for diffs], Mon May 1 15:17:41 2006 UTC (18 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.344: +5 -2 lines
Diff to previous 1.344 (colored)

update the "tagged" line; ok dhartmei

Revision 1.344 / (download) - annotate - [select for diffs], Mon May 1 12:24:32 2006 UTC (18 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.343: +5 -3 lines
Diff to previous 1.343 (colored)

add support for "tagged {}" lists, from Pierre-Yves Ritschard

Revision 1.343 / (download) - annotate - [select for diffs], Sun Apr 30 10:12:21 2006 UTC (18 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.342: +144 -110 lines
Diff to previous 1.342 (colored)

- replace <> with .Aq
- replace OpenBSD with .Ox

from wiz@netbsd

Revision 1.342 / (download) - annotate - [select for diffs], Tue Mar 14 11:09:44 2006 UTC (18 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.341: +10 -2 lines
Diff to previous 1.341 (colored)

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@
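
The uRPF check described above, as an added pf.conf fragment that is not part of the commit. The interfaces em0 and em1 are assumed to have symmetric routing; the label name is an arbitrary choice.

```pf
# Added example: uRPF as an automatic ingress filter.
# em0 and em1 are assumptions; restrict the rule to interfaces whose routing
# is symmetric, since the check otherwise drops legitimate traffic.

# A packet fails "urpf-failed" when the route back to its source address
# does not leave through the interface it arrived on.  "quick" ends rule
# evaluation, "log" copies the packet to pflog0 for inspection, and the
# label gives a per-rule counter readable with "pfctl -sl".
block in log quick on { em0 em1 } from urpf-failed label uRPF
```

Before enabling this on a multi-homed or policy-routed host, watch pflog0 for a while (`tcpdump -n -e -ttt -i pflog0`) to confirm that only spoofed sources hit the rule; an asymmetric link such as a second uplink must be left out of the interface list or its return traffic is dropped.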

Revision 1.341 / (download) - annotate - [select for diffs], Mon Feb 20 11:39:43 2006 UTC (18 years, 3 months ago) by camield
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE, OPENBSD_3_9
Changes since 1.340: +8 -8 lines
Diff to previous 1.340 (colored)

new ftp-proxy

ok jmc markus

Revision 1.340 / (download) - annotate - [select for diffs], Wed Jan 18 03:45:28 2006 UTC (18 years, 4 months ago) by joel
Branch: MAIN
Changes since 1.339: +13 -3 lines
Diff to previous 1.339 (colored)

Document the "tables" and "table-entries" limit options.

ok jmc@ mcbride@

Revision 1.339 / (download) - annotate - [select for diffs], Thu Nov 17 22:18:20 2005 UTC (18 years, 6 months ago) by joel
Branch: MAIN
Changes since 1.338: +8 -1 lines
Diff to previous 1.338 (colored)

document "log (user)"

wording help and ok jmc@

Revision 1.338 / (download) - annotate - [select for diffs], Fri Sep 16 10:18:29 2005 UTC (18 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.337: +4 -5 lines
Diff to previous 1.337 (colored)

in the bnf section, clarify that "fastroute" takes no arguments. also fix
the literal parentheses around the "route/reply/dup-to" arguments.
from Karl O. Pinc, discussed with jmc@ and otto@

Revision 1.337 / (download) - annotate - [select for diffs], Sat Aug 6 19:52:36 2005 UTC (18 years, 10 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE, OPENBSD_3_8
Changes since 1.336: +2 -2 lines
Diff to previous 1.336 (colored)

replace port number 8025 w/ symbolic `spamd';
ok krw@ deraadt@

diff from ray lai;

Revision 1.336 / (download) - annotate - [select for diffs], Fri Aug 5 22:35:59 2005 UTC (18 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.335: +2 -1 lines
Diff to previous 1.335 (colored)

document "set skip on" in the BNF grammar, from David Krause

Revision 1.335 / (download) - annotate - [select for diffs], Tue Jun 14 18:18:14 2005 UTC (18 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.334: +1 -9 lines
Diff to previous 1.334 (colored)

the need to use stateful rules for tagging is gone

Revision 1.334 / (download) - annotate - [select for diffs], Sun Jun 5 13:46:30 2005 UTC (19 years ago) by jmc
Branch: MAIN
Changes since 1.333: +11 -1 lines
Diff to previous 1.333 (colored)

(lightly) document carp(4) in reference to state table;

suggested by alexey e. suslikov;
better wording + ok joel@

Revision 1.333 / (download) - annotate - [select for diffs], Fri Jun 3 22:14:37 2005 UTC (19 years ago) by jmc
Branch: MAIN
Changes since 1.332: +7 -1 lines
Diff to previous 1.332 (colored)

add an ipv6 example;

from alex kirk;
ok dhartmei@, unless i have badly misunderstood him;

Revision 1.332 / (download) - annotate - [select for diffs], Thu Jun 2 22:56:50 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.331: +3 -3 lines
Diff to previous 1.331 (colored)

In the BNF section, remove one spurious "proto" and add one missing |.
Found by Magne Andreassen.

Revision 1.331 / (download) - annotate - [select for diffs], Fri May 27 18:57:56 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.330: +9 -6 lines
Diff to previous 1.330 (colored)

s/log-all/log (all)/

Revision 1.330 / (download) - annotate - [select for diffs], Thu May 26 15:29:47 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.329: +8 -5 lines
Diff to previous 1.329 (colored)

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@

Revision 1.329 / (download) - annotate - [select for diffs], Thu May 26 05:34:00 2005 UTC (19 years ago) by henning
Branch: MAIN
Changes since 1.328: +7 -28 lines
Diff to previous 1.328 (colored)

sync with reality

Revision 1.328 / (download) - annotate - [select for diffs], Mon May 23 15:25:50 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.327: +2 -2 lines
Diff to previous 1.327 (colored)

the BNF production is called "load-anchor", found by Magne Andreassen

Revision 1.327 / (download) - annotate - [select for diffs], Wed May 18 02:31:49 2005 UTC (19 years ago) by david
Branch: MAIN
Changes since 1.326: +2 -2 lines
Diff to previous 1.326 (colored)

max-src-states typo; ok henning@

Revision 1.326 / (download) - annotate - [select for diffs], Tue Mar 1 18:10:44 2005 UTC (19 years, 3 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE, OPENBSD_3_7
Changes since 1.325: +2 -2 lines
Diff to previous 1.325 (colored)

occurance -> occurrence;

Revision 1.325 / (download) - annotate - [select for diffs], Sun Feb 27 15:08:39 2005 UTC (19 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.324: +5 -5 lines
Diff to previous 1.324 (colored)

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@

Revision 1.324 / (download) - annotate - [select for diffs], Fri Feb 25 13:59:14 2005 UTC (19 years, 3 months ago) by joel
Branch: MAIN
Changes since 1.323: +4 -3 lines
Diff to previous 1.323 (colored)

Mention that if a cbq/hfsc queue definition doesn't specify 'bandwidth'
that it defaults to 100% of the parent queue. Fix examples to match.

ok dhartmei@

Revision 1.323 / (download) - annotate - [select for diffs], Thu Feb 24 04:36:45 2005 UTC (19 years, 3 months ago) by joel
Branch: MAIN
Changes since 1.322: +21 -1 lines
Diff to previous 1.322 (colored)

Document the 'source-track' stateful tracking option. Heavy influence
from dhartmei and henning.

ok dhartmei@ henning@ jmc@ jaredy@

Revision 1.322 / (download) - annotate - [select for diffs], Sat Jan 1 07:57:53 2005 UTC (19 years, 5 months ago) by pascoe
Branch: MAIN
Changes since 1.321: +3 -3 lines
Diff to previous 1.321 (colored)

Fix some parse errors in example rules

ok henning@ dhartmei@

Revision 1.321 / (download) - annotate - [select for diffs], Thu Dec 23 20:33:03 2004 UTC (19 years, 5 months ago) by jaredy
Branch: MAIN
Changes since 1.320: +11 -2 lines
Diff to previous 1.320 (colored)

document icmp type/code text abbreviations recognized by pfctl

prodded by John Ladwig <jladwig@mango.lioness.net>

ok deraadt jmc

Revision 1.320 / (download) - annotate - [select for diffs], Wed Dec 22 17:17:56 2004 UTC (19 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.319: +11 -1 lines
Diff to previous 1.319 (colored)

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@

Revision 1.319 / (download) - annotate - [select for diffs], Wed Dec 22 00:59:26 2004 UTC (19 years, 5 months ago) by david
Branch: MAIN
Changes since 1.318: +6 -6 lines
Diff to previous 1.318 (colored)

spacing

Revision 1.318 / (download) - annotate - [select for diffs], Tue Dec 21 02:00:36 2004 UTC (19 years, 5 months ago) by mjc
Branch: MAIN
Changes since 1.317: +4 -3 lines
Diff to previous 1.317 (colored)

update to indicate that return-rst generates packets
on bridges. Spotted by Simon Kirby.
proper caps from jmc@

ok dhartmei@

Revision 1.317 / (download) - annotate - [select for diffs], Sun Dec 19 12:00:48 2004 UTC (19 years, 5 months ago) by jmc
Branch: MAIN
Changes since 1.316: +2 -2 lines
Diff to previous 1.316 (colored)

route <label> rewording from otto@;
ok dhartmei@;

Revision 1.316 / (download) - annotate - [select for diffs], Sat Dec 18 00:23:31 2004 UTC (19 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.315: +4 -4 lines
Diff to previous 1.315 (colored)

Better wording.

Revision 1.315 / (download) - annotate - [select for diffs], Fri Dec 17 11:31:18 2004 UTC (19 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.314: +2 -2 lines
Diff to previous 1.314 (colored)

Michael Knudsen <e@molioner.dk> says:
"I think you messed something up when you committed this."
and he is right, I lost a word. Dang! And Thanks :)

Revision 1.314 / (download) - annotate - [select for diffs], Sun Dec 12 17:41:55 2004 UTC (19 years, 5 months ago) by jmc
Branch: MAIN
Changes since 1.313: +3 -3 lines
Diff to previous 1.313 (colored)

grammar and a little whitespace;

Revision 1.313 / (download) - annotate - [select for diffs], Fri Dec 10 22:17:02 2004 UTC (19 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.312: +15 -5 lines
Diff to previous 1.312 (colored)

document matching on route labels
From: Michael Knudsen <e@molioner.dk>
jaredy ok

Revision 1.312 / (download) - annotate - [select for diffs], Wed Dec 8 18:49:47 2004 UTC (19 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.311: +2 -2 lines
Diff to previous 1.311 (colored)

and the example needs 'proto tcp' if it specifies a port, also from mpech@

Revision 1.311 / (download) - annotate - [select for diffs], Wed Dec 8 18:47:34 2004 UTC (19 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.310: +4 -4 lines
Diff to previous 1.310 (colored)

overload (not overflow) <table>, at least that's what the parser knows.
found by mpech@

Revision 1.310 / (download) - annotate - [select for diffs], Tue Dec 7 10:40:08 2004 UTC (19 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.309: +9 -4 lines
Diff to previous 1.309 (colored)

and don't lose the documentation for 'flush global'

Revision 1.309 / (download) - annotate - [select for diffs], Tue Dec 7 09:36:16 2004 UTC (19 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.308: +3 -8 lines
Diff to previous 1.308 (colored)

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@

Revision 1.308 / (download) - annotate - [select for diffs], Tue Dec 7 05:30:27 2004 UTC (19 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.307: +9 -4 lines
Diff to previous 1.307 (colored)

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@

Revision 1.307 / (download) - annotate - [select for diffs], Sat Dec 4 16:07:31 2004 UTC (19 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.306: +3 -21 lines
Diff to previous 1.306 (colored)

Cleanup and remove a cut-n-pasto. From jmc@

Revision 1.306 / (download) - annotate - [select for diffs], Sat Dec 4 08:02:13 2004 UTC (19 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.305: +62 -3 lines
Diff to previous 1.305 (colored)

Document 'max-src-conn', 'max-src-conn-rate', 'overflow <bad> flush'.

Revision 1.305 / (download) - annotate - [select for diffs], Tue Nov 16 18:09:14 2004 UTC (19 years, 6 months ago) by mpf
Branch: MAIN
Changes since 1.304: +3 -2 lines
Diff to previous 1.304 (colored)

Add "probability" to BNF
ok henning, markus

Revision 1.304 / (download) - annotate - [select for diffs], Mon Nov 8 23:32:08 2004 UTC (19 years, 7 months ago) by aaron
Branch: MAIN
Changes since 1.303: +10 -1 lines
Diff to previous 1.303 (colored)

Document "no scrub"; from jmc@, tweaked by me.  dhartmei@ ok

Revision 1.303 / (download) - annotate - [select for diffs], Thu Oct 28 19:29:53 2004 UTC (19 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.302: +2 -2 lines
Diff to previous 1.302 (colored)

s/timeout modulation/timestamp modulation/

ok frantzen@

Revision 1.302 / (download) - annotate - [select for diffs], Mon Oct 18 23:08:08 2004 UTC (19 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.301: +2 -2 lines
Diff to previous 1.301 (colored)

'random-id' no longer applies only to outgoing packets.

Revision 1.301 / (download) - annotate - [select for diffs], Tue Sep 21 16:59:11 2004 UTC (19 years, 8 months ago) by aaron
Branch: MAIN
Changes since 1.300: +2 -2 lines
Diff to previous 1.300 (colored)

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}".  henning@, dhartmei@ ok

Revision 1.300 / (download) - annotate - [select for diffs], Fri Sep 10 12:40:49 2004 UTC (19 years, 9 months ago) by jaredy
Branch: MAIN
CVS Tags: OPENBSD_3_6_BASE, OPENBSD_3_6
Changes since 1.299: +47 -1 lines
Diff to previous 1.299 (colored)

mention parent (..) anchors,
mention wildcard (*) anchors,
and mention quotes around anchor names.

ok dhartmei henning jmc

Revision 1.299 / (download) - annotate - [select for diffs], Wed Aug 25 07:19:00 2004 UTC (19 years, 9 months ago) by jaredy
Branch: MAIN
Changes since 1.298: +49 -46 lines
Diff to previous 1.298 (colored)

update w.r.t. recursive anchors
and fix an mdoc list display (from jmc)

ok dhartmei henning jmc

Revision 1.298 / (download) - annotate - [select for diffs], Mon Aug 23 14:26:04 2004 UTC (19 years, 9 months ago) by jmc
Branch: MAIN
Changes since 1.297: +21 -1 lines
Diff to previous 1.297 (colored)

differentiate between cbq and hfsc;

problem found by marc@; this diff based on a patch from sven at
sandcat dot nl; ok henning@;

Revision 1.297 / (download) - annotate - [select for diffs], Sun May 9 10:51:55 2004 UTC (20 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.296: +2 -2 lines
Diff to previous 1.296 (colored)

route-to -> reply-to in one case where it was swapped, from
Christopher Pascoe

Revision 1.296 / (download) - annotate - [select for diffs], Wed May 5 23:16:02 2004 UTC (20 years, 1 month ago) by frantzen
Branch: MAIN
Changes since 1.295: +19 -1 lines
Diff to previous 1.295 (colored)

Use RFC1323 PAWS timestamps as a logical extension to the conventional TCP
sequence numbers by taking advantage of the maximum 1KHz clock as an upper bound
on the timestamp.  Typically gains 10 to 18 bits of additional security against
blind data insertion attacks.  More if the TS Echo wasn't optional :-(
Enabled with:  scrub on !lo0 all reassemble tcp
ok dhartmei@.  documentation help from jmc@

Revision 1.295 / (download) - annotate - [select for diffs], Sat Apr 24 23:22:54 2004 UTC (20 years, 1 month ago) by cedric
Branch: MAIN
Changes since 1.294: +10 -1 lines
Diff to previous 1.294 (colored)

Add "probability xxx" rule modifier. ok deraadt@

Revision 1.294 / (download) - annotate - [select for diffs], Sun Apr 4 19:40:43 2004 UTC (20 years, 2 months ago) by jmc
Branch: MAIN
Changes since 1.293: +6 -5 lines
Diff to previous 1.293 (colored)

- fix an .El in the wrong place
- add a .Pp
- kill a stray space
- new sentence, new line

from Joel Knight;

Revision 1.293 / (download) - annotate - [select for diffs], Wed Mar 31 11:13:03 2004 UTC (20 years, 2 months ago) by dhartmei
Branch: MAIN
Changes since 1.292: +2 -2 lines
Diff to previous 1.292 (colored)

vender -> vendor, from John Bajana-Bacalle

Revision 1.292 / (download) - annotate - [select for diffs], Tue Feb 24 05:44:48 2004 UTC (20 years, 3 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE, OPENBSD_3_5
Changes since 1.291: +4 -4 lines
Diff to previous 1.291 (colored)

'source-track' not 'source-tracking'

Revision 1.291 / (download) - annotate - [select for diffs], Wed Feb 4 19:38:30 2004 UTC (20 years, 4 months ago) by jmc
Branch: MAIN
Changes since 1.290: +2 -2 lines
Diff to previous 1.290 (colored)

upper case ip;

Revision 1.290 / (download) - annotate - [select for diffs], Wed Feb 4 11:09:33 2004 UTC (20 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.289: +14 -3 lines
Diff to previous 1.289 (colored)

Document 'set limit src-nodes'

Revision 1.289 / (download) - annotate - [select for diffs], Tue Jan 6 09:28:00 2004 UTC (20 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.288: +2 -2 lines
Diff to previous 1.288 (colored)

group-locked -> group-bound, from J. Knight

Revision 1.288 / (download) - annotate - [select for diffs], Wed Dec 31 14:09:57 2003 UTC (20 years, 5 months ago) by jmc
Branch: MAIN
Changes since 1.287: +5 -5 lines
Diff to previous 1.287 (colored)

typos;

Revision 1.287 / (download) - annotate - [select for diffs], Wed Dec 31 11:18:25 2003 UTC (20 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.286: +67 -3 lines
Diff to previous 1.286 (colored)

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@

Revision 1.286 / (download) - annotate - [select for diffs], Mon Dec 15 05:17:20 2003 UTC (20 years, 5 months ago) by jmc
Branch: MAIN
Changes since 1.285: +10 -10 lines
Diff to previous 1.285 (colored)

- kill whitespace at EOL
- new sentence, new line
- kill blank line
- missing .El
- missing escape
- ip -> IP
- greate -> create

Revision 1.285 / (download) - annotate - [select for diffs], Mon Dec 15 00:02:03 2003 UTC (20 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.284: +44 -7 lines
Diff to previous 1.284 (colored)

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
  translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@

Revision 1.284 / (download) - annotate - [select for diffs], Sat Nov 29 10:05:55 2003 UTC (20 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.283: +9 -5 lines
Diff to previous 1.283 (colored)

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@

Revision 1.283 / (download) - annotate - [select for diffs], Mon Nov 24 16:06:00 2003 UTC (20 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.282: +2 -2 lines
Diff to previous 1.282 (colored)

fix load anchor BNF.
from Joel Knight

Revision 1.282 / (download) - annotate - [select for diffs], Tue Nov 18 22:52:38 2003 UTC (20 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.281: +2 -2 lines
Diff to previous 1.281 (colored)

more literal confusion, "(" ")" vs. ( )
the parentheses are required when using two queue arguments, and
optional when using one.

Revision 1.281 / (download) - annotate - [select for diffs], Tue Nov 18 22:43:45 2003 UTC (20 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.280: +2 -2 lines
Diff to previous 1.280 (colored)

un-quote "return" where it's meant to reference a bnf production
and not a literal.

Revision 1.280 / (download) - annotate - [select for diffs], Fri Nov 14 16:44:21 2003 UTC (20 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.279: +3 -2 lines
Diff to previous 1.279 (colored)

update BNF for set debug too, again caught by mpech@

Revision 1.279 / (download) - annotate - [select for diffs], Fri Nov 14 13:51:42 2003 UTC (20 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.278: +17 -1 lines
Diff to previous 1.278 (colored)

document "set debug"

ok jmc@ cedric@

Revision 1.278 / (download) - annotate - [select for diffs], Sat Nov 8 00:45:34 2003 UTC (20 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.277: +7 -2 lines
Diff to previous 1.277 (colored)

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@

Revision 1.277 / (download) - annotate - [select for diffs], Fri Nov 7 20:29:54 2003 UTC (20 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.276: +14 -8 lines
Diff to previous 1.276 (colored)

Add some missing mentions of 'synproxy state'

ok jmc@

Revision 1.276 / (download) - annotate - [select for diffs], Thu Nov 6 14:38:03 2003 UTC (20 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.275: +2 -1 lines
Diff to previous 1.275 (colored)

document that label macros can now be used in tags as well
with help from and ok jmc@

Revision 1.275 / (download) - annotate - [select for diffs], Thu Oct 30 19:08:07 2003 UTC (20 years, 7 months ago) by jmc
Branch: MAIN
Changes since 1.274: +2 -2 lines
Diff to previous 1.274 (colored)

double word, from Tom Cosgrove;

Revision 1.274 / (download) - annotate - [select for diffs], Fri Oct 24 19:31:59 2003 UTC (20 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.273: +29 -28 lines
Diff to previous 1.273 (colored)

consistently use $ext_if / $int_if in the examples
from jared r r spiegel <jrrs@ice-nine.org>
ok canacar@ jmc@

Revision 1.273 / (download) - annotate - [select for diffs], Tue Oct 7 20:18:36 2003 UTC (20 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.272: +2 -2 lines
Diff to previous 1.272 (colored)

typo; ish

Revision 1.272 / (download) - annotate - [select for diffs], Tue Oct 7 09:57:43 2003 UTC (20 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.271: +2 -2 lines
Diff to previous 1.271 (colored)

filename needs to be quoted...
ok mcbride@ jmc@

Revision 1.271 / (download) - annotate - [select for diffs], Tue Sep 2 18:37:08 2003 UTC (20 years, 9 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE, OPENBSD_3_4
Changes since 1.270: +2 -2 lines
Diff to previous 1.270 (colored)

escape punctuation;
ok deraadt@

Revision 1.270 / (download) - annotate - [select for diffs], Thu Aug 28 09:41:22 2003 UTC (20 years, 9 months ago) by jmc
Branch: MAIN
Changes since 1.269: +20 -19 lines
Diff to previous 1.269 (colored)

tweak;
ok frantzen@

Revision 1.269 / (download) - annotate - [select for diffs], Tue Aug 26 18:34:25 2003 UTC (20 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.268: +7 -5 lines
Diff to previous 1.268 (colored)

mention that synproxy state takes the same options as keep/modulate state,
add synproxy to BNF. from mpech@. ok mpech@, henning@

Revision 1.268 / (download) - annotate - [select for diffs], Sun Aug 24 12:47:07 2003 UTC (20 years, 9 months ago) by cedric
Branch: MAIN
Changes since 1.267: +8 -4 lines
Diff to previous 1.267 (colored)

Tables can now be used in round-robin pools.
ok henning@

Revision 1.267 / (download) - annotate - [select for diffs], Fri Aug 22 21:50:34 2003 UTC (20 years, 9 months ago) by david
Branch: MAIN
Changes since 1.266: +2 -2 lines
Diff to previous 1.266 (colored)

pf spelling police
ok dhartmei@ jmc@

Revision 1.266 / (download) - annotate - [select for diffs], Fri Aug 22 18:28:14 2003 UTC (20 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.265: +9 -8 lines
Diff to previous 1.265 (colored)

- roff indent fix from Max Laier.  thanks!
- fix an example that became wrong when I switched from p0f v1 fingerprints
to p0f v2

Revision 1.265 / (download) - annotate - [select for diffs], Fri Aug 22 04:54:13 2003 UTC (20 years, 9 months ago) by david
Branch: MAIN
Changes since 1.264: +4 -4 lines
Diff to previous 1.264 (colored)

spelling

Revision 1.264 / (download) - annotate - [select for diffs], Thu Aug 21 19:12:59 2003 UTC (20 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.263: +108 -5 lines
Diff to previous 1.263 (colored)

document passive OS fingerprinting

Revision 1.263 / (download) - annotate - [select for diffs], Mon Jul 7 09:15:54 2003 UTC (20 years, 11 months ago) by jmc
Branch: MAIN
Changes since 1.262: +3 -3 lines
Diff to previous 1.262 (colored)

fix a macro and remove a whitespace at EOL;
ok henning@

Revision 1.262 / (download) - annotate - [select for diffs], Mon Jul 7 08:42:38 2003 UTC (20 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.261: +5 -5 lines
Diff to previous 1.261 (colored)

clarification in nat pass, pointed out by theo

Revision 1.261 / (download) - annotate - [select for diffs], Mon Jul 7 08:38:03 2003 UTC (20 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.260: +21 -19 lines
Diff to previous 1.260 (colored)

I'm pretty sure the formatting cleanup & clarifications here that Joel Knight
did in negotiation with jmc@ included some dancing with dead chicken ritual

from Joel Knight
ok jmc@

Revision 1.260 / (download) - annotate - [select for diffs], Fri Jul 4 10:42:52 2003 UTC (20 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.259: +17 -8 lines
Diff to previous 1.259 (colored)

nat pass
ok jmc@

Revision 1.259 / (download) - annotate - [select for diffs], Tue Jun 17 21:48:11 2003 UTC (20 years, 11 months ago) by david
Branch: MAIN
Changes since 1.258: +5 -5 lines
Diff to previous 1.258 (colored)

add adaptive, interval, and frag timeouts to pf.conf and BNF
ok henning@ dhartmei@

Revision 1.258 / (download) - annotate - [select for diffs], Thu Jun 12 10:05:15 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.257: +2 -3 lines
Diff to previous 1.257 (colored)

qlimit referenced twice from queueopts, PR 3312

Revision 1.257 / (download) - annotate - [select for diffs], Wed Jun 11 23:09:20 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.256: +2 -2 lines
Diff to previous 1.256 (colored)

ref table-rule from line, PR 3311

Revision 1.256 / (download) - annotate - [select for diffs], Wed Jun 11 17:03:09 2003 UTC (21 years ago) by pb
Branch: MAIN
Changes since 1.255: +13 -1 lines
Diff to previous 1.255 (colored)

document that it is unsupported to use return-rst/icmp or synproxy
on bridging firewalls

henning@ ok, spelling fixes from jmc@

Revision 1.255 / (download) - annotate - [select for diffs], Tue Jun 10 16:59:49 2003 UTC (21 years ago) by deraadt
Branch: MAIN
Changes since 1.254: +3 -3 lines
Diff to previous 1.254 (colored)

fix grammar regarding queues; noted by jlouis@mongers.org

Revision 1.254 / (download) - annotate - [select for diffs], Sat Jun 7 20:31:13 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.253: +6 -3 lines
Diff to previous 1.253 (colored)

update BNF to show that tagging is also possible on rdr/nat/binat

Revision 1.253 / (download) - annotate - [select for diffs], Sat Jun 7 20:27:56 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.252: +57 -8 lines
Diff to previous 1.252 (colored)

second part of the diff from Joel Knight that was sitting in my inbox for
far too long:
better tag documentation.

help and ok jmc@

Revision 1.252 / (download) - annotate - [select for diffs], Sat Jun 7 20:05:12 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.251: +2 -2 lines
Diff to previous 1.251 (colored)

update BNF to include "! tagged"

Revision 1.251 / (download) - annotate - [select for diffs], Sat Jun 7 20:00:52 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.250: +25 -1 lines
Diff to previous 1.250 (colored)

document "load anchor from file"
mostly from Joel Knight
help and ok jmc@

Revision 1.250 / (download) - annotate - [select for diffs], Tue Jun 3 12:18:02 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.249: +15 -7 lines
Diff to previous 1.249 (colored)

make crystal clear that NAT happens before filtering and what that
means for the filter rules.
from Joel Knight again

ok cedric@, silence everybody else

Revision 1.249 / (download) - annotate - [select for diffs], Mon Jun 2 20:05:49 2003 UTC (21 years ago) by david
Branch: MAIN
Changes since 1.248: +169 -166 lines
Diff to previous 1.248 (colored)

revert to previous BNF formatting; requested by deraadt@
ok deraadt@ dhartmei@

Revision 1.248 / (download) - annotate - [select for diffs], Fri May 30 20:06:48 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.247: +2 -2 lines
Diff to previous 1.247 (colored)

the section is called QUEUEING, not QUEUE RULES, so point people to
QUEUEING and not QUEUE RULES...

found by Joel Knight

Revision 1.247 / (download) - annotate - [select for diffs], Fri May 23 12:06:48 2003 UTC (21 years ago) by jmc
Branch: MAIN
Changes since 1.246: +6 -6 lines
Diff to previous 1.246 (colored)

consistently uppercase abbreviations;
ok henning@

Revision 1.246 / (download) - annotate - [select for diffs], Sat May 17 07:50:46 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.245: +5 -4 lines
Diff to previous 1.245 (colored)

tweak; 10x jmc

Revision 1.245 / (download) - annotate - [select for diffs], Sat May 17 07:10:34 2003 UTC (21 years ago) by david
Branch: MAIN
Changes since 1.244: +3 -3 lines
Diff to previous 1.244 (colored)

tweak
ok dhartmei@

Revision 1.244 / (download) - annotate - [select for diffs], Sat May 17 06:44:27 2003 UTC (21 years ago) by david
Branch: MAIN
Changes since 1.243: +2 -2 lines
Diff to previous 1.243 (colored)

spelling fix

Revision 1.243 / (download) - annotate - [select for diffs], Sat May 17 06:14:58 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.242: +4 -2 lines
Diff to previous 1.242 (colored)

tweak

Revision 1.242 / (download) - annotate - [select for diffs], Sat May 17 05:51:09 2003 UTC (21 years ago) by david
Branch: MAIN
Changes since 1.241: +9 -2 lines
Diff to previous 1.241 (colored)

document tags
ok henning@

Revision 1.241 / (download) - annotate - [select for diffs], Fri May 16 18:38:47 2003 UTC (21 years ago) by jmc
Branch: MAIN
Changes since 1.240: +2 -4 lines
Diff to previous 1.240 (colored)

tweak;
ok dhartmei@

Revision 1.240 / (download) - annotate - [select for diffs], Fri May 16 17:15:17 2003 UTC (21 years ago) by dhartmei
Branch: MAIN
Changes since 1.239: +39 -1 lines
Diff to previous 1.239 (colored)

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive endpoint,
preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@

Revision 1.239 / (download) - annotate - [select for diffs], Fri May 16 09:08:58 2003 UTC (21 years ago) by jmc
Branch: MAIN
Changes since 1.238: +9 -19 lines
Diff to previous 1.238 (colored)

removed unnecessary macros:
- don't need .Pp before/after .Sh
- don't need .Ns before punctuation

ok krw@ millert@ david@

Revision 1.238 / (download) - annotate - [select for diffs], Thu May 15 08:38:47 2003 UTC (21 years ago) by jmc
Branch: MAIN
Changes since 1.237: +2 -2 lines
Diff to previous 1.237 (colored)

tweak;
ok frantzen@

Revision 1.237 / (download) - annotate - [select for diffs], Thu May 15 00:03:06 2003 UTC (21 years ago) by frantzen
Branch: MAIN
Changes since 1.236: +37 -11 lines
Diff to previous 1.236 (colored)

document scrub opt "reassemble tcp"

Revision 1.236 / (download) - annotate - [select for diffs], Mon May 12 04:22:04 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.235: +3 -3 lines
Diff to previous 1.235 (colored)

Use an example that actually makes some sense.

Revision 1.235 / (download) - annotate - [select for diffs], Mon May 12 01:25:32 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.234: +29 -3 lines
Diff to previous 1.234 (colored)

Adaptive timeout value scaling. Allows timeout values to be reduced as the
number of state table entries grows, so entries time out faster before
the table fills up. Works both globally and per-rule. ok frantzen@

Revision 1.234 / (download) - annotate - [select for diffs], Sun May 11 20:46:11 2003 UTC (21 years, 1 month ago) by frantzen
Branch: MAIN
Changes since 1.233: +9 -1 lines
Diff to previous 1.233 (colored)

document the dynamic min-ttl TCP scrub behavior

Revision 1.233 / (download) - annotate - [select for diffs], Sat May 10 23:27:07 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.232: +2 -3 lines
Diff to previous 1.232 (colored)

'return' now causes an ICMP unreachable for non-TCP/UDP/ICMP protocols.

Revision 1.232 / (download) - annotate - [select for diffs], Sat May 10 22:38:04 2003 UTC (21 years, 1 month ago) by pb
Branch: MAIN
Changes since 1.231: +112 -112 lines
Diff to previous 1.231 (colored)

uppercase all non-literals in BNF.. might make some stuff more clear ;)

commitski henning@

Revision 1.231 / (download) - annotate - [select for diffs], Sat May 10 16:46:53 2003 UTC (21 years, 1 month ago) by pb
Branch: MAIN
Changes since 1.230: +52 -52 lines
Diff to previous 1.230 (colored)

quote non-alphabetic literals

'over the desk' oks..

Revision 1.230 / (download) - annotate - [select for diffs], Sat May 10 00:45:43 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.229: +4 -2 lines
Diff to previous 1.229 (colored)

BNF for load anchor stuff

Revision 1.229 / (download) - annotate - [select for diffs], Tue May 6 15:52:27 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.228: +7 -6 lines
Diff to previous 1.228 (colored)

fix formatting in the BNF

Revision 1.228 / (download) - annotate - [select for diffs], Thu May 1 16:21:02 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.227: +3 -2 lines
Diff to previous 1.227 (colored)

BNF update for label on antispoof

Revision 1.227 / (download) - annotate - [select for diffs], Tue Apr 29 12:44:14 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.226: +52 -6 lines
Diff to previous 1.226 (colored)

document hfsc
mostly from Berk D. Demir <bdd at ieee.org> with tweaks by me
some nits and ok jmc@

Revision 1.226 / (download) - annotate - [select for diffs], Tue Apr 29 10:36:34 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.225: +4 -4 lines
Diff to previous 1.225 (colored)

port 8081 -> 8021 for ftp-proxy in the examples, so it matches pf.conf
and inetd.conf defaults

Revision 1.225 / (download) - annotate - [select for diffs], Fri Apr 25 19:18:25 2003 UTC (21 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.224: +3 -2 lines
Diff to previous 1.224 (colored)

added two missing .El macros;

ok henning@

Revision 1.224 / (download) - annotate - [select for diffs], Sat Apr 19 21:58:06 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.223: +12 -3 lines
Diff to previous 1.223 (colored)

BNF update for hfsc

Revision 1.223 / (download) - annotate - [select for diffs], Sat Apr 19 21:45:16 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.222: +18 -8 lines
Diff to previous 1.222 (colored)

mention hfsc.
this needs more work.

Revision 1.222 / (download) - annotate - [select for diffs], Sat Apr 5 21:46:50 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.221: +5 -2 lines
Diff to previous 1.221 (colored)

document queue .. on $interface

ok jmc@

Revision 1.221 / (download) - annotate - [select for diffs], Tue Apr 1 12:29:28 2003 UTC (21 years, 2 months ago) by pb
Branch: MAIN
Changes since 1.220: +2 -2 lines
Diff to previous 1.220 (colored)

'flags X' is not valid (BNF lied)

henning@ ok

Revision 1.220 / (download) - annotate - [select for diffs], Tue Apr 1 12:23:44 2003 UTC (21 years, 2 months ago) by pb
Branch: MAIN
Changes since 1.219: +10 -3 lines
Diff to previous 1.219 (colored)

anchors in BNF
(from loki at niteshade . net)

Revision 1.219 / (download) - annotate - [select for diffs], Sat Mar 22 00:10:17 2003 UTC (21 years, 2 months ago) by david
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE, OPENBSD_3_3
Changes since 1.218: +29 -29 lines
Diff to previous 1.218 (colored)

Cleanup for release:

remove some unneeded escaping of spaces "\ "
indent by 6 spaces in a few places to match the rest of the file
fix a few lines that were improperly wrapped or not wrapped to the next line
update sample rule expansion to match current state of pfctl output
fix spacing in a few places
fix a small typo found by jmc@
updated a few example rules so that they parse with current pfctl

ok henning@ jmc@

Revision 1.218 / (download) - annotate - [select for diffs], Thu Mar 20 01:27:17 2003 UTC (21 years, 2 months ago) by david
Branch: MAIN
Changes since 1.217: +42 -43 lines
Diff to previous 1.217 (colored)

replace some .Pp inside .Bd -literal block with empty line
remove an unneeded .Pp
kill whitespace at eol

ok jmc@

Revision 1.217 / (download) - annotate - [select for diffs], Thu Mar 13 19:26:27 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.216: +2 -2 lines
Diff to previous 1.216 (colored)

and bandwidth is bits per second

Revision 1.216 / (download) - annotate - [select for diffs], Thu Mar 13 19:21:05 2003 UTC (21 years, 2 months ago) by deraadt
Branch: MAIN
Changes since 1.215: +3 -3 lines
Diff to previous 1.215 (colored)

bits not bytes; fk@spoiled.org

Revision 1.215 / (download) - annotate - [select for diffs], Wed Mar 12 00:49:49 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.214: +117 -51 lines
Diff to previous 1.214 (colored)

fair amount of clarifications, extensions, and corrections
from joel knight <enabled at myrealbox.com>, some tweaks by me, some by jmc@

ok dhartmei@ mcbride@ cedric@

Revision 1.214 / (download) - annotate - [select for diffs], Mon Mar 10 14:15:02 2003 UTC (21 years, 3 months ago) by jmc
Branch: MAIN
Changes since 1.213: +7 -6 lines
Diff to previous 1.213 (colored)

small changes to mike's random-id section;
ok frantzen@

Revision 1.213 / (download) - annotate - [select for diffs], Mon Mar 10 09:40:47 2003 UTC (21 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.212: +6 -6 lines
Diff to previous 1.212 (colored)

use Pa for paths more

Revision 1.212 / (download) - annotate - [select for diffs], Mon Mar 10 09:33:51 2003 UTC (21 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.211: +4 -14 lines
Diff to previous 1.211 (colored)

few minor tweaks

Revision 1.211 / (download) - annotate - [select for diffs], Mon Mar 10 09:27:47 2003 UTC (21 years, 3 months ago) by jmc
Branch: MAIN
Changes since 1.210: +144 -395 lines
Diff to previous 1.210 (colored)

removal of .Ic for examples.
this was messing the postscript output.

Revision 1.210 / (download) - annotate - [select for diffs], Sun Mar 9 22:02:45 2003 UTC (21 years, 3 months ago) by frantzen
Branch: MAIN
Changes since 1.209: +23 -1 lines
Diff to previous 1.209 (colored)

- document that scrub 'no-df' is sometimes necessary for "certain" OS's NFS
- suggest 'random-id' with 'no-df' since "certain" OSes set ip->ip_id to zero
ok deraadt@ henning@

Revision 1.209 / (download) - annotate - [select for diffs], Thu Mar 6 04:03:40 2003 UTC (21 years, 3 months ago) by david
Branch: MAIN
Changes since 1.208: +2 -2 lines
Diff to previous 1.208 (colored)

date should be written formally: .Dd Month day, year
also fixes a few misspellings of the month
ok henning@ jmc@

Revision 1.208 / (download) - annotate - [select for diffs], Tue Mar 4 23:40:03 2003 UTC (21 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.207: +17 -1 lines
Diff to previous 1.207 (colored)

Add a paragraph explaining possible unwanted side-effects of redirecting
to the loopback address.

Revision 1.207 / (download) - annotate - [select for diffs], Tue Mar 4 22:50:36 2003 UTC (21 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.206: +6 -6 lines
Diff to previous 1.206 (colored)

more oops

Revision 1.206 / (download) - annotate - [select for diffs], Tue Mar 4 22:38:22 2003 UTC (21 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.205: +4 -4 lines
Diff to previous 1.205 (colored)

oops

Revision 1.205 / (download) - annotate - [select for diffs], Tue Mar 4 22:18:43 2003 UTC (21 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.204: +260 -89 lines
Diff to previous 1.204 (colored)

wrap Ic in Xo/Xc until fixed

Revision 1.204 / (download) - annotate - [select for diffs], Tue Mar 4 21:03:46 2003 UTC (21 years, 3 months ago) by frantzen
Branch: MAIN
Changes since 1.203: +28 -25 lines
Diff to previous 1.203 (colored)

leave my cave to clarify the caveats of state modulation
mdoc incantations from jmc@
ok henning@ deraadt@

Revision 1.203 / (download) - annotate - [select for diffs], Tue Mar 4 18:36:18 2003 UTC (21 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.202: +2 -1 lines
Diff to previous 1.202 (colored)

show example of string concat in macro assign

Revision 1.202 / (download) - annotate - [select for diffs], Tue Mar 4 18:03:09 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.201: +4 -4 lines
Diff to previous 1.201 (colored)

fix .Bl width, pt out by theo

Revision 1.201 / (download) - annotate - [select for diffs], Tue Mar 4 16:52:00 2003 UTC (21 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.200: +4 -4 lines
Diff to previous 1.200 (colored)

Fix limit BNF part, since we don't quote token literals, use limit-item,
and limit-list is already a list (due to the recursive definition) which
can also consist of just one entry, so no need for {}.
Found by Maik Kuendig

Revision 1.200 / (download) - annotate - [select for diffs], Tue Mar 4 16:50:01 2003 UTC (21 years, 3 months ago) by pb
Branch: MAIN
Changes since 1.199: +2 -2 lines
Diff to previous 1.199 (colored)

update BNF for 'queue ( q_def, q_pri )' and similar in filteropts

ok henning@

Revision 1.199 / (download) - annotate - [select for diffs], Tue Mar 4 16:35:47 2003 UTC (21 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.198: +3 -2 lines
Diff to previous 1.198 (colored)

other.single was missing in the BNF section, from Maik Kuendig

Revision 1.198 / (download) - annotate - [select for diffs], Tue Mar 4 16:23:32 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.197: +2 -2 lines
Diff to previous 1.197 (colored)

format nicer

Revision 1.197 / (download) - annotate - [select for diffs], Tue Mar 4 16:16:05 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.196: +9 -5 lines
Diff to previous 1.196 (colored)

lies

Revision 1.196 / (download) - annotate - [select for diffs], Tue Mar 4 16:05:42 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.195: +5 -5 lines
Diff to previous 1.195 (colored)

make the label example actually work... (missing quotes)

Revision 1.195 / (download) - annotate - [select for diffs], Tue Mar 4 15:54:54 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.194: +2 -2 lines
Diff to previous 1.194 (colored)

fix .Bl width in translation section

Revision 1.194 / (download) - annotate - [select for diffs], Tue Mar 4 15:47:40 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.193: +2 -2 lines
Diff to previous 1.193 (colored)

fix width in set block-policy list

Revision 1.193 / (download) - annotate - [select for diffs], Tue Mar 4 15:44:08 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.192: +1 -2 lines
Diff to previous 1.192 (colored)

pfctl -T create is no more

Revision 1.192 / (download) - annotate - [select for diffs], Tue Mar 4 15:40:40 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.191: +69 -19 lines
Diff to previous 1.191 (colored)

remove lies about queueing and finally take into account that we have more
than one scheduler, explain a bit more how that works etc etc
english(4) police passed in persona jmc@, ok pb@

Revision 1.191 / (download) - annotate - [select for diffs], Mon Mar 3 22:12:24 2003 UTC (21 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.190: +2 -2 lines
Diff to previous 1.190 (colored)

we mean: macros are not expanded inside quotes

Revision 1.190 / (download) - annotate - [select for diffs], Sun Mar 2 12:44:42 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.189: +2 -6 lines
Diff to previous 1.189 (colored)

cbq control keyword is gone

Revision 1.189 / (download) - annotate - [select for diffs], Sun Mar 2 12:37:49 2003 UTC (21 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.188: +3 -2 lines
Diff to previous 1.188 (colored)

The (optional) priority queue is also used for TCP ACKs without data
payload now.

Revision 1.188 / (download) - annotate - [select for diffs], Fri Feb 28 22:43:59 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.187: +2 -1 lines
Diff to previous 1.187 (colored)

note that default and control queue must not be identical

Revision 1.187 / (download) - annotate - [select for diffs], Fri Feb 21 16:59:29 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.186: +2 -2 lines
Diff to previous 1.186 (colored)

typo; Mr. Manpagebeauty Krause. Thanks!

Revision 1.186 / (download) - annotate - [select for diffs], Tue Feb 18 22:06:49 2003 UTC (21 years, 3 months ago) by pb
Branch: MAIN
Changes since 1.185: +6 -4 lines
Diff to previous 1.185 (colored)

add PRIQ scheduler to BNF

henning@ ok

Revision 1.185 / (download) - annotate - [select for diffs], Fri Feb 14 09:43:18 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.184: +4 -4 lines
Diff to previous 1.184 (colored)

more krause tweaks

Revision 1.184 / (download) - annotate - [select for diffs], Thu Feb 13 10:19:44 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.183: +5 -5 lines
Diff to previous 1.183 (colored)

be consistent when listing the different rule type for order requirement

krause

Revision 1.183 / (download) - annotate - [select for diffs], Thu Feb 13 09:39:14 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.182: +3 -3 lines
Diff to previous 1.182 (colored)

grammar; krause

ok jmc@

Revision 1.182 / (download) - annotate - [select for diffs], Thu Feb 13 09:33:53 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.181: +36 -24 lines
Diff to previous 1.181 (colored)

new sentence, new line

Revision 1.181 / (download) - annotate - [select for diffs], Thu Feb 13 08:23:40 2003 UTC (21 years, 3 months ago) by jmc
Branch: MAIN
Changes since 1.180: +3 -3 lines
Diff to previous 1.180 (colored)

typos;

setextattr(8): example markus@
spamd(8): someone else found some of these on bugs/misc, but for the life
	  of me I can't find out who
pf.conf(5): from openbsd@davidkrause.com
raidctl(8): from ian@darwinsys.com

Revision 1.180 / (download) - annotate - [select for diffs], Wed Feb 12 13:27:20 2003 UTC (21 years, 3 months ago) by mcbride
Branch: MAIN
Changes since 1.179: +4 -6 lines
Diff to previous 1.179 (colored)

Fix BNF for rdr and nat to match merge of rdr and nat parsing.

Revision 1.179 / (download) - annotate - [select for diffs], Mon Feb 10 11:26:30 2003 UTC (21 years, 4 months ago) by jmc
Branch: MAIN
Changes since 1.178: +3 -3 lines
Diff to previous 1.178 (colored)

queuing -> queueing for consistency

from openbsd@davidkrause.com via henning@

Revision 1.178 / (download) - annotate - [select for diffs], Mon Feb 10 11:09:10 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.177: +7 -8 lines
Diff to previous 1.177 (colored)

Add random-id to BNF syntax, clean up superfluous []
Reported by Dries Schellekens

Revision 1.177 / (download) - annotate - [select for diffs], Sat Feb 8 20:13:19 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.176: +6 -1 lines
Diff to previous 1.176 (colored)

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@

Revision 1.176 / (download) - annotate - [select for diffs], Mon Feb 3 16:17:49 2003 UTC (21 years, 4 months ago) by mpech
Branch: MAIN
Changes since 1.175: +2 -2 lines
Diff to previous 1.175 (colored)

Add blank space inside '.Xr Ic'.
Spotted by xvenient@free.fr via henning@.

millert@

Revision 1.175 / (download) - annotate - [select for diffs], Sun Feb 2 23:38:31 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.174: +2 -2 lines
Diff to previous 1.174 (colored)

typo in anchor section
From: Eduardo Augusto Alvarenga <eduardo at thrx.dyndns.org>

Revision 1.174 / (download) - annotate - [select for diffs], Sun Feb 2 22:47:18 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.173: +5 -5 lines
Diff to previous 1.173 (colored)

nicer indentation in the queue example
inspired by a mail to tech@ from
Eduardo Augusto Alvarenga <eduardo at thrx.dyndns.org>

Revision 1.173 / (download) - annotate - [select for diffs], Sat Feb 1 14:37:04 2003 UTC (21 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.172: +6 -5 lines
Diff to previous 1.172 (colored)

The network interface is not mandatory for translation rules.

ok dhartmei@

Revision 1.172 / (download) - annotate - [select for diffs], Thu Jan 30 15:05:37 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.171: +9 -1 lines
Diff to previous 1.171 (colored)

document :network and :broadcast modifiers
help jmc@

Revision 1.171 / (download) - annotate - [select for diffs], Sat Jan 25 17:49:37 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.170: +26 -5 lines
Diff to previous 1.170 (colored)

Make pf.conf reflect all changes that occurred in the last 2 weeks.

Revision 1.170 / (download) - annotate - [select for diffs], Sat Jan 25 09:35:43 2003 UTC (21 years, 4 months ago) by jmc
Branch: MAIN
Changes since 1.169: +14 -14 lines
Diff to previous 1.169 (colored)

s -> z; thanks naddy@

ok deraadt@

Revision 1.169 / (download) - annotate - [select for diffs], Fri Jan 24 20:39:54 2003 UTC (21 years, 4 months ago) by jmc
Branch: MAIN
Changes since 1.168: +860 -717 lines
Diff to previous 1.168 (colored)

Changed: - Am. Eng. -> Br. Eng.
		e.g. normalization -> normalisation
	 - examples/commands in white bold face
	 - .Pa macros -> .Ar
	 - ordered SEE ALSO
	 - removed double quotes from GRAMMAR section
	 - some grammar typos

ok deraadt@

Revision 1.168 / (download) - annotate - [select for diffs], Thu Jan 23 13:46:45 2003 UTC (21 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.167: +113 -109 lines
Diff to previous 1.167 (colored)

- rework Tables section in the introduction (pointed out by Theo)
- Macros and Tables can appear anywhere in pf.conf
- Since tables are no longer just a rule option, move the section up
  appropriately.

ok dhartmei@

Revision 1.167 / (download) - annotate - [select for diffs], Thu Jan 23 01:51:55 2003 UTC (21 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.166: +71 -41 lines
Diff to previous 1.166 (colored)

Cleanup of TABLES section.

Help with english language jmc@

ok dhartmei@ cedric@

Revision 1.166 / (download) - annotate - [select for diffs], Tue Jan 21 19:59:09 2003 UTC (21 years, 4 months ago) by jmc
Branch: MAIN
Changes since 1.165: +15 -16 lines
Diff to previous 1.165 (colored)

typos;
ok deraadt@

Revision 1.165 / (download) - annotate - [select for diffs], Wed Jan 15 23:19:19 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.164: +9 -4 lines
Diff to previous 1.164 (colored)

at least mention the PRIQ scheduler.
more to come...

Revision 1.164 / (download) - annotate - [select for diffs], Fri Jan 10 10:08:54 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.163: +2 -2 lines
Diff to previous 1.163 (colored)

Typo in tabledef grammar. Found by Rukh <openbsd@rukh.net>

Revision 1.163 / (download) - annotate - [select for diffs], Thu Jan 9 10:40:44 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.162: +77 -4 lines
Diff to previous 1.162 (colored)

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@

Revision 1.162 / (download) - annotate - [select for diffs], Mon Dec 30 23:58:46 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.161: +6 -6 lines
Diff to previous 1.161 (colored)

Match changes to pfctl and /etc/protocols. ipv6-icmp-type becomes icmp6-type;
"proto ipv6-icmp" still works, but prefer icmp6, since we have icmp6(4),
not ipv6-icmp(4).

ok dhartmei@ henning@

Revision 1.161 / (download) - annotate - [select for diffs], Mon Dec 30 11:26:20 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.160: +2 -2 lines
Diff to previous 1.160 (colored)

Remove stray 'hosts' on the nat-rule production in BNF, found by
Benjamin M.A. Robson.

Revision 1.160 / (download) - annotate - [select for diffs], Sat Dec 28 22:15:47 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.159: +16 -4 lines
Diff to previous 1.159 (colored)

More direct explanation of where the port number and protocol number to name
mappings come from.

ok dhartmei@ henning@

Revision 1.159 / (download) - annotate - [select for diffs], Tue Dec 24 21:28:46 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.158: +83 -85 lines
Diff to previous 1.158 (colored)

More cleanup.

- s/Em/Pa/ where appropriate
- get rid of references to spews and Tomcat
- more simplification by removal of direction
- timeout values are no longer a pfctl(8) thing

yes! henning@

Revision 1.158 / (download) - annotate - [select for diffs], Mon Dec 23 18:42:20 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.157: +2 -5 lines
Diff to previous 1.157 (colored)

do not mention optimization default, as "set optimization default" is not
parseable. "normal" is exactly the same, so use that.
good catch by David Krause (again).

Revision 1.157 / (download) - annotate - [select for diffs], Mon Dec 23 15:18:51 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.156: +2 -2 lines
Diff to previous 1.156 (colored)

Fix typo, pointed out by Dries Schellekens

Revision 1.156 / (download) - annotate - [select for diffs], Mon Dec 23 13:05:20 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.155: +13 -19 lines
Diff to previous 1.155 (colored)

A nudge towards reality:
- direction is now optional
- better way of specifying drop return rules
- wrap some lines which are too long.

ok dhartmei@ henning@

Revision 1.155 / (download) - annotate - [select for diffs], Sun Dec 22 16:23:35 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.154: +2 -2 lines
Diff to previous 1.154 (colored)

consistency; grange@

Revision 1.154 / (download) - annotate - [select for diffs], Wed Dec 18 07:45:37 2002 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.153: +4 -4 lines
Diff to previous 1.153 (colored)

how the heck did such a stupid mistake end up in here

Revision 1.153 / (download) - annotate - [select for diffs], Mon Dec 16 20:35:24 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.152: +2 -2 lines
Diff to previous 1.152 (colored)

nat after queue, good catch by marc@

Revision 1.152 / (download) - annotate - [select for diffs], Fri Dec 13 22:30:20 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.151: +2 -2 lines
Diff to previous 1.151 (colored)

minor glitch in the queue example

Revision 1.151 / (download) - annotate - [select for diffs], Fri Dec 13 21:54:31 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.150: +17 -9 lines
Diff to previous 1.150 (colored)

document extended queue syntax
help theo

Revision 1.150 / (download) - annotate - [select for diffs], Tue Dec 10 01:38:41 2002 UTC (21 years, 6 months ago) by margarida
Branch: MAIN
Changes since 1.149: +7 -6 lines
Diff to previous 1.149 (colored)

More nitpicking.
Correct placement of .Pp.
(Europeans do use nroff -mandoc)

deraadt@ henning@ ok

Revision 1.149 / (download) - annotate - [select for diffs], Tue Dec 10 00:33:33 2002 UTC (21 years, 6 months ago) by margarida
Branch: MAIN
Changes since 1.148: +29 -29 lines
Diff to previous 1.148 (colored)

More coherency: rule set(s) -> ruleset(s)

deraadt@ henning@ ok

Revision 1.148 / (download) - annotate - [select for diffs], Mon Dec 9 22:23:35 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.147: +7 -4 lines
Diff to previous 1.147 (colored)

show user & group correctly

Revision 1.147 / (download) - annotate - [select for diffs], Mon Dec 9 22:19:39 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.146: +2 -2 lines
Diff to previous 1.146 (colored)

ARRHGHGHGHGHGHGH

Revision 1.146 / (download) - annotate - [select for diffs], Mon Dec 9 22:09:21 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.145: +3 -1 lines
Diff to previous 1.145 (colored)

document the "all" keyword; Theo

Revision 1.145 / (download) - annotate - [select for diffs], Mon Dec 9 09:44:30 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.144: +3 -3 lines
Diff to previous 1.144 (colored)

two powerful words the germans should know: which and such

Revision 1.144 / (download) - annotate - [select for diffs], Sun Dec 8 20:59:08 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.143: +2 -4 lines
Diff to previous 1.143 (colored)

"flags X" is long dead, the /Y is mandatory now.
fix BNF and remove a now bogus comment
noticed during discussion with gustavo

Revision 1.143 / (download) - annotate - [select for diffs], Sun Dec 8 20:41:51 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.142: +2 -2 lines
Diff to previous 1.142 (colored)

typo; gustavo

Revision 1.142 / (download) - annotate - [select for diffs], Sun Dec 8 00:22:16 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.141: +4 -5 lines
Diff to previous 1.141 (colored)

scheduler keyword dies

Revision 1.141 / (download) - annotate - [select for diffs], Sun Dec 8 00:18:42 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.140: +44 -43 lines
Diff to previous 1.140 (colored)

BNF improvement: show that queue options are now flexible

Revision 1.140 / (download) - annotate - [select for diffs], Sat Dec 7 23:15:53 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.139: +31 -1 lines
Diff to previous 1.139 (colored)

Support parameters in anchor rules. Allows conditional evaluation, like:

  anchor spews inet proto tcp from any to any port smtp

ok deraadt

Revision 1.139 / (download) - annotate - [select for diffs], Sat Dec 7 22:58:40 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.138: +80 -80 lines
Diff to previous 1.138 (colored)

repair BNF to show that filter-opts can now be flexibly ordered on a
pass/block line

Revision 1.138 / (download) - annotate - [select for diffs], Fri Dec 6 00:47:32 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.137: +96 -1 lines
Diff to previous 1.137 (colored)

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@

Revision 1.137 / (download) - annotate - [select for diffs], Thu Dec 5 15:00:47 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.136: +7 -7 lines
Diff to previous 1.136 (colored)

typos; Dries Schellekens, Thanks!

Revision 1.136 / (download) - annotate - [select for diffs], Thu Dec 5 12:28:02 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.135: +83 -48 lines
Diff to previous 1.135 (colored)

more tweaking.  things above STATEFUL INSPECTION are now ok

Revision 1.135 / (download) - annotate - [select for diffs], Tue Dec 3 15:49:31 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.134: +2 -2 lines
Diff to previous 1.134 (colored)

add back clarification about percentage bandwidth spec; was accidentally
removed; negotiated with harding@

Revision 1.134 / (download) - annotate - [select for diffs], Tue Dec 3 10:47:53 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.133: +114 -102 lines
Diff to previous 1.133 (colored)

merge tweaks from harding

Revision 1.133 / (download) - annotate - [select for diffs], Mon Dec 2 22:26:16 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.132: +7 -2 lines
Diff to previous 1.132 (colored)

explain bandwidth specs better and cope with the last changes

Revision 1.132 / (download) - annotate - [select for diffs], Sun Dec 1 22:21:38 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.131: +2 -2 lines
Diff to previous 1.131 (colored)

little clarification about the valid priority numbers

Revision 1.131 / (download) - annotate - [select for diffs], Thu Nov 28 14:58:58 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.130: +10 -2 lines
Diff to previous 1.130 (colored)

+qlimit
+tbrsize

Revision 1.130 / (download) - annotate - [select for diffs], Wed Nov 27 17:52:53 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.129: +6 -6 lines
Diff to previous 1.129 (colored)

more tweaking

Revision 1.129 / (download) - annotate - [select for diffs], Wed Nov 27 17:04:30 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.128: +133 -157 lines
Diff to previous 1.128 (colored)

move even closer to where we want to be

Revision 1.128 / (download) - annotate - [select for diffs], Tue Nov 26 23:18:36 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.127: +13 -4 lines
Diff to previous 1.127 (colored)

more tweaks

Revision 1.127 / (download) - annotate - [select for diffs], Tue Nov 26 22:50:54 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.126: +2 -2 lines
Diff to previous 1.126 (colored)

tiny spacing nit

Revision 1.126 / (download) - annotate - [select for diffs], Tue Nov 26 22:46:27 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.125: +46 -27 lines
Diff to previous 1.125 (colored)

Fix various nits:
- references to ip(4) et al.
- Remove extra whitespace
- Finish some uncompleted sentences
- s/traffic shaping/bandwidth control/

ok deraadt@, frantzen@

Revision 1.125 / (download) - annotate - [select for diffs], Tue Nov 26 20:19:56 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.124: +29 -10 lines
Diff to previous 1.124 (colored)

fancier queue example

Revision 1.124 / (download) - annotate - [select for diffs], Tue Nov 26 19:20:12 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.123: +2 -2 lines
Diff to previous 1.123 (colored)

fix queue example

Revision 1.123 / (download) - annotate - [select for diffs], Tue Nov 26 19:13:05 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.122: +12 -12 lines
Diff to previous 1.122 (colored)

more cleanup

Revision 1.122 / (download) - annotate - [select for diffs], Tue Nov 26 19:09:07 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.121: +113 -73 lines
Diff to previous 1.121 (colored)

more cleanup, and nat parts from mcbride

Revision 1.121 / (download) - annotate - [select for diffs], Mon Nov 25 04:05:51 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.120: +78 -74 lines
Diff to previous 1.120 (colored)

another pass, sigh

Revision 1.120 / (download) - annotate - [select for diffs], Mon Nov 25 03:44:12 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.119: +2 -2 lines
Diff to previous 1.119 (colored)

fix queue example

Revision 1.119 / (download) - annotate - [select for diffs], Mon Nov 25 03:38:17 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.118: +35 -19 lines
Diff to previous 1.118 (colored)

more crap tuning

Revision 1.118 / (download) - annotate - [select for diffs], Mon Nov 25 03:25:56 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.117: +369 -324 lines
Diff to previous 1.117 (colored)

I am sick of this thing.  It does not follow the rules of manual pages.
Reorganize it, start to use the proper commands that one uses when writing
man pages, and damn well do not continue to make this a "different for
the hell of it" game.  One writes manual pages by reading the source of
others; if you cannot do it that way, stay the hell away.

Revision 1.117 / (download) - annotate - [select for diffs], Sun Nov 24 23:06:04 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.116: +7 -6 lines
Diff to previous 1.116 (colored)

consistency; s/nat/translation/ a few times

ok pb@ mcbride@

Revision 1.116 / (download) - annotate - [select for diffs], Sun Nov 24 18:12:12 2002 UTC (21 years, 6 months ago) by pb
Branch: MAIN
Changes since 1.115: +8 -2 lines
Diff to previous 1.115 (colored)

we "now" have /usr/share/pf
short descr about the items

henning "go ahead, schnellschnellschnell"

Revision 1.115 / (download) - annotate - [select for diffs], Sun Nov 24 17:41:53 2002 UTC (21 years, 6 months ago) by pb
Branch: MAIN
Changes since 1.114: +3 -3 lines
Diff to previous 1.114 (colored)

reflect new ordering requirements (..nat, queue, filter)

Revision 1.114 / (download) - annotate - [select for diffs], Sun Nov 24 17:27:49 2002 UTC (21 years, 6 months ago) by pb
Branch: MAIN
Changes since 1.113: +2 -1 lines
Diff to previous 1.113 (colored)

RIO is not yet in GENERIC

henning@, kjc@ ok

Revision 1.113 / (download) - annotate - [select for diffs], Sat Nov 23 05:24:19 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.112: +78 -10 lines
Diff to previous 1.112 (colored)

document "nat pools" changes

syntax may still change somewhat

ok dhartmei@ henning@

Revision 1.112 / (download) - annotate - [select for diffs], Wed Nov 20 10:55:26 2002 UTC (21 years, 6 months ago) by pb
Branch: MAIN
Changes since 1.111: +7 -5 lines
Diff to previous 1.111 (colored)

BNF update:
o catch up with queuespec change (no 'queue' in altq_rule)
o there can't be a lonely number for bandwidth
o s/k/K/ for queue_rule also

henning@ ok

Revision 1.111 / (download) - annotate - [select for diffs], Wed Nov 20 10:40:01 2002 UTC (21 years, 6 months ago) by pb
Branch: MAIN
Changes since 1.110: +1 -2 lines
Diff to previous 1.110 (colored)

Xr altq bu-bye

henning@ ok

Revision 1.110 / (download) - annotate - [select for diffs], Tue Nov 19 23:41:03 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.109: +13 -3 lines
Diff to previous 1.109 (colored)

talk about pass and block and queue

Revision 1.109 / (download) - annotate - [select for diffs], Tue Nov 19 22:18:50 2002 UTC (21 years, 6 months ago) by pb
Branch: MAIN
Changes since 1.108: +89 -1 lines
Diff to previous 1.108 (colored)

.Sh QUEUE RULES

more to come..

previous fixes from various ppl included:
ok henning@, mcbride@

Revision 1.108 / (download) - annotate - [select for diffs], Tue Nov 19 11:34:12 2002 UTC (21 years, 6 months ago) by pb
Branch: MAIN
Changes since 1.107: +2 -2 lines
Diff to previous 1.107 (colored)

"fix" .Nd, "they do not need to know"

request by deraadt@

Revision 1.107 / (download) - annotate - [select for diffs], Tue Nov 19 11:30:17 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.106: +2 -2 lines
Diff to previous 1.106 (colored)

kb -> Kb

Revision 1.106 / (download) - annotate - [select for diffs], Tue Nov 19 10:29:10 2002 UTC (21 years, 6 months ago) by pb
Branch: MAIN
Changes since 1.105: +18 -5 lines
Diff to previous 1.105 (colored)

first catch up with altq merge:
-Nd: catch on man -k altq/queue
-Xr
-BNF: should leave enough place/logic for more than cbq

henning@ "commit" ok

Revision 1.105 / (download) - annotate - [select for diffs], Wed Nov 13 18:24:53 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.104: +3 -1 lines
Diff to previous 1.104 (colored)

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@

Revision 1.104 / (download) - annotate - [select for diffs], Fri Nov 8 08:08:47 2002 UTC (21 years, 7 months ago) by mpech
Branch: MAIN
Changes since 1.103: +1 -2 lines
Diff to previous 1.103 (colored)

Time to cleanup:
o) start new sentence on a new line;
o) wrap long lines;
o) don't use .Pp before/after .Sh, .Ss;
o) OpenBSD -> .Ox;
o) typos;
o) close .Rs;
o) use space between arguments in tag, for example:
   .Xr blabla ) .

miod@ ok

Revision 1.103 / (download) - annotate - [select for diffs], Wed Nov 6 00:30:04 2002 UTC (21 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.102: +3 -3 lines
Diff to previous 1.102 (colored)

2x spelling, Jolan Luff, Thanks!

Revision 1.102 / (download) - annotate - [select for diffs], Mon Nov 4 14:30:21 2002 UTC (21 years, 7 months ago) by dhartmei
Branch: MAIN
Changes since 1.101: +2 -2 lines
Diff to previous 1.101 (colored)

state-opt = "max" seconds -> number, it limits the number of states not
time. ok henning@, pb@

Revision 1.101 / (download) - annotate - [select for diffs], Thu Oct 31 10:51:03 2002 UTC (21 years, 7 months ago) by pb
Branch: MAIN
Changes since 1.100: +13 -3 lines
Diff to previous 1.100 (colored)

document 'set require-order (yes|no)'
mini-BNF fix

henning@ ok

Revision 1.100 / (download) - annotate - [select for diffs], Thu Oct 31 09:18:24 2002 UTC (21 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.99: +3 -3 lines
Diff to previous 1.99 (colored)

spelling; Jolan Luff, thanks!

Revision 1.99 / (download) - annotate - [select for diffs], Sun Oct 27 13:56:59 2002 UTC (21 years, 7 months ago) by pb
Branch: MAIN
Changes since 1.98: +2 -7 lines
Diff to previous 1.98 (colored)

Remove 'flags X' syntax, if people make heavy use of X/FOOBAR, they
should use macros, e.g.
tcpinit="S/SAFR"
pass in ... flags $tcpinit

Revision 1.98 / (download) - annotate - [select for diffs], Mon Oct 14 19:37:51 2002 UTC (21 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.97: +3 -3 lines
Diff to previous 1.97 (colored)

.Cm inside .Bd -literal screws up

Revision 1.97 / (download) - annotate - [select for diffs], Mon Oct 14 13:07:32 2002 UTC (21 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.96: +3 -3 lines
Diff to previous 1.96 (colored)

grammar & formatting
From: Jolan Luff <jolan@cryptonomicon.org>, who is no i386 weenie ;-)
Thanks!

Revision 1.96 / (download) - annotate - [select for diffs], Mon Oct 14 12:59:40 2002 UTC (21 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.95: +5 -4 lines
Diff to previous 1.95 (colored)

document binat netblocks
from ryan

Revision 1.95 / (download) - annotate - [select for diffs], Mon Oct 14 09:21:34 2002 UTC (21 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.94: +2 -2 lines
Diff to previous 1.94 (colored)

your -> one's
From: Gregory Steuck <greg@nest.cx>
Thanks!

Revision 1.94 / (download) - annotate - [select for diffs], Sun Oct 13 15:51:55 2002 UTC (21 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.93: +17 -1 lines
Diff to previous 1.93 (colored)

talk about lo0 issues
from Gregory Steuck greg at nest dot cx

Revision 1.93 / (download) - annotate - [select for diffs], Wed Oct 9 14:37:01 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.92: +51 -11 lines
Diff to previous 1.92 (colored)

document the extended return-icmp syntax, block return, block drop and set
block-policy.

from ryan

ok dhartmei@

Revision 1.92 / (download) - annotate - [select for diffs], Mon Oct 7 12:39:29 2002 UTC (21 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.91: +24 -1 lines
Diff to previous 1.91 (colored)

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.

Revision 1.91 / (download) - annotate - [select for diffs], Sat Oct 5 21:17:57 2002 UTC (21 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.90: +5 -2 lines
Diff to previous 1.90 (colored)

Allow filtering based on IP header's tos field.

Revision 1.90 / (download) - annotate - [select for diffs], Fri Oct 4 10:15:37 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.89: +20 -16 lines
Diff to previous 1.89 (colored)

new sentence, new line
pointed out by Dries Schellekens, Thanks!

Revision 1.89 / (download) - annotate - [select for diffs], Mon Sep 30 23:41:46 2002 UTC (21 years, 8 months ago) by frantzen
Branch: MAIN
CVS Tags: OPENBSD_3_2_BASE, OPENBSD_3_2
Changes since 1.88: +53 -21 lines
Diff to previous 1.88 (colored)

document fragcache
comments jasoni@, deraadt@.  ok henning@ and deraadt@
i'm sure at least one man page nazi will find something in it though

Revision 1.88 / (download) - annotate - [select for diffs], Sat Sep 28 22:49:19 2002 UTC (21 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.87: +2 -2 lines
Diff to previous 1.87 (colored)

better word; ish

Revision 1.87 / (download) - annotate - [select for diffs], Thu Sep 26 08:30:36 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.86: +16 -1 lines
Diff to previous 1.86 (colored)

document extended antispoof
some help nick@ and frantzen@
ok theo

Revision 1.86 / (download) - annotate - [select for diffs], Wed Sep 18 16:28:47 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.85: +16 -20 lines
Diff to previous 1.85 (colored)

not good; back to old version

Revision 1.85 / (download) - annotate - [select for diffs], Wed Sep 18 16:14:31 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.84: +20 -16 lines
Diff to previous 1.84 (colored)

nicer english, use Packet Filter instead of packet filter
work by nick@ and a bit nitpicking by me

ok pb@

Revision 1.84 / (download) - annotate - [select for diffs], Sun Sep 15 19:36:22 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.83: +2 -2 lines
Diff to previous 1.83 (colored)

consistency

Revision 1.83 / (download) - annotate - [select for diffs], Sun Sep 15 19:30:54 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.82: +2 -2 lines
Diff to previous 1.82 (colored)

don't forget to mention options in the always famous "Rules must be in order"

Revision 1.82 / (download) - annotate - [select for diffs], Thu Sep 12 13:47:20 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.81: +21 -1 lines
Diff to previous 1.81 (colored)

explain antispoof
most work by nick@

Revision 1.81 / (download) - annotate - [select for diffs], Thu Sep 12 12:17:05 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.80: +7 -2 lines
Diff to previous 1.80 (colored)

BNF for antispoof

Revision 1.80 / (download) - annotate - [select for diffs], Thu Sep 12 12:14:35 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.79: +4 -3 lines
Diff to previous 1.79 (colored)

nicer

Revision 1.79 / (download) - annotate - [select for diffs], Fri Sep 6 09:46:52 2002 UTC (21 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.78: +6 -5 lines
Diff to previous 1.78 (colored)

yes, you can specify the address family in nat/rdr/binat rules.
noticed through a misc@ mail by Paul de Weerd

Revision 1.78 / (download) - annotate - [select for diffs], Sat Aug 10 15:40:05 2002 UTC (21 years, 10 months ago) by pb
Branch: MAIN
Changes since 1.77: +44 -44 lines
Diff to previous 1.77 (colored)

move section parameters more upwards, include section quick and logging
as a subsection (style changes later)

ok henning@, frantzen@

Revision 1.77 / (download) - annotate - [select for diffs], Thu Aug 8 15:16:42 2002 UTC (21 years, 10 months ago) by pb
Branch: MAIN
Changes since 1.76: +1 -39 lines
Diff to previous 1.76 (colored)

remove explanations of external programs (pfctl/tcpdump)

ok henning@, dhartmei@, frantzen@

Revision 1.76 / (download) - annotate - [select for diffs], Sun Aug 4 14:27:48 2002 UTC (21 years, 10 months ago) by pb
Branch: MAIN
Changes since 1.75: +2 -2 lines
Diff to previous 1.75 (colored)

.SH -> .Sh NAT EXAMPLES

Revision 1.75 / (download) - annotate - [select for diffs], Tue Jul 30 17:28:54 2002 UTC (21 years, 10 months ago) by pb
Branch: MAIN
Changes since 1.74: +9 -9 lines
Diff to previous 1.74 (colored)

BNF is now in sync with reality:
- commas are optional in lists

ok henning@, dhartmei@

Revision 1.74 / (download) - annotate - [select for diffs], Tue Jul 30 16:35:15 2002 UTC (21 years, 10 months ago) by pb
Branch: MAIN
Changes since 1.73: +7 -8 lines
Diff to previous 1.73 (colored)

BNF catchup and consolidation of interface name handling:

ok henning@, dhartmei@

Revision 1.73 / (download) - annotate - [select for diffs], Tue Jul 30 13:53:57 2002 UTC (21 years, 10 months ago) by pb
Branch: MAIN
Changes since 1.72: +21 -40 lines
Diff to previous 1.72 (colored)

Merge filter and nat BNF for simplification:
- top of reduction is now 'line', better to add more keywords later on
- reorder, group
- remove double productions

ok dhartmei@, henning@

Revision 1.72 / (download) - annotate - [select for diffs], Tue Jul 30 11:55:31 2002 UTC (21 years, 10 months ago) by pb
Branch: MAIN
Changes since 1.71: +7 -6 lines
Diff to previous 1.71 (colored)

BNF catchup to reality:
- set loginterface none
- add "self" to hosts

ok henning@

Revision 1.71 / (download) - annotate - [select for diffs], Tue Jul 30 11:21:46 2002 UTC (21 years, 10 months ago) by pb
Branch: MAIN
Changes since 1.70: +3 -3 lines
Diff to previous 1.70 (colored)

typo/pasto in route-to/dup-to syntax
ok henning@

Revision 1.70 / (download) - annotate - [select for diffs], Tue Jul 30 09:25:00 2002 UTC (21 years, 10 months ago) by pb
Branch: MAIN
Changes since 1.69: +120 -121 lines
Diff to previous 1.69 (colored)

.Sh GRAMMAR moves to bottom, it's a reference and not readable
for the casual user in the first place

ok henning@

Revision 1.69 / (download) - annotate - [select for diffs], Tue Jul 30 08:56:07 2002 UTC (21 years, 10 months ago) by pb
Branch: MAIN
Changes since 1.68: +2 -2 lines
Diff to previous 1.68 (colored)

65335->65535 typo
henning ok@

Revision 1.68 / (download) - annotate - [select for diffs], Tue Jul 30 08:55:12 2002 UTC (21 years, 10 months ago) by pb
Branch: MAIN
Changes since 1.67: +466 -458 lines
Diff to previous 1.67 (colored)

backout, this will go in in little pieces
as advised by theo and henning

Revision 1.67 / (download) - annotate - [select for diffs], Mon Jul 29 22:40:45 2002 UTC (21 years, 10 months ago) by pb
Branch: MAIN
Changes since 1.66: +456 -464 lines
Diff to previous 1.66 (colored)

o complete restructuring
o BNF has been fixed and should represent -current as close as possible
o theo: commit this, and then let us get started fixing it.

Revision 1.66 / (download) - annotate - [select for diffs], Sun Jul 21 21:28:06 2002 UTC (21 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.65: +5 -3 lines
Diff to previous 1.65 (colored)

fix route-to also

Revision 1.65 / (download) - annotate - [select for diffs], Fri Jul 5 14:32:45 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.64: +6 -1 lines
Diff to previous 1.64 (colored)

document "set loginterface none"

Revision 1.64 / (download) - annotate - [select for diffs], Thu Jul 4 10:51:18 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.63: +164 -3 lines
Diff to previous 1.63 (colored)

document setting options in pf.conf
ok dhartmei@

Revision 1.63 / (download) - annotate - [select for diffs], Mon Jul 1 23:10:33 2002 UTC (21 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.62: +18 -15 lines
Diff to previous 1.62 (colored)

Language improvements and line wrapping fixes, from Moritz Jodeit

Revision 1.62 / (download) - annotate - [select for diffs], Mon Jun 24 09:54:43 2002 UTC (21 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.61: +4 -4 lines
Diff to previous 1.61 (colored)

Fix more example rules

Revision 1.61 / (download) - annotate - [select for diffs], Thu Jun 20 12:04:54 2002 UTC (21 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.60: +16 -7 lines
Diff to previous 1.60 (colored)

Use 'inet' in translation rules where required, add example for proxy
port selection. From jolan at enteract dot com

Revision 1.60 / (download) - annotate - [select for diffs], Thu Jun 20 06:43:58 2002 UTC (21 years, 11 months ago) by mpech
Branch: MAIN
Changes since 1.59: +2 -2 lines
Diff to previous 1.59 (colored)

typo from form@.

Revision 1.59 / (download) - annotate - [select for diffs], Thu Jun 20 06:21:40 2002 UTC (21 years, 11 months ago) by mpech
Branch: MAIN
Changes since 1.58: +18 -14 lines
Diff to previous 1.58 (colored)

Spotted by form@, mdoc things from mpech@:
o) wrap long lines;
o) start new sentence on a new line;
o) 41952 -> 49151;
o) add 'flags S/SA' in "FILTER EXAMPLES";
o) remove blank lines before .Ed;

dhartmei@, henning@

Revision 1.58 / (download) - annotate - [select for diffs], Sun Jun 16 17:54:30 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.57: +199 -18 lines
Diff to previous 1.57 (colored)

merge nat.conf.5
most work by Chris Kuethe, some changes by me.
ok dhartmei@, pb@

Revision 1.57 / (download) - annotate - [select for diffs], Fri Jun 14 21:34:58 2002 UTC (21 years, 11 months ago) by todd
Branch: MAIN
Changes since 1.56: +2 -2 lines
Diff to previous 1.56 (colored)

spelling; from Brian Poole <raj@cerias.purdue.edu>

Revision 1.56 / (download) - annotate - [select for diffs], Sat Jun 8 17:10:52 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.55: +2 -2 lines
Diff to previous 1.55 (colored)

.Xr pf.conf 5 . -> pfctl 8, from Dries Schellekens

Revision 1.55 / (download) - annotate - [select for diffs], Sat Jun 8 08:46:49 2002 UTC (22 years ago) by henning
Branch: MAIN
Changes since 1.54: +1 -7 lines
Diff to previous 1.54 (colored)

no macro concatenation

Revision 1.54 / (download) - annotate - [select for diffs], Sat Jun 8 08:12:31 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.53: +2 -2 lines
Diff to previous 1.53 (colored)

'(' -> "(" in BNF, from Dries Schellekens

Revision 1.53 / (download) - annotate - [select for diffs], Sat Jun 8 08:05:14 2002 UTC (22 years ago) by henning
Branch: MAIN
Changes since 1.52: +7 -1 lines
Diff to previous 1.52 (colored)

document macro concatenation
ok dhartmei@

Revision 1.52 / (download) - annotate - [select for diffs], Sat Jun 8 07:58:07 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.51: +23 -7 lines
Diff to previous 1.51 (colored)

Make state timeouts configurable per rule, like

  pass in from any to any port www keep state (tcp.established 60)

ok frantzen@

Revision 1.51 / (download) - annotate - [select for diffs], Sat Jun 8 04:36:18 2002 UTC (22 years ago) by henning
Branch: MAIN
Changes since 1.50: +32 -4 lines
Diff to previous 1.50 (colored)

document $proto, $nr in rule labels
add example
ok dhartmei@

Revision 1.50 / (download) - annotate - [select for diffs], Fri Jun 7 22:53:45 2002 UTC (22 years ago) by pb
Branch: MAIN
Changes since 1.49: +4 -3 lines
Diff to previous 1.49 (colored)

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok

Revision 1.49 / (download) - annotate - [select for diffs], Fri Jun 7 21:25:36 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.48: +7 -2 lines
Diff to previous 1.48 (colored)

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@

Revision 1.48 / (download) - annotate - [select for diffs], Fri Jun 7 19:41:23 2002 UTC (22 years ago) by henning
Branch: MAIN
Changes since 1.47: +4 -1 lines
Diff to previous 1.47 (colored)

document $srcaddr/$srcport/$dstaddr/$dstport in rule labels
ok dhartmei@

Revision 1.47 / (download) - annotate - [select for diffs], Sat Jun 1 04:08:47 2002 UTC (22 years ago) by hugh
Branch: MAIN
Changes since 1.46: +5 -4 lines
Diff to previous 1.46 (colored)

Document ECN support, with input from dhartmei@.

Revision 1.46 / (download) - annotate - [select for diffs], Sun May 12 15:02:52 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.45: +15 -4 lines
Diff to previous 1.45 (colored)

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.

Revision 1.45 / (download) - annotate - [select for diffs], Sun May 12 00:54:56 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.44: +14 -12 lines
Diff to previous 1.44 (colored)

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.

Revision 1.44 / (download) - annotate - [select for diffs], Thu May 9 21:58:12 2002 UTC (22 years, 1 month ago) by jasoni
Branch: MAIN
Changes since 1.43: +5 -2 lines
Diff to previous 1.43 (colored)

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@

Revision 1.43 / (download) - annotate - [select for diffs], Thu May 9 19:58:42 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.42: +40 -6 lines
Diff to previous 1.42 (colored)

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.

Revision 1.42 / (download) - annotate - [select for diffs], Wed May 8 18:54:14 2002 UTC (22 years, 1 month ago) by jasoni
Branch: MAIN
Changes since 1.41: +4 -5 lines
Diff to previous 1.41 (colored)

move route grammar to a more logical place, suggested by malachi@vaned.net
- ok dhartmei@

Revision 1.41 / (download) - annotate - [select for diffs], Tue Apr 30 16:23:01 2002 UTC (22 years, 1 month ago) by mpech
Branch: MAIN
Changes since 1.40: +2 -2 lines
Diff to previous 1.40 (colored)

typo: form -> from. From form@

Revision 1.40 / (download) - annotate - [select for diffs], Wed Apr 24 18:10:25 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.39: +11 -11 lines
Diff to previous 1.39 (colored)

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).

Revision 1.39 / (download) - annotate - [select for diffs], Tue Apr 23 14:32:23 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.38: +64 -3 lines
Diff to previous 1.38 (colored)

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.

Revision 1.38 / (download) - annotate - [select for diffs], Wed Apr 17 17:25:35 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.37: +2 -2 lines
Diff to previous 1.37 (colored)

50'000 -> 50000 (50,000 is equally wrong ;), from David Krause

Revision 1.37 / (download) - annotate - [select for diffs], Thu Mar 28 02:43:47 2002 UTC (22 years, 2 months ago) by mickey
Branch: MAIN
CVS Tags: OPENBSD_3_1_BASE, OPENBSD_3_1
Changes since 1.36: +2 -2 lines
Diff to previous 1.36 (colored)

looko; from Dries Schellekens <gwyllion@ace.ulyssis.org>

Revision 1.36 / (download) - annotate - [select for diffs], Wed Mar 27 18:16:17 2002 UTC (22 years, 2 months ago) by mickey
Branch: MAIN
Changes since 1.35: +14 -4 lines
Diff to previous 1.35 (colored)

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok

Revision 1.35 / (download) - annotate - [select for diffs], Sun Mar 17 18:22:45 2002 UTC (22 years, 2 months ago) by dhartmei
Branch: MAIN
Changes since 1.34: +6 -1 lines
Diff to previous 1.34 (colored)

Add references to FILES and SEE ALSO sections. From David Krause.

Revision 1.34 / (download) - annotate - [select for diffs], Thu Mar 7 13:17:40 2002 UTC (22 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.33: +44 -39 lines
Diff to previous 1.33 (colored)

Add interface-list to BNF, re-indent and wrap. Found by Attila Nagy.

Revision 1.33 / (download) - annotate - [select for diffs], Sat Feb 23 01:22:54 2002 UTC (22 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.32: +6 -1 lines
Diff to previous 1.32 (colored)

Mention that normalization happens before filtering, and that the position
of scrub rules (in relation to pass/block rules) is not relevant.

Revision 1.32 / (download) - annotate - [select for diffs], Tue Feb 19 12:18:24 2002 UTC (22 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.31: +11 -9 lines
Diff to previous 1.31 (colored)

Add a BNF production for address (interface name, host name, or numeric).
In the examples, change "port = x" -> "port x", since it's shorter and
valid.

Revision 1.31 / (download) - annotate - [select for diffs], Fri Feb 15 00:29:56 2002 UTC (22 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.30: +2 -2 lines
Diff to previous 1.30 (colored)

Correct BNF, unary port operators are optional and default to =,
"pass ... to any port = ssh" and "pass ... to any port ssh" are
equivalent.

Revision 1.30 / (download) - annotate - [select for diffs], Sun Jan 27 02:08:08 2002 UTC (22 years, 4 months ago) by frantzen
Branch: MAIN
Changes since 1.29: +20 -8 lines
Diff to previous 1.29 (colored)

clarify the caveats of state modulation a wee bit

Revision 1.29 / (download) - annotate - [select for diffs], Wed Jan 9 11:30:53 2002 UTC (22 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.28: +8 -2 lines
Diff to previous 1.28 (colored)

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.

Revision 1.28 / (download) - annotate - [select for diffs], Fri Dec 7 20:36:17 2001 UTC (22 years, 6 months ago) by beck
Branch: MAIN
Changes since 1.27: +7 -1 lines
Diff to previous 1.27 (colored)

add example for ftp-proxy data connections, to reduce some of the questions
on misc@.  ok dhartmei@

Revision 1.27 / (download) - annotate - [select for diffs], Mon Nov 26 16:51:13 2001 UTC (22 years, 6 months ago) by jasoni
Branch: MAIN
Changes since 1.26: +24 -2 lines
Diff to previous 1.26 (colored)

add bnf and some documentation on fastroute/route-to/dup-to

Revision 1.26 / (download) - annotate - [select for diffs], Wed Oct 24 10:23:53 2001 UTC (22 years, 7 months ago) by dhartmei
Branch: MAIN
Changes since 1.25: +2 -2 lines
Diff to previous 1.25 (colored)

"minium" -> "minimum", ok deraadt@

Revision 1.25 / (download) - annotate - [select for diffs], Mon Oct 15 16:22:22 2001 UTC (22 years, 7 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_0_BASE, OPENBSD_3_0
Changes since 1.24: +16 -2 lines
Diff to previous 1.24 (colored)

Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@

Revision 1.24 / (download) - annotate - [select for diffs], Thu Oct 11 19:52:28 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.23: +1 -6 lines
Diff to previous 1.23 (colored)

Remove URL, the FAQ links to it.

Revision 1.23 / (download) - annotate - [select for diffs], Thu Oct 11 19:02:19 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.22: +2 -1 lines
Diff to previous 1.22 (colored)

List possible flags (FIN, SYN, RST, PUSH, ACK, URG), suggested
by Todd Fries.

Revision 1.22 / (download) - annotate - [select for diffs], Tue Oct 9 13:49:18 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.21: +14 -10 lines
Diff to previous 1.21 (colored)

man page corrections, from Brian J. Kifiak

Revision 1.21 / (download) - annotate - [select for diffs], Sun Oct 7 11:56:57 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.20: +16 -3 lines
Diff to previous 1.20 (colored)

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.

Revision 1.20 / (download) - annotate - [select for diffs], Fri Oct 5 14:45:54 2001 UTC (22 years, 8 months ago) by mpech
Branch: MAIN
Changes since 1.19: +15 -12 lines
Diff to previous 1.19 (colored)

Powered by @mantoya:
o) start new sentence on a new line;
o) minor mdoc fixes;
millert@ ok

Tip of the day:   www.mpechismazohist.com

Revision 1.19 / (download) - annotate - [select for diffs], Mon Oct 1 19:04:16 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.18: +27 -25 lines
Diff to previous 1.18 (colored)

Clean up example rule set. Use \ to wrap lines, use macro for interface name,
scrub in all.

Revision 1.18 / (download) - annotate - [select for diffs], Mon Oct 1 18:44:36 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.17: +3 -3 lines
Diff to previous 1.17 (colored)

It's keep state and modulate state, not keep-state/modulate-state.

Revision 1.17 / (download) - annotate - [select for diffs], Fri Sep 28 14:12:15 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.16: +7 -4 lines
Diff to previous 1.16 (colored)

Support underscores in macro names and document it in the man page.

Revision 1.16 / (download) - annotate - [select for diffs], Tue Sep 25 19:55:25 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.15: +4 -4 lines
Diff to previous 1.15 (colored)

Update examples (af is required for proto icmp).

Revision 1.15 / (download) - annotate - [select for diffs], Sat Sep 15 14:04:20 2001 UTC (22 years, 8 months ago) by jakob
Branch: MAIN
Changes since 1.14: +13 -5 lines
Diff to previous 1.14 (colored)

describe pflogd usage; canacar@eee.metu.edu.tr, ok deraadt@

Revision 1.14 / (download) - annotate - [select for diffs], Sat Sep 15 03:54:40 2001 UTC (22 years, 8 months ago) by frantzen
Branch: MAIN
Changes since 1.13: +25 -10 lines
Diff to previous 1.13 (colored)

IPv6 support from Ryan McBride (mcbride@countersiege.com)

Revision 1.13 / (download) - annotate - [select for diffs], Tue Aug 28 08:48:57 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.12: +9 -1 lines
Diff to previous 1.12 (colored)

Mention macro definition/expansion with an example.

Revision 1.12 / (download) - annotate - [select for diffs], Sat Aug 25 21:54:26 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.11: +40 -4 lines
Diff to previous 1.11 (colored)

PF ISN randomization.  Or in trekkie techno-babble, ISN phase modulation.

Revision 1.11 / (download) - annotate - [select for diffs], Sun Aug 19 16:44:39 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.10: +34 -34 lines
Diff to previous 1.10 (colored)

Parameter list expansion, documentation and examples.

Revision 1.10 / (download) - annotate - [select for diffs], Tue Jul 31 09:02:18 2001 UTC (22 years, 10 months ago) by wilfried
Branch: MAIN
Changes since 1.9: +6 -3 lines
Diff to previous 1.9 (colored)

allow to test that flags are unset, ok dhartmei@,  mickey@

Revision 1.9 / (download) - annotate - [select for diffs], Sun Jul 22 20:47:19 2001 UTC (22 years, 10 months ago) by krw
Branch: MAIN
Changes since 1.8: +2 -2 lines
Diff to previous 1.8 (colored)

Fix times vs timed typo. Closes PR #1952.

Revision 1.8 / (download) - annotate - [select for diffs], Fri Jul 20 15:42:39 2001 UTC (22 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.7: +4 -4 lines
Diff to previous 1.7 (colored)

fix example: you need 'proto' if you specify ports

Revision 1.7 / (download) - annotate - [select for diffs], Fri Jul 20 14:11:05 2001 UTC (22 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.6: +40 -44 lines
Diff to previous 1.6 (colored)

first cut at a cleanup

Revision 1.6 / (download) - annotate - [select for diffs], Tue Jul 17 22:33:02 2001 UTC (22 years, 10 months ago) by provos
Branch: MAIN
Changes since 1.5: +19 -2 lines
Diff to previous 1.5 (colored)

talk about normalization

Revision 1.5 / (download) - annotate - [select for diffs], Mon Jul 16 15:41:59 2001 UTC (22 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.4: +110 -72 lines
Diff to previous 1.4 (colored)

improvements by mpech@. thank you.

Revision 1.4 / (download) - annotate - [select for diffs], Mon Jul 16 14:25:39 2001 UTC (22 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.3: +199 -19 lines
Diff to previous 1.3 (colored)

add some substance. formatting probably sub-standard. help appreciated.

Revision 1.3 / (download) - annotate - [select for diffs], Tue Jul 10 11:05:41 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.2: +1 -5 lines
Diff to previous 1.2 (colored)

some .Pp removed, according to mpech@

Revision 1.2 / (download) - annotate - [select for diffs], Mon Jul 9 22:12:03 2001 UTC (22 years, 11 months ago) by marc
Branch: MAIN
Changes since 1.1: +2 -2 lines
Diff to previous 1.1 (colored)

Add missing closing paren

Revision 1.1 / (download) - annotate - [select for diffs], Sun Jul 8 14:31:23 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN

first draft of pf.conf man page (just BNF grammar and example yet)
