Age | Commit message | Author |
|
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@
|
|
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.
ok deraadt@
|
|
"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]
You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.
cleanup and ok henning@
|
|
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified
'looks sensible' deraadt@
|
|
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").
anchor on fxp0 {
    pass in proto tcp port 22
}
The anchor name is optional on inline loaded anchors.
testing ckuethe@
ok henning@ dhartmei@
|
|
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...
|
|
|
|
|
|
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride
|
|
pointed out by david@
ok mpf@ dhartmei@
|
|
|
|
the anchor, terminate ruleset evaluation when stepping out of the anchor.
This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.
ok dhartmei@ henning@ deraadt@
|
|
|
|
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.
IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.
Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.
ok dhartmei@ deraadt@ henning@
|
|
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.
|
|
with & ok claudio hshoexer
|
|
|
|
timeouts.
|
|
other things work. ok henning
|
|
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.
|
|
|
|
quite some time... theo likes
|
|
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.
bugfix feedback claudio@; ok claudio@ and dhartmei@
|
|
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@
|
|
|
|
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>
|
|
option to log. so, 'log-all' becomes 'log (all)'.
|
|
|
|
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v are used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.
|
|
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.
|
|
ok dhartmei
|
|
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@
|
|
ok dhartmei mcbride
|
|
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo
|
|
if there are flags on the left-hand side that are masked off by the
right-hand side.
ok mcbride@ (long time ago) dhartmei@ henning@
|
|
From: Andrey Matveev <andrushock@korovino.net>
|
|
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes
|
|
syntax, instead of the cryptic hex flags output.
|
|
ok henning@, deraadt@
|
|
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!
|
|
|
|
found by Peter Fraser, ok henning@
|
|
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".
|
|
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -
ok henning@ dhartmei@
|
|
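Three of the pfctl checks described in the log above (rejecting "_"-prefixed anchor names in a ruleset, refusing "set ..." options inside an anchor, and catching a "(10.1.2.3)" that a macro typo turns into a bogus interface name) can also be caught before a ruleset ever reaches pfctl, for instance in a CI job on a host without pf. The following is an added example written for this page, not pfctl's own code: a line-oriented Python lint run over a constructed sample ruleset. Its macro expansion and anchor tokenising are a deliberate simplification of the pf.conf grammar (assumed: one rule per line, $name macros, brace-delimited inline anchors), so a clean result is a hint, not a replacement for pfctl -nf.

```python
"""Pre-load lint for a pf.conf ruleset (added example, not pfctl's code)."""
import re

# Tokens that may follow 'anchor' when the anchor name is omitted.
NO_NAME_KEYWORDS = {
    "{", "on", "in", "out", "quick", "proto", "from", "to", "all",
    "inet", "inet6", "log", "tag", "tagged", "flags", "user", "group",
}
MACRO_DEF_RE = re.compile(r'^(\w+)\s*=\s*"?(.*?)"?\s*$')
MACRO_USE_RE = re.compile(r"\$\{?(\w+)\}?")
# An IPv4 literal in parentheses: only interface names belong there.
PAREN_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def _anchor_name(tokens):
    """Return the name on an 'anchor ...' line, or None if it was omitted."""
    if len(tokens) < 2:
        return None
    tok = tokens[1]
    if tok.startswith('"'):
        return tok.strip('"')
    return None if tok in NO_NAME_KEYWORDS else tok


def lint_pfconf(text):
    """Return a list of (line number, message) for the mistakes above."""
    macros = {}
    errors = []
    depth = 0  # current inline-anchor nesting depth
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_DEF_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        # Expand macros first: the typo only becomes visible afterwards.
        line = MACRO_USE_RE.sub(
            lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        tokens = line.split()
        if tokens[0] == "anchor":
            name = _anchor_name(tokens)
            if name and name.startswith("_"):
                errors.append((lineno, "anchor name '%s' is reserved" % name))
        depth += line.count("{")
        if tokens[0] == "set" and depth > 0:
            errors.append((lineno, "'set' option inside an anchor block"))
        depth -= line.count("}")
        ip = PAREN_IP_RE.search(line)
        if ip:
            errors.append((lineno, "'(%s)' is an address, not an interface;"
                                   " check the macro" % ip.group(1)))
    return errors


# Constructed sample ruleset for the lint, not a production configuration.
SAMPLE_PFCONF = """\
# constructed sample ruleset for the lint, not a production config
ext_if = "fxp0"
ext_ip = "10.1.2.3"
set skip on lo0
set loginterface $ext_if
block all
pass out on $ext_if proto tcp from ($ext_if) keep state
pass in on ($ext_ip) proto tcp to port 22       # typo: ext_ip for ext_if
anchor "_ftp" on $ext_if                         # reserved name
anchor "ssh-inbound" on $ext_if {
    set loginterface $ext_if                     # options cannot live here
    pass in proto tcp to port 22 flags S/SA keep state
}
anchor on $ext_if {
    pass in proto tcp port 22
}
"""

if __name__ == "__main__":
    for ln, msg in lint_pfconf(SAMPLE_PFCONF):
        print("line %d: %s" % (ln, msg))
```

On the sample the lint reports lines 8, 9 and 11; the unnamed inline anchor and the dynamic interface "(fxp0)" are accepted, as they are by pfctl.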
|
|
using regress test pf84
|
|
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@
|
|
|
|
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan
|
|
fix some cut-n-paste mayhem in other related checks.
|