Commit message

reserved names, if a trailing * is specified in the anchor name.
e.g. recursively print the main ruleset:
pfctl -a '*' -sr
Recursively print the spam anchor:
pfctl -a 'spam*'
pfctl -a 'spam/*'
Also fix a bug which prevented the contents of inline anchors with
explicit names from being loaded into the kernel.
ok henning@
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").
anchor on fxp0 {
pass in proto tcp port 22
}
The anchor name is optional on inline loaded anchors.
testing ckuethe@
ok henning@ dhartmei@
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride
pointed out by david@
ok mpf@ dhartmei@
reported by andrew fresh
with & ok claudio hshoexer
account for that. fixes PR5130, ok dhartmei
end-of-array NULL marker, shuts up source analysis tool, from deraadt@
we're breaking pfsync compatibility this cycle anyways.
Requested by djm@, ok henning@, 'wheee!' deraadt@
pass to group
ok hshoexer, hacked at linux-kongress last week
PF_MD5_DIGEST_LENGTH instead of including crypto/md5.h
ok markus@, henning@, mpf@
matches the counters on states now. also fix the counting on scrub rules
where we previously did not handle the byte counters at all.
extend pfctl -sl output to include the new separate in/out counters
hacked on the ferry from Earls Cove to Saltery Bay
ok ryan
Prodded by henning@
This is the basis for further pfsync improvements,
to ensure that pf rules are in sync with the master.
"get it in" mcbride@
option to log. so, 'log-all' becomes 'log (all)'.
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo
pfvar.h. builds kernel and userland.
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.
ok deraadt@ henning@ dhartmei@
keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)
allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.
ok deraadt@ dhartmei@
reported by Alexey E. Suslikov, ok henning@
ok mcbride henning
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok
- remove identical and subsetted rules
- when advantageous merge rules w/ similar addresses into a table and one rule
- re-order rules to improve skip step performance (can do better w/ kernel mods)
- 'pfctl -oo' will load the currently running ruleset and use it as a profile
to direct the optimization of quicked rules
ok henning@ mcbride@. man page help from jmc@
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@
keyword in C++. ok henning@, cedric@
From: Andrey Matveev <andrushock@korovino.net>
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@
From: Jared Yanovich <phirerunner@comcast.net>
sequence numbers by taking advantage of the maximum 1KHz clock as an upper bound
on the timestamp. Typically gains 10 to 18 bits of additional security against
blind data insertion attacks. More if the TS Echo wasn't optional :-(
Enabled with: scrub on !lo0 all reassemble tcp
ok dhartmei@. documentation help from jmc@
Found by Mike Wolman, ok dhartmei@ mcbride@
ok henning@ cedric@
ok pb deraadt
ok henning@ mcbride@
==
to parse v4 addresses, only use inet_net_pton when we find a /, otherwise
use inet_pton.
helps bob who likes to type 1.2 3.4 instead of 1.2.3.4 and wonders why this
results in two addresses.
PR3638, bob ok
==
make sure bits is either 32 or what inet_net_pton tells us, and always call
set_ipmask to mask the boring bits away
ok dhartmei@ mcbride@ david@
extremely unfluffy, King Bula is coming for your head.
use inet_pton.
helps bob who likes to type 1.2 3.4 instead of 1.2.3.4 and wonders why this
results in two addresses.
PR3638, bob ok
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to a group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@