Age | Commit message | Author
---|---|---
2002-02-27 | Instead of printing useless @0 rule numbers from pfctl -vR, increase a counter. Helps debugging rule sets that are not loaded. Suggested by John Kerbawy. | Daniel Hartmeier
2002-01-11 | use bsearch() for keywords lookup, swap a couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok | Michael Shalayeff
2002-01-10 | Let port 0 be specified as it's not special here. Agreement with Daniel and others. | Hugh Graham
2002-01-09 | Port must be >0 and <=65535. Idea while having fun with ssh. dhartmei@ ok | Mike Pechkin
2002-01-09 | free() 'interface' in {nat,binat,rdr}rule. dhartmei@ ok | Mike Pechkin
2002-01-09 | Add labels to rules. These are arbitrary names (not to be confused with tags that will be used to tag packets later on). Add pfctl -z to clear per-rule counters. Add pfctl -s labels to output per-rule counters in terse format and only for rules that have labels. Suggested by Henning Brauer. | Daniel Hartmeier
2002-01-08 | Add "no nat/rdr/binat" to nat.conf. The first matching rule applies. If it is a "no" rule, no translation occurs. Useful to exclude certain packets from translation. Suggested by Henning Brauer. | Daniel Hartmeier
2002-01-07 | remove 3rd argument from ipmask(), not used. dhartmei@ ok | Mike Pechkin
2001-12-23 | find correct line number in lval, instead of val | Theo de Raadt
2001-12-10 | Add stateful filtering for other (non-TCP/UDP/ICMP) protocols, based on source/destination addresses/ports only. Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols. Destination and redirection port(s) are now optional for RDR rules. Not specifying destination port(s) means 'redirect all ports', not specifying redirection port(s) means 'redirect to the original port'. | Daniel Hartmeier
2001-12-05 | Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234. | Daniel Hartmeier
2001-12-03 | For nat, binat and rdr rules, don't allow different address families in one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work, even if they were falsely accepted before. | Daniel Hartmeier
2001-11-26 | add fastroute options similar to what is found in ipf. ok dhartmei@, frantzen@ | jasoni
2001-11-05 | no one responds. this diff makes } and { not be part of symbols | Theo de Raadt
2001-10-24 | Check interface names using ifa0_lookup() and print error message for non-existent interfaces (instead of the generic ioctl error returned by the kernel in this case). | Daniel Hartmeier
2001-10-15 | Add 'allow-opts' to rules. Packets with IP options will be blocked by default now, and can be allowed per rule. ok deraadt@ | Daniel Hartmeier
2001-10-11 | Don't htonl() past buffer bounds if ipmask == 128 | Mike Frantzen
2001-10-07 | Add interface name to address translation to pfctl, document it and add a regress test. Translation is done on rule set load-time only, so the rule sets must be reloaded when an interface address changes. parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher. Thanks to both. | Daniel Hartmeier
2001-10-01 | print variable assignments only if -v is given. ok dhartmei/deraadt | Markus Friedl
2001-09-28 | Support underscores in macro names and document it in the man page. | Daniel Hartmeier
2001-09-20 | Fix uninitialized structure fields. Problem reported by Cedric Berger. | Daniel Hartmeier
2001-09-15 | Implement return-icmp(number), return-icmp6(number). Differentiate between return-icmp and return-icmp6, icmp-type and ipv6-icmp-type. ok dhartmei@ | Peter Stromberg
2001-09-15 | Fix 'binat ... to any ...' (binat.af wasn't set). | Daniel Hartmeier
2001-09-15 | Parse bug, found by wilfried@ | Daniel Hartmeier
2001-09-15 | IPv6 support from Ryan McBride (mcbride@countersiege.com) | Mike Frantzen
2001-09-12 | check calloc() return value | Markus Friedl
2001-09-06 | you can only binat between hosts; add binat example and description | jasoni
2001-09-06 | 1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@ | jasoni
2001-09-04 | Support parameter lists {} for interfaces in filter rules, like `pass in on { gm0, kue0 } from any to any` | Daniel Hartmeier
2001-08-28 | move '!' from host_list to host: `xhost : '!' host \| host;`; ok dhartmei@ | Markus Friedl
2001-08-28 | check for malloc/strdup == NULL | Markus Friedl
2001-08-28 | Support ! operator in host parameter lists. Fixes PR system/2030. Reported by Kamil Andrusz <wizz@mniam.net>. | Daniel Hartmeier
2001-08-26 | sort keywords | Theo de Raadt
2001-08-25 | PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation. | Mike Frantzen
2001-08-23 | (1) for a port_item, initialize the "next" pointer to NULL; (2) for an address, use calloc() instead of malloc() so the struct is zeroed. Fixes a SEGV in pfctl due to uninitialized "next" pointers. | Todd C. Miller
2001-08-23 | Support var="string". Expansion (at lex time) done using $var, for instance: `okproto="{ssh, smtp, domain, auth}"` and `pass in on key0 proto tcp from any to any port $okproto keep state`. Can I ask someone else to document this in pf.conf(5)? | Theo de Raadt
2001-08-19 | Add parameter list support to parser. Handles lists for protocol, hosts and ports in filter rules, like `block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any`, `pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }`, `block in proto { udp, igmp }`, and does rule expansion (generate all needed rule combinations). | Daniel Hartmeier
2001-08-16 | track the line number per-token, so that we can report errors correctly | Theo de Raadt
2001-08-14 | optimize the flags parsing; markus@ ok | Michael Shalayeff
2001-08-11 | `\+\n` support, and spit out cc-style error messages. the parser's line counting is lex dependent, and will need to be tweaked | Theo de Raadt
2001-07-31 | allow to test that flags are unset, ok dhartmei@, mickey@ | Peter Stromberg
2001-07-19 | Fix/complete the handling of the binary ops >< and <> to behave like the ipf operators. The 'n >< m' construct (Include Range = PF_OP_IRG) should match ports greater than n and less than m, not greater than or equal to n and less than or equal to m. The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match all ports less than n OR greater than m, not be treated as an alias for ><. Thus PF_OP_GL, which was used for both <> and >< is replaced with PF_OP_IRG and PF_OP_XRG with the 'correct' semantics. OK dhartmei@ | Kenneth R Westerback
2001-07-18 | new ERROR token, errx() -> warnx() + ERROR; ok deraadt@ | Markus Friedl
2001-07-18 | KNF for return | Markus Friedl
2001-07-18 | check number range to fit in 32 bits | Michael Shalayeff
2001-07-18 | put range checks on NUMBER, pointed out by deraadt | Michael Shalayeff
2001-07-17 | spaces, parens, err instead of errx+strerror | Michael Shalayeff
2001-07-17 | warnx()/YYERROR instead of errx(); suggested by mickey@ | Markus Friedl
2001-07-17 | markus doesn't like min-ttl =, begone | Niels Provos
2001-07-17 | support min-ttl, okay dhartmei@ | Niels Provos
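
Several of the messages above describe parser semantics rather than just code churn: the 2001-07-19 entry fixes the port operators so that `n >< m` (PF_OP_IRG) matches strictly between n and m and `n <> m` (PF_OP_XRG) matches strictly outside, the 2002-01-09/2002-01-10 entries settle the accepted port range at 0 through 65535, the 2001-08-23 entry adds lex-time `$var` macro expansion, and the 2001-08-19 entry adds `{ ... }` parameter lists with rule expansion into every combination. The following Python is an added example written for this page, not pfctl's parse.y or any committer's code; it reimplements those four behaviours in isolation so the semantics can be checked against real inputs. The `SERVICES` table is a constructed subset of /etc/services (so the example runs offline), and every rule string used is constructed for the example.

```python
"""Added example (not pfctl's own code): pf.conf-style port operators with the
PF_OP_IRG ('><') / PF_OP_XRG ('<>') semantics, port range validation, $macro
expansion, and brace-list rule expansion."""
import re
from itertools import product

PORT_MIN, PORT_MAX = 0, 65535          # port 0 is accepted, as of the 2002-01-10 change

# Constructed subset of /etc/services so the example runs offline.
SERVICES = {"ssh": 22, "smtp": 25, "domain": 53, "auth": 113}

UNARY_OPS = ("=", "!=", "<", ">", "<=", ">=")
RANGE_OPS = ("><", "<>")


def to_port(tok):
    """Resolve a service name or a decimal/hex number to a range-checked port."""
    if tok in SERVICES:
        n = SERVICES[tok]
    else:
        try:
            n = int(tok, 16) if tok.lower().startswith("0x") else int(tok)
        except ValueError:
            raise ValueError(f"unknown port or service {tok!r}") from None
    if not PORT_MIN <= n <= PORT_MAX:
        raise ValueError(f"port {n} must be within {PORT_MIN}-{PORT_MAX}")
    return n


def parse_port_spec(text):
    """'22' -> ('=', 22); '> 65000' -> ('>', 65000); '1024 >< 2000' -> ('><', 1024, 2000)."""
    toks = text.split()
    if len(toks) == 1:
        return ("=", to_port(toks[0]))
    if len(toks) == 2 and toks[0] in UNARY_OPS:
        return (toks[0], to_port(toks[1]))
    if len(toks) == 3 and toks[1] in RANGE_OPS:
        return (toks[1], to_port(toks[0]), to_port(toks[2]))
    raise ValueError(f"bad port spec {text!r}")


def port_matches(spec, port):
    """Evaluate a parsed spec against a packet's port with the ipf-compatible semantics."""
    op = spec[0]
    if op == "><":                      # include range: strictly between the bounds
        return spec[1] < port < spec[2]
    if op == "<>":                      # exclude range: strictly outside the bounds
        return port < spec[1] or port > spec[2]
    n = spec[1]
    return {
        "=": port == n, "!=": port != n,
        "<": port < n, ">": port > n,
        "<=": port <= n, ">=": port >= n,
    }[op]


def expand_macros(text, macros):
    """Replace each $name with its definition before any list parsing (lex-time expansion)."""
    def repl(m):
        name = m.group(1)
        if name not in macros:
            raise ValueError(f"macro '{name}' not defined")
        return macros[name]
    return re.sub(r"\$(\w+)", repl, text)


def expand_list(field):
    """'{ a, b }' -> ['a', 'b']; a bare value -> [value]."""
    field = field.strip()
    if field.startswith("{") and field.endswith("}"):
        return [x.strip() for x in field[1:-1].split(",") if x.strip()]
    return [field]


def expand_rule(proto, src, dst, ports, macros=None):
    """Generate one rule per (proto, src, dst, port-spec) combination, i.e. rule expansion."""
    macros = macros or {}
    fields = [expand_list(expand_macros(f, macros)) for f in (proto, src, dst, ports)]
    return [{"proto": p, "src": s, "dst": d, "port": parse_port_spec(q)}
            for p, s, d, q in product(*fields)]


if __name__ == "__main__":
    # Constructed inputs mirroring the examples quoted in the 2001-08-19 and 2001-08-23 messages.
    macros = {"okproto": "{ssh, smtp, domain, auth}"}
    print(len(expand_rule("tcp", "any", "any", "$okproto", macros)), "rules from 'port $okproto'")
    spec = parse_port_spec("1024 >< 2000")
    print("1024 >< 2000 on", (1024, 1025, 1999, 2000), "->",
          [port_matches(spec, p) for p in (1024, 1025, 1999, 2000)])
```

The strictness of the bounds is the security-relevant detail: a rule written as `port 1024 >< 2000` that is evaluated with inclusive bounds silently passes two extra ports, and `<>` treated as an alias of `><` inverts the intent of an exclude rule. Expanding lists before parsing the individual port specs also keeps the range check on every generated rule, so an out-of-range member anywhere inside a brace list is rejected at load time rather than producing a rule that can never match.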