Age | Commit message | Author |
|
|
|
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf
|
|
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e.g. "set state-defaults pflow, no-sync"
ok phessler deraadt
|
|
|
|
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo
|
|
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>
|
|
ok henning
|
|
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.
This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.
ok henning mpf deraadt
|
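The two options introduced by the commits above, `set state-defaults` (the pflow commit) and the `counters` table option (the commit directly above), shown together in an added pf.conf fragment. This is not from the commit log or the pf source; the interface name, table names and addresses are constructed.

```conf
# Added example, not part of the original commits. The interface name,
# table names and addresses are constructed.

# Default state options for every rule that does not say "keep state"
# itself: export each state to pflow(4) and never sync it over pfsync.
set state-defaults pflow, no-sync

# Per-address counters cost memory, so pf allocates them only for tables
# that ask for them. Only this table carries packet/byte counters.
table <monitored> counters { 10.1.0.0/16 }

# No counters here: entries use the leaner representation.
table <bogons> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

block in quick on em0 from <bogons>

# No explicit state options: inherits "pflow, no-sync" from state-defaults.
pass in on em0 proto tcp to <monitored> port 22

# Explicit keep state (...) means the defaults do not apply to this rule,
# so this state is exported via pflow but is still synced over pfsync.
pass out on em0 proto tcp from <monitored> keep state (pflow)
```

The counters for the first table can be read back with `pfctl -t monitored -T show -vv`; the second table has none to show.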
|
of the good one. ok theo ryan reyk
|
|
numbers with one, and fix a few other bugs along the way
ok mpf henning
|
|
|
|
makes transparent proxies much easier; ok beck@, feedback claudio@
|
|
requested by reyk, ok reyk mpf
|
|
blocks, as requested by reyk; ok reyk mpf henning
|
|
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf
|
|
|
|
|
|
|
|
leads to a variety of errors; ok mcbride
|
|
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.
ok henning mpf
|
|
I forgot to think about hex numbers when I removed it.
OK deraadt@
|
|
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@
|
|
Add support for probabilities of 0% and 100%.
With and OK deraadt@
|
|
ok deraadt@
|
|
|
|
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.
OK deraadt@
|
|
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr
|
|
the main configuration file; ok henning
|
|
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.
|
|
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others
|
|
Requested by deraadt@
|
|
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.
OK henning@, markus@
|
|
While there, also restrict the use of concatenated, unquoted
strings to variable assignments only.
Eyeballed by markus@, OK henning@
|
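The lexer commits above (folding a varset's words and numbers into one string that is re-lexed on use; ignoring a backslash-newline inside a quoted string; and restricting unquoted concatenation to variable assignments) combine to accept a file like the added example below. It is not from the commits; the names and addresses are constructed, and it assumes dotted addresses are lexed as plain strings so they can be folded into a variable.

```conf
# Added example, not from the commits above; names and addresses are
# constructed.

# Quoted string with backslash-newline continuation: the backslash and
# the newline are dropped, so this is one string when used.
tcp_services = "{ ssh, smtp, \
                  domain, www }"

# Unquoted concatenation: a run of words and numbers is folded into one
# string ("10.0.0.1 10.0.0.2") and re-lexed where the variable is used.
# This form is allowed only in a variable assignment.
ssh_peers = 10.0.0.1 10.0.0.2

# Rejected by the lexer: '=' may not end a number, so "4=5" is not a varset.
# 4=5

ext_if = "em0"

pass in on $ext_if proto tcp to any port $tcp_services
pass in on $ext_if proto tcp from { $ssh_peers } to any port ssh
```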
|
|
|
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei
|
|
criteria. ok mcbride@
|
|
|
|
OK henning@, ``passt scho'' (that'll do) markus@
|
|
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@
|
|
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.
ok deraadt@
|
|
"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]
You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.
cleanup and ok henning@
|
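An added pf.conf fragment, not from the commit above, choosing the optimizer level in the ruleset itself. The rules are constructed.

```conf
# Added example, not part of the original commit. Rules are constructed.

# "none" loads the rules as written, "basic" lets pfctl reorder and
# merge them, "profile" additionally uses the statistics of the
# currently loaded ruleset to order quick rules after real traffic.
set ruleset-optimization basic

block all
pass in proto tcp to port 22
pass in proto tcp to port 80
pass in proto tcp to port 443
```

As the message says, the command line wins over the file: `pfctl -o profile -f /etc/pf.conf` loads this file at the profile level regardless of the `set` line, and the older `-o`/`-oo` spellings keep working.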
|
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified
'looks sensible' deraadt@
|
|
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").
anchor on fxp0 {
pass in proto tcp port 22
}
The anchor name is optional on inline loaded anchors.
testing ckuethe@
ok henning@ dhartmei@
|
|
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...
|
|
|
|
|
|
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride
|
|
pointed out by david@
ok mpf@ dhartmei@
|
|
|
|
the anchor, terminate ruleset evaluation when stepping out of the anchor.
This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.
ok dhartmei@ henning@ deraadt@
|
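The inline anchor syntax from the earlier anchor commit and the "block all first" advice from the commit above, as one added pf.conf example. It is not from the commits or the pf source; the interface name is constructed, and the `quick` on the anchor rule is an assumption about what the cut-off part of the message refers to, since the visible text only says when evaluation terminates after leaving the anchor.

```conf
# Added example, not part of the original commits. "em0" is constructed;
# "quick" on the anchor rule is an assumption about the truncated message.

# Inline, brace-delimited anchor; the name is optional.
anchor "ssh-only" on em0 quick {
	# Without a rule that matches every packet, some packets leave the
	# anchor unmatched and evaluation continues below. "block all" first
	# guarantees a match inside the anchor, which is what makes it terminal.
	block all
	pass in proto tcp to port 22
}

# Reached only by packets the anchor did not decide.
pass out
```

`pfctl -sA` lists the loaded anchors; `pfctl -a ssh-only -sr` prints the rules inside this one.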