Commit message

ok cedric@

ok deraadt@ henning@

This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):
- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:
- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK
Ok dhartmei@ mcbride@

Add a warning on global/anchor name clashes to help prevent mistakes from our
users during the 3.3 -> 3.4 switch.
ok henning@

(like pfctl -t spammers -vvTt -f file, causing EPERM on DIOCOSFPFLUSH).

Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001

ERRX() has two effects: the message printing and goto _error; which causes
exit(1). While we don't want the message if pfctl was invoked with -n, we
DO want to abort. Otherwise subsequent 'load anchor' statements will get
executed, for instance, and the return value is handy for scripts.

(with pfctl -n)
Jared Yanovich <phirerunner@comcast.net>

Make table tickets u_int32_t for consistency with other parts of PF.
Ok dhartmei@ henning@

ok dhartmei@

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.
ok dhartmei@

The pfctl.c part will probably need some further improvements.
ok henning@

and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.
I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)
ok dhartmei@ henning@

ok henning@

and off independently. so only complain if there's a real error.
ok dhartmei@ pb@ camield@

newline. requested by markus@, dhartmei and myself agree

ok henning@

number of state table entries grows, so entries time out faster before
the table fills up. Works both globally and per-rule. ok frantzen@

load anchor anchorname:rulesetname file /path/to/file
ok pb@ dhartmei@ cedric@

to the functions that need them. makes the code easier and cleaner in some
places and will be needed for other things to come soon
ok cedric@

Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@

ok dhartmei@ henning@

from David Hill <david at phobia.ms> a while ago

clear nat/rules, like -sn/-sr already does.
Reported by Julien Bordet. ok henning@, cedric@

ok cedric@ mcbride@

-vvsr ./. -vvsl). this resulted in more or less garbage in pfctl -vsl and
-vvsl output.
so ignore the extra verbosity flags for -sl.
found by pb@
ok pb@ dhartmei@

ok cedric@ pb@

calculation, in verbose output (pfctl -vvsr). Instead, use a new flag -g for
that.
result of a longer discussion with dhartmei@ and jakob@
ok cedric@ pb@

from krause

due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.
ok dhartmei@

mcbride@, dhartmei@ ok

ok pb@ mcbride@ deraadt@

pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM
ok pb@ dhartmei@ cedric@

ok henning@

given; they used to check for their parent interface/queue even in this
case.
ok dhartmei@ cedric@