Age | Commit message | Author

2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. as opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>
ok henning
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.
This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.
ok henning mpf deraadt
of the good one. ok theo ryan reyk
numbers with one, and fix a few other bugs along the way
ok mpf henning
makes transparent proxies much easier; ok beck@, feedback claudio@
requested by reyk, ok reyk mpf
blocks, as requested by reyk; ok reyk mpf henning
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf
leads to a variety of errors; ok mcbride
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability.
It also allows the label to be set. State options and tagging are not
permitted.
ok henning mpf
I forgot to think about hex numbers when I removed it.
OK deraadt@
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@
Add support for probabilities of 0% and 100%.
With and OK deraadt@
ok deraadt@
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.
OK deraadt@
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr
the main configuration file; ok henning
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others
Requested by deraadt@
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.
OK henning@, markus@
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.
Eyeballed by markus@, OK henning@
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei
criteria. ok mcbride@
OK henning@, ``passt scho'' markus@
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.
ok deraadt@
"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]
You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.
cleanup and ok henning@
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified
'looks sensible' deraadt@
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").
anchor on fxp0 {
pass in proto tcp port 22
}
The anchor name is optional on inline loaded anchors.
testing ckuethe@
ok henning@ dhartmei@
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride
pointed out by david@
ok mpf@ dhartmei@