src - OpenBSD base system

Age	Commit message (Collapse)	Author
2003-01-05	Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table	Daniel Hartmeier
	name. ok henning@, mcbride@, cedric@
2003-01-04	move noroute from flag in pf_rule_addr into type in pf_addr_wrap.	Daniel Hartmeier
	ok henning@, mcbride@
2003-01-04	I do not know where this policy of "one .h file for every .c file" comes	Theo de Raadt
	from, but whoever thought of it is stupid.
2002-12-30	Change ipv6-icmp-type to icpm6-type. pf.conf files will need to be adjusted	Ryan Thomas McBride
	to reflect this. ok dhartmei@ henning@
2002-12-18	Store translation rule pointer in state entries, so pfctl -vsn can print	Daniel Hartmeier
	evaluation, packet, byte and state entry counters similar to -vsr. Helps verify whether/how often translation rules are evaluated/matched. ok frantzen@, henning@
2002-12-17	Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule	Ryan Thomas McBride
	ok dhartmei@ henning@
2002-12-13	allow a second queue for higher priorized (currently: tos=lowdelay) packets	Henning Brauer
	to be specified per rule queue (qname, priorized_qname) idea dhartmei ok dhartmei@ frantzen@ deraadt@
2002-12-07	Support parameters in anchor rules. Allows conditional evaluation, like:	Daniel Hartmeier
	anchor spews inet proto tcp from any to any port smtp ok deraadt
2002-12-07	shadow cleanup	Henning Brauer
	ok mcbride@ frantzen@
2002-12-06	let pfctl -v print out "block drop" instead of just "block" in the drop	Henning Brauer
	case. fixes the last self-regress test. ok markus@
2002-12-06	Introduce anchors and named rule sets, allowing to load additional rule	Daniel Hartmeier
	sets with pfctl and evaluate them from the main rule set using a new type of rule (which will support conditional evaluation soon). Makes maintenance of sub-rulesets simpler for pfctl and daemons. Idea and ok deraadt@
2002-12-05	one step further to "program output is valid program input" and the related	Henning Brauer
	extra regress testing opportunities (an excellent idea by markus@). only print rule numbers in case of pfctl -v -v; but not with pfctl -v. ok markus@ frantzen@ mcbride@
2002-11-30	move unmask back into pf_print_state.c where it was, and please keep it ↵	Michael Shalayeff
	there; henning@ ok
2002-11-28	- Remove extra space before -> in print_rdr	Ryan Thomas McBride
	- Print hex keys lowercase ok dhartmei@ henning@
2002-11-28	- Adjust to match replacement of md5 with pf_hash	Ryan Thomas McBride
	- Allow keys to be specified in hex (must be 128 bits, mainly to make pfctl -v output paresable by pfctl) or as a string. Randomly generate key if one is not specified. Suggestions and fixes from camield@ ok mickey@ camield@ henning@
2002-11-23	Cosmetic fixes for print_*() functions, so they match the old regress	Daniel Hartmeier
	output (mainly spaces).
2002-11-23	fix parens "(" ")" when printing	Ryan Thomas McBride
	ok dhartmei@
2002-11-23	KNF	Theo de Raadt

2002-11-23	Missing {}	Daniel Hartmeier

2002-11-23	check to make sure a list item exists before checking to see if the next	Ryan Thomas McBride
	one is there. ok dhartmei@
2002-11-23	missing prototype, remember to use sa_family_t for af	Ryan Thomas McBride

2002-11-23	code to support loading of pf rules with multiple redirection addresses	Ryan Thomas McBride
	(in nat, rdr, route-to, dup-to and reply-to) Syntax looks like this, see pf.conf(5) for details: nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \ 192.168.0.16/29 source-hash random rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \ { 192.168.0.8/31, 192.168.0.15 } port 22 round-robin ok dhartmei@ henning@
2002-11-19	minor cosmetics, space after "label %s", in case both label and queue are	Daniel Hartmeier
	specified.
2002-11-18	KNF	Theo de Raadt

2002-11-18	altq and pf merged	Henning Brauer
	this isn't 100% done yet: the print_ stuff isn't finished, some features will be added later, and there is no documetation yet, but committing now enables a few more people to work on. print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc, debugging help also pb and camiel. lots of good ideas by theo. "commit now" theo philipp daniel
2002-10-25	- more sa_family_t	Camiel Dobbelaar
	- move unmask code to correct file - whitespace ok mcbride@ dhartmei@
2002-10-22	More conversion of "int af" and "u_int8_t af" declarations and function	Ryan Thomas McBride
	arguments to the more correct and descriptive "sa_family_t af" ok dhartmei@ henning@
2002-10-14	Allow one to specify a netblock in a binat rule:	Henning Brauer
	binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27 Both the network mask on the source and redirect addresses MUST be the same, and it works by essentially combining the network section of the redirect address with the host section of the source address. from ryan ok dhartmei@
2002-10-07	set block-policy [drop\|return]	Henning Brauer
	drop is default, same behaviour as before support block drop to override a return policy
2002-10-07	support a generic return	Henning Brauer
	block return in\|out ... acts like return-rst on tcp, like return-icmp on udp and like an ordinary block on anything else ok dhartmei@
2002-10-07	make return-icmp work for rules covering both v4 and v6	Henning Brauer
	-new field "return_icmp6" in pf_rule -parser accepts block return-icmp(ipv4-icmpcode, ipv6-icmpcode) ok and some input dhartmei@
2002-10-07	Add 'reply-to' to filter rules, similar to route-to, but applying to	Daniel Hartmeier
	replies (packets that flow in the opposite direction of the packet that created state), used for symmetric routing enforcement. Document how route-to and reply-to work in context of stateful filtering.
2002-10-05	Allow filtering based on IP header's tos field.	Daniel Hartmeier

2002-07-20	properly split yacc and lex use	Theo de Raadt

2002-07-15	add support for	Henning Brauer
	pass\|block on ! $interface ... ok dhartmei@ will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently reworking this manpage
2002-07-01	KNF	Theo de Raadt

2002-06-27	repair formatting - the new "enabled since" format is longer than the old	Henning Brauer
	one and thus the field lengths need to be adjusted. ok dhartmei@, pb@
2002-06-19	"Enabled for Ss" -> "Enabled for D days HH:MM:SS", ok frantzen@	Daniel Hartmeier

2002-06-11	split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',	Mike Frantzen
	'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping fragments and all corresponding ones ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking
2002-06-11	SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments	Mike Frantzen
	without the memory overhead of the conventional defrag in SCRUB ok dhartmei@, idea by deraadt@
2002-06-11	Make NAT proxy port range configurable per rule, for instance privileged	Daniel Hartmeier
	source ports can mapped to privileged proxy ports, or source port 500 to proxy port 500. ok frantzen@
2002-06-11	rework pfctl statistics display	Henning Brauer
	move FCNT_NAMES from pfvar.h to pfctl_parser.h, only used by pfctl some input by nick@ ok frantzen@, dhartmei@
2002-06-10	Allow ports to be specified in nat rules, useful later on for individual	Daniel Hartmeier
	proxy port ranges.
2002-06-09	Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it	Daniel Hartmeier
	includes ports and operator.
2002-06-09	spaced out developers...	Theo de Raadt

2002-06-08	Change remaining read-only lookup tables to const, suggestion drahn@	Daniel Hartmeier

2002-06-08	pf_timeouts is shared between pfctl and authpf, put it in the shared file.	Dale Rahn
	unbreak build.
2002-06-08	Make state timeouts configurable per rule, like	Daniel Hartmeier
	pass in from any to any port www keep state (tcp.established 60) ok frantzen@
2002-06-07	add the possibility to configure a TTL while return-rst	Philipp Buehler
	ok dhartmei@, ipv6 part itojun@ ok
2002-06-07	Add "(max <number>)" option for "keep/modulate state" to limit the number	Daniel Hartmeier
	of concurrent connections a rule can create. ok frantzen@