summaryrefslogtreecommitdiff
path: root/sbin/pfctl/pfctl_parser.c
AgeCommit message (Collapse)Author
2005-06-13make the packet and byte counters on rules and src nodes per direction,Henning Brauer
matches the counters on states now. also fix the counting on scrub rules where we previously did not handle the byte counters at all. extend pfctl -sl output to include the new seperate in/out counters hacked on the ferry from Earls Cove to Saltery Bay ok ryan
2005-05-27Hide Hostid and Checksum in pfctl -si output unless the -v flag is used.Ryan Thomas McBride
Prodded by henning@
2005-05-27Calculate an MD5 checksum over the main pf ruleset.Marco Pfatschbacher
This is the basis for further pfsync improvements, to ensure that pf rules are in sync with the master. "get it in" mcbride@
2005-05-27get rid of 'log-all'. now that we have 'log (options)', make 'all' anDaniel Hartmeier
option to log. so, 'log-all' becomes 'log (all)'.
2005-05-27log two pairs of uid/pid through pflog: the uid/pid of the process thatDaniel Hartmeier
inserted the rule which causes the logging. secondly, the uid/pid of the process in case the logged packet is delivered to/from a local socket. a lookup of the local socket can be forced for logged packets with a new option, 'log (user)'. make tcpdump print the additional information when -e and -v is used. note: this changes the pflog header struct, rebuild all dependancies. ok bob@, henning@.
2005-05-26use PF_LOG, PF_LOGALL instead of numeric constantsDaniel Hartmeier
2005-05-21clean up and rework the interface absraction code big time, rip out multipleHenning Brauer
useless layers of indirection and make the code way cleaner overall. this is just the start, more to come... worked very hard on by Ryan and me in Montreal last week, on the airplane to vancouver and yesterday here in calgary. it hurt. ok ryan theo
2004-12-07re-commit mcbride@'s 'flush global', this time without the breakage inDaniel Hartmeier
pfvar.h. builds kernel and userland.
2004-12-07oops, incomplete backoutTheo de Raadt
2004-12-07Change the default for 'overload <table> flush' to flush only states from theRyan Thomas McBride
offending source created by the rule. 'flush global' flushes all states originating from the offending source. ABI change, requires kernel and pfctl to be in sync. ok deraadt@ henning@ dhartmei@
2004-12-04Userland support for limiting open tcp connections per source. eg:Ryan Thomas McBride
keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush) allow a maximum of 1000 open connections or 100 new connections in 10 seconds. The addresses of offenders are added to the <bad> table which can be used in the ruleset, and existing states from that host are flushed. ok deraadt@ dhartmei@
2004-11-09do not assume entries in pf_timeouts[] are ordererd like PFTM_* in pfvar.hDaniel Hartmeier
reported by Alexey E. Suslikov, ok henning@
2004-09-30print invalid hostmask when refusing it, ok deraadt@Daniel Hartmeier
2004-09-27anchor rules referencing anchors using slashes may need quotes.Jared Yanovich
ok mcbride henning
2004-09-21Implement "no scrub" to allow exclusion of specific traffic from scrub rules.Aaron Campbell
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok
2004-07-16'pfctl -o' ruleset optimizer that doesnt change the meaning of the final rulesetMike Frantzen
- remove identical and subsetted rules - when advantageous merge rules w/ similar addresses into a table and one rule - re-order rules to improve skip step performance (can do better w/ kernel mods) - 'pfctl -oo' will load the currently running ruleset and use it as a profile to direct the optimization of quicked rules ok henning@ mcbride@. man page help from jmc@
2004-06-29remove cedric's bogus interface name verification code.Henning Brauer
this was meant to verify that ne3 is a valid interface that could show up, but bogus0 is not. while this might sound like a good idea it is completely broken and causes a shitload of problems. just allow for anything as interface name, the kernel abstracts that nice enough. if no interface by that name exists (or shows up) the rule never matches; that matches pf semantics used everywhere else. this also fixes the "pfctl always has to run as root" issue that cedric did not fix over the last 6 months despite being bugged to regularily. help & ok mcbride@
2004-06-10rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reservedDaniel Hartmeier
keyword in C++. ok henning@, cedric@
2004-05-27plug memleak in error pathHenning Brauer
From: Andrey Matveev <andrushock@korovino.net>
2004-05-19Allow recursive anchors (anchors within anchors, up to 64Daniel Hartmeier
levels deep). More work required, but this is already functional. authpf users will need to adjust their anchor calls, but this will change again soon. ok beck@, cedric@, henning@, mcbride@
2004-05-07typosHenning Brauer
From: Jared Yanovich <phirerunner@comcast.net>
2004-05-05Use RFC1323 PAWS timestamps as a logical extension to the conventional TCPMike Frantzen
sequence numbers by taking advantage of the maximum 1KHz clock as an upperbound on the timestamp. Typically gains 10 to 18 bits of additional security against blind data insertion attacks. More if the TS Echo wasn't optional :-( Enabled with: scrub on !lo0 all reassemble tcp ok dhartmei@. documentation help from jmc@
2004-04-24Add "probability xxx" rule modifier. ok deraadt@Cedric Berger
2004-04-14Better interface filtering. vlan1 should not match vlan19.Cedric Berger
Found by Mike Wolman, ok dhartmei@ mcbride@
2004-03-15cast %llu arguments to unsigned long long, from Max Laier,Daniel Hartmeier
ok henning@ cedric@
2004-03-10plug 3 memory leaks; 2 from andrushock, 1 by meHenning Brauer
ok pb deraadt
2004-02-10KNFHenning Brauer
2004-02-10new kernel reports enabled & disabled time - use that info.Cedric Berger
ok henning@ mcbride@
2004-02-03bring back this fluffy change, of course without the bug:Henning Brauer
== to parse v4 adresses, only use inet_net_pton when we find a /, otherwise use inet_pton. helps bob who likes to type 1.2 3.4 instead of 1.2.3.4 and wonders why this results in two addresses. PR3638, bob ok == make sure bits is either 32 or what inet_net_pton tells us, and always call set_ipmask to mask the boring bits away ok dhartmei@ mcbride@ david@
2004-01-25This fix was made WITHOUT RUNNING REGRESS. Henning, you are beingTheo de Raadt
extremely unfluffy, King Bula is coming for your head.
2004-01-22to parse v4 adresses, only use inet_net_pton when we find a /, otherwiseHenning Brauer
use inet_pton. helps bob who likes to type 1.2 3.4 instead of 1.2.3.4 and wonders why this results in two addresses. PR3638, bob ok
2003-12-31spacing. note this, cedricTheo de Raadt
2003-12-31Many improvements to the handling of interfaces in PF.Cedric Berger
1) PF should do the right thing when unplugging/replugging or cloning/ destroying NICs. 2) Rules can be loaded in the kernel for not-yet-existing devices (USB, PCMCIA, Cardbus). For example, it is valid to write: "pass in on kue0" before kue USB is plugged in. 3) It is possible to write rules that apply to group of interfaces (drivers), like "pass in on ppp all" 4) There is a new ":peer" modifier that completes the ":broadcast" and ":network" modifiers. 5) There is a new ":0" modifier that will filter out interface aliases. Can also be applied to DNS names to restore original PF behaviour. 6) The dynamic interface syntax (foo) has been vastly improved, and now support multiple addresses, v4 and v6 addresses, and all userland modifiers, like "pass in from (fxp0:network)" 7) Scrub rules now support the !if syntax. 8) States can be bound to the specific interface that created them or to a group of interfaces for example: - pass all keep state (if-bound) - pass all keep state (group-bound) - pass all keep state (floating) 9) The default value when only keep state is given can be selected by using the "set state-policy" statement. 10) "pfctl -ss" will now print the interface scope of the state. This diff change the pf_state structure slighltly, so you should recompile your userland tools (pfctl, authpf, pflogd, tcpdump...) Tested on i386, sparc, sparc64 by Ryan Tested on macppc, sparc64 by Daniel ok deraadt@ mcbride@
2003-12-19i wrote much of these, assert my copyrightHenning Brauer
2003-12-17cosmetics, ok mcbride@Daniel Hartmeier
2003-12-15Add initial support for pf state synchronization over the network.Ryan Thomas McBride
Implemented as an in-kernel multicast IP protocol. Turn it on like this: # ifconfig pfsync0 up syncif fxp0 There is not yet any authentication on this protocol, so the syncif must be on a trusted network. ie, a crossover cable between the two firewalls. NOTABLE CHANGES: - A new index based on a unique (creatorid, stateid) tuple has been added to the state tree. - Updates now appear on the pfsync(4) interface; multiple updates may be compressed into a single update. - Applications which use bpf on pfsync(4) will need modification; packets on pfsync no longer contains regular pf_state structs, but pfsync_state structs which contain no pointers. Much more to come. ok deraadt@
2003-12-15Add support to track stateful connections by source ip. This allows usRyan Thomas McBride
to: - Ensure that clients get a consistent IP mapping with load-balanced translation/routing rules - Limit the number of simultaneous connections a client can make - Limit the number of clients which can connect through a rule ok dhartmei@ deraadt@
2003-11-14in print_status:Henning Brauer
-print debuglevel "Loud", this was omitted before (catched by mpech@) -use the fine PF_DEBUG_* defines instead of magic numbers ok markus
2003-11-08Add 'no-sync' state option to prevent state transition messages for statesRyan Thomas McBride
created by this rule from appearing on the pfsync(4) interface. e.g. pass in proto tcp to self flags S/SA keep state (no-sync) ok cedric@ henning@ dhartmei@
2003-11-06two more KNF violations I missed earlier. who introduces those all the time?Henning Brauer
2003-11-06KNFHenning Brauer
2003-10-08fix cedric's breakage:Henning Brauer
int is not the same as u_long caused an integer overflow on our 64 bit archs and thus made pf not working there ok mcbride@ marc@ millert@ cedric@
2003-09-26Rearchitecture of the userland/kernel IOCTL interface for transactions.Cedric Berger
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command. (some splxxx work remain in the kernel). Basically, improvements are: - Anchors/Rulesets cannot disappear unexpectedly anymore. - No more leftover in the kernel if "pfctl -f" fail. - Commit is now done in a single atomic IOCTL. WARNING: The kernel code is fully backward compatible, but the new pfctl/authpf userland utilities will only run on a new kernel. The following ioctls are deprecated (i.e. will be deleted sooner or later, depending on how many 3rd party utilities use them and how soon they can be upgraded): - DIOCBEGINRULES - DIOCCOMMITRULES - DIOCBEGINALTQS - DIOCCOMMITALTQS - DIOCRINABEGIN - DIOCRINADEFINE They are replaced by the following ioctls (yes, PF(4) will follow) which operate on a vector of rulesets: - DIOCXBEGIN - DIOCXCOMMIT - DIOCXROLLBACK Ok dhartmei@ mcbride@
2003-09-18Not all address types have a mask.Cedric Berger
ok henning@
2003-08-22correct printf arg mismatch (in 64bit arch). dhartmei okJun-ichiro itojun Hagino
2003-08-21Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.Mike Frantzen
Exposes the source IP's operating system to the filter language. Interesting policy decisions are now enforceable: . block proto tcp from any os SCO . block proto tcp from any os Windows to any port smtp . rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
2003-07-29Remove space at end of line.Cedric Berger
Ok dhartmei@ henning@
2003-07-21KNFHenning Brauer
2003-07-19Simplify struct pf_pooladdr to include struct pf_addr_wrap directlyCedric Berger
instead of indirectly trough struct pf_rule_addr. Ryan McBride says: If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as well. The code was changed to fix some of the bugs with port ranges, but it was too late in the release cycle to make kernel API changes, so the structure was left as is. Needless to say: KERNEL/USERLAND SYNC REQUIRED. ok henning@ mcbride@
2003-07-15Repair memory managment in table parsing code.Cedric Berger
I need vacations. Found and verified by Pyun YongHyeon. ok dhartmei@