Age | Commit message | Author
ok deraadt@
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.
OK deraadt@
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr
the main configuration file; ok henning
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others
Requested by deraadt@
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.
OK henning@, markus@
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.
Eyeballed by markus@, OK henning@
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing range checks while at it. thanks for help by cloder and
dhartmei
criteria. ok mcbride@
OK henning@, ``passt scho'' markus@
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.
ok deraadt@
"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]
You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.
cleanup and ok henning@
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified
'looks sensible' deraadt@
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").
anchor on fxp0 {
pass in proto tcp port 22
}
The anchor name is optional on inline loaded anchors.
testing ckuethe@
ok henning@ dhartmei@
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride
pointed out by david@
ok mpf@ dhartmei@
the anchor, terminate ruleset evaluation when stepping out of the anchor.
This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.
ok dhartmei@ henning@ deraadt@
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.
IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.
Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.
ok dhartmei@ deraadt@ henning@
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.
with & ok claudio hshoexer
timeouts.
other things work. ok henning
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.
quite some time... theo likes
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.
bugfix feedback claudio@; ok claudio@ and dhartmei@
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>
option to log. so, 'log-all' becomes 'log (all)'.
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v are used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.
ok dhartmei
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@
ok dhartmei mcbride
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo
if there are flags on the left-hand side that are masked off by the
right-hand side.
ok mcbride@ (long time ago) dhartmei@ henning@