Age | Commit message | Author

yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.

since only the first letter matters in the end and state still matches
states since we do strncmp this does not change existing behaviour and
just allows plural states to be used as well.
pt out by Tom Van Looy <tom@ctors.net>

ok henning@ toby@ pyr@

is invalid now, it doesn't serve any purpose any more anyway since that is
the default. ok mcbride

to reflect this;
whilst there i had to wrap -t in Xo/Xc to stop line split,
and i zapped some extra whitespace in usage();
fixes user/5441 from sthen

ok deraadt henning

to 200,000 instead of the conservative 100,000; ok dhartmei beck
tested by ckuethe

with -z instead of DIOCCLRRULECTRS. Unbreaks -z with anchors and makes the
read & reset operation atomic.
instrument pfctl_show_rules() to clear counters while reading rules and
add a new output format for it, showing nothing, if only resetting counters
without actually displaying them is requested. minor cleanups on the way.
ok dhartmei & agreement from theo and ryan

"pfctl -t tablename -T expire 3600" would expire all entries in the given
table that are older than 3600 seconds. ok dhartmei, manpage help & ok jmc

-k argument for killing states; From Berk D. Demir <bdd@mindcast.org>
ok dhartmei henning

as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.
ok deraadt@

contains rules. Fixes DIOCXCOMMIT: Device busy when multiple anchors with
the same name are specified.
reported by ckuethe@ and mkb@crypt.org.ru

reserved names, if a trailing * is specified in the anchor name.
e.g. recursively print the main ruleset:
pfctl -a '*' -sr
Recursively print the spam anchor:
pfctl -a 'spam*'
pfctl -a 'spam/*'
Also fix a bug which prevented the contents of inline anchors with
explicit names from being loaded into the kernel.
ok henning@

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]
You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.
cleanup and ok henning@

command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified
'looks sensible' deraadt@

for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").
anchor on fxp0 {
    pass in proto tcp port 22
}
The anchor name is optional on inline loaded anchors.
testing ckuethe@
ok henning@ dhartmei@

state limit and adaptive.end of 120% of the state limit.
Explicitly setting the adaptive timeouts will override the default,
and it can be disabled by setting both adaptive.start and adaptive.end to 0.
ok henning@

from Jon Simola, ok henning@

the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@

ok henning@

matches the counters on states now. also fix the counting on scrub rules
where we previously did not handle the byte counters at all.
extend pfctl -sl output to include the new separate in/out counters
hacked on the ferry from Earls Cove to Saltery Bay
ok ryan

Henrik Gustafsson <openbsd@fnord.se> via tech@.
ok henning

regress tests don't have to deal with it (and it's a useless thing to
check from there).

inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v are used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.

allocator and two pools, but PR_WAITOK when called from non-interrupt
context (ioctl). add configurable hard limits for tables and table
entries (set limit tables/table-entries), defaulting to 1000/100000.
ok aaron@, henning@, mcbride@, art@

man page from jmc@
OK dhartmei@

useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo

syntax, instead of the cryptic hex flags output.

they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -
ok henning@ dhartmei@

pfctl_clear_interface_flags().
suggested by and ok henning@

ok henning@

print that info on manual flushes. noticed by marc@

from max, this time working :)

from max

packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@

First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok

reminded by jmc, ok deraadt