to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
    block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more people ok'd it but I don't remember

ok cedric@

created by this rule from appearing on the pfsync(4) interface. e.g.
pass in proto tcp to self flags S/SA keep state (no-sync)
ok cedric@ henning@ dhartmei@
the idea is not mine and I'd love to give credit, but I cannot find the mail
any more :-((
ok canacar@ dhartmei@
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftovers in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):
- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE
They are replaced by the following ioctls (yes, pf(4) will follow)
which operate on a vector of rulesets:
- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK
Ok dhartmei@ mcbride@
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@

ok dhartmei@ jmc@

Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
redirection rules...
The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.
This implementation supports all table features, including CIDR blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.
Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"
ok henning@ mcbride@
instead of indirectly through struct pf_rule_addr.
Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.
Needless to say: KERNEL/USERLAND SYNC REQUIRED.
ok henning@ mcbride@

ok dhartmei@

I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@
- remove the tableaddrs and tableaddr yacc productions and reuse
host_list instead.
- produce better error messages.
- do not load addresses from an external file when it is not
required (like with the -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and brings table definitions consistent with other
parsed rules.
ok dhartmei@

ok dhartmei@ henning@

nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.
ok dhartmei@ cedric@ markus@
The pfctl.c part will probably need some further improvements.
ok henning@
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.
I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)
ok dhartmei@ henning@
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric
- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()
NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>
dynaddr rules after we know the address family
ok dhartmei@, inspired by a session with bob
load bullshit
block in ! tagged sometag
ok dhartmei@ pb@
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive
endpoint, preventing spoofed SYN floods from reaching the passive endpoint.
No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.
ok frantzen@
ok henning@ dhartmei@
okie dhartmei@, yay pb@
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
    pass in quick on fxp0 keep state tag blah
    pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more
ok dhartmei@ frantzen@ pb@ mcbride@
Makes nat ... -> $ext_if port 500 rules work correctly again.
ok henning@ dhartmei@ frantzen@