Age | Commit message (Collapse) | Author |
|
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.
|
|
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.
|
|
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.
|
|
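The three commits above describe why the raw bandwidth spec (absolute value or percentage) has to be carried through eval_pfaltq/eval_pfqueue unprocessed: a percentage can only be turned into an absolute value once the parent queue's bandwidth is known. The block below is an added example written for this page, not pfctl's own code; it borrows the field names node_queue_bw, bw_absolute and bw_percent from the commit messages but the struct layout, the queue struct and the multi-pass resolver are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * A bandwidth spec as the parser hands it over: either an absolute
 * value in bits/s or a percentage of the parent queue. Field names are
 * taken from the commit messages above; the layout is an assumption
 * made for this example, not pfctl's definition.
 */
struct node_queue_bw {
	uint64_t bw_absolute;	/* bits per second, 0 when not given */
	uint16_t bw_percent;	/* 1..100, 0 when not given */
};

/* One queue in the tree; parent == NULL marks the interface root queue. */
struct queue {
	const char		*name;
	struct node_queue_bw	 bw;		/* unprocessed spec */
	uint64_t		 bandwidth;	/* absolute value, 0 until resolved */
	struct queue		*parent;
};

/*
 * Turn q->bw into an absolute value. A percentage can only be resolved
 * once the parent's own bandwidth is known, which is why the raw spec
 * has to be carried until then. Returns 0 on success, -1 otherwise.
 */
int
eval_queue_bw(struct queue *q)
{
	if (q->bw.bw_absolute != 0 && q->bw.bw_percent != 0)
		return (-1);		/* both forms given: ambiguous */
	if (q->bw.bw_absolute != 0) {
		q->bandwidth = q->bw.bw_absolute;
		return (0);
	}
	if (q->bw.bw_percent == 0 || q->bw.bw_percent > 100)
		return (-1);		/* no usable spec */
	if (q->parent == NULL || q->parent->bandwidth == 0)
		return (-1);		/* parent not resolved (yet) */
	q->bandwidth = q->parent->bandwidth * q->bw.bw_percent / 100;
	return (0);
}

/*
 * Resolve every queue in qs[], in as many passes as needed so that the
 * order in which queues were declared does not matter. Returns 0 when
 * all queues got an absolute value, -1 if at least one can never be
 * resolved (bad spec, or a percentage on a queue without a parent).
 */
int
eval_queues(struct queue **qs, int n)
{
	int	resolved = 0, progress;

	do {
		progress = 0;
		for (int i = 0; i < n; i++) {
			if (qs[i]->bandwidth != 0)
				continue;	/* done in an earlier pass */
			if (eval_queue_bw(qs[i]) == 0) {
				resolved++;
				progress = 1;
			}
		}
	} while (progress && resolved < n);

	return (resolved == n ? 0 : -1);
}

int
main(void)
{
	/* constructed input: root queue 10Mb absolute, children in percent */
	struct queue root = { "fxp0", { 10000000, 0 }, 0, NULL };
	struct queue std  = { "std",  { 0, 50 },       0, &root };
	struct queue ssh  = { "ssh",  { 0, 20 },       0, &std };
	struct queue *qs[] = { &ssh, &std, &root };	/* children listed first */

	if (eval_queues(qs, 3) == -1) {
		fprintf(stderr, "unresolvable bandwidth spec\n");
		return (1);
	}
	for (int i = 0; i < 3; i++)
		printf("%-5s %llu bits/s\n", qs[i]->name,
		    (unsigned long long)qs[i]->bandwidth);
	return (0);
}
```

The resolver deliberately accepts the children before the root in qs[]: a single pass in declaration order would leave "ssh" unresolved, which is the situation the commit messages are working around by keeping the unprocessed spec until the parent's absolute value exists.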
input theo, ok dhartmei@
|
|
ok dhartmei@ henning@
|
|
from David Hill <david at phobia.ms> a while ago
|
|
calculation, in verbose output (pfctl -vvsr). Instead, use a new flag -g for
that.
result of a longer discussion with dhartmei@ and jakob@
ok cedric@ pb@
|
|
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.
ok dhartmei@
|
|
|
|
ok henning@
|
|
given; they used to check for their parent interface/queue even in this
case.
ok dhartmei@ cedric@
|
|
part of the struct pfctl.
|
|
ok theo
|
|
|
|
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.
|
|
but do something useful when the user has no access to /dev/pf.
Tested on i386, sparc64.
ok henning@
|
|
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again
discussed w/ cedric@
ok cedric@ dhartmei@
|
|
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@
|
|
from, but whoever thought of it is stupid.
|
|
ruleset, make authpf manage its rules inside anchors.
|
|
evaluation, packet, byte and state entry counters similar to -vsr. Helps
verify whether/how often translation rules are evaluated/matched.
ok frantzen@, henning@
|
|
to prevent tickets from getting overwritten.
bug reported by dhartmei@
ok dhartmei@
|
|
ok dhartmei@ henning@
|
|
extra regress testing opportunities (an excellent idea by markus@).
only print rule numbers in case of pfctl -v -v; but not with pfctl -v.
ok markus@ frantzen@ mcbride@
|
|
|
|
|
|
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.
Suggestions and fixes from camield@
ok mickey@ camield@ henning@
|
|
|
|
(in nat, rdr, route-to, dup-to and reply-to)
Syntax looks like this, see pf.conf(5) for details:
nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random
rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin
ok dhartmei@ henning@
|
|
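The two commits above introduce address pools with round-robin and source-hash selection (the latter keyed by a 128-bit key, generated randomly when none is given). As an added example for this page, not pf's implementation, the block below models a pool built from the entries of the rdr example, hands out addresses round-robin, and maps a source address to a pool member with a keyed hash. The hash (keyed FNV-1a), the decision to use every address of a block including its first and last, the fixed all-zero key and the pool struct are assumptions made for illustration only; pf's actual hash and pool bookkeeping differ.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_MAX	8

/* One address block of a pool; IPv4 addresses are kept in host order. */
struct pool_entry {
	uint32_t	base;
	uint32_t	count;
};

struct pool {
	struct pool_entry	ent[POOL_MAX];
	int			nent;
	uint32_t		total;		/* addresses over all entries */
	uint32_t		rr_next;	/* round-robin cursor */
	uint8_t			key[16];	/* 128-bit source-hash key */
};

static uint32_t
ip4(int a, int b, int c, int d)
{
	return ((uint32_t)a << 24) | ((uint32_t)b << 16) |
	    ((uint32_t)c << 8) | (uint32_t)d;
}

/* Add addr/prefixlen to the pool; prefixes shorter than /8 are rejected. */
int
pool_add(struct pool *p, uint32_t addr, int prefixlen)
{
	uint32_t	mask, count;

	if (p->nent >= POOL_MAX || prefixlen < 8 || prefixlen > 32)
		return (-1);
	mask = ~0u << (32 - prefixlen);	/* /32 shifts by 0: host route */
	count = 1u << (32 - prefixlen);
	p->ent[p->nent].base = addr & mask;
	p->ent[p->nent].count = count;
	p->nent++;
	p->total += count;
	return (0);
}

/* n-th address of the pool, counting across entries in order. */
static uint32_t
pool_nth(const struct pool *p, uint32_t n)
{
	for (int i = 0; i < p->nent; i++) {
		if (n < p->ent[i].count)
			return (p->ent[i].base + n);
		n -= p->ent[i].count;
	}
	return (0);	/* not reached for n < p->total */
}

/* round-robin: each call hands out the next address in the pool */
uint32_t
pool_round_robin(struct pool *p)
{
	uint32_t	a;

	if (p->total == 0)
		return (0);
	a = pool_nth(p, p->rr_next);
	p->rr_next = (p->rr_next + 1) % p->total;
	return (a);
}

/* Keyed FNV-1a over key||src. Illustrative only; this is not pf's hash. */
static uint32_t
keyed_hash(const uint8_t key[16], uint32_t src)
{
	uint32_t	h = 2166136261u;

	for (int i = 0; i < 16; i++) {
		h ^= key[i];
		h *= 16777619u;
	}
	for (int i = 0; i < 4; i++) {
		h ^= (src >> (8 * i)) & 0xff;
		h *= 16777619u;
	}
	return (h);
}

/* source-hash: the same source address always maps to the same member */
uint32_t
pool_source_hash(const struct pool *p, uint32_t src)
{
	if (p->total == 0)
		return (0);
	return (pool_nth(p, keyed_hash(p->key, src) % p->total));
}

int
main(void)
{
	struct pool	p;
	uint32_t	a;

	/* constructed pool: "{ 192.168.0.8/31, 192.168.0.15 }", key left zero */
	memset(&p, 0, sizeof(p));
	pool_add(&p, ip4(192, 168, 0, 8), 31);
	pool_add(&p, ip4(192, 168, 0, 15), 32);
	for (int i = 0; i < 4; i++) {
		a = pool_round_robin(&p);
		printf("round-robin -> %u.%u.%u.%u\n", a >> 24,
		    (a >> 16) & 0xff, (a >> 8) & 0xff, a & 0xff);
	}
	a = pool_source_hash(&p, ip4(10, 0, 0, 1));
	printf("source-hash -> %u.%u.%u.%u\n", a >> 24,
	    (a >> 16) & 0xff, (a >> 8) & 0xff, a & 0xff);
	return (0);
}
```

The point of the key is visible in pool_source_hash: without it, anyone who knows the pool can predict which member a given source lands on, which is why the commit above generates a random key when the rule does not supply one.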
this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on it.
print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.
"commit now" theo philipp daniel
|
|
- move unmask code to correct file
- whitespace
ok mcbride@ dhartmei@
|
|
"set" keyword. example rulefile:
set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all
fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@
|
|
pfctl -f <rulefile> they allow just the nat or filter rules to
be reloaded, respectively. The default (no flags) is to load everything.
If -N is specified, any existing filter rules are retained,
similarly for -R.
ok deraadt@, dhartmei@
|
|
moment.
|
|
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@
|
|
move FCNT_NAMES from pfvar.h to pfctl_parser.h, only used by pfctl
some input by nick@
ok frantzen@, dhartmei@
|
|
|
|
pass in from any to any port www keep state (tcp.established 60)
ok frantzen@
|
|
evaluated at parse time.
ok dhartmei@
|
|
functional change; dhartmei@ ok
|
|
|
|
From John Kerbawy.
|
|
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.
|
|
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.
|
|
non-verbose. Suggested by gwyllion@ace.ulyssis.org.
|
|
|
|
|
|
|
|
|
|
counting is lex dependent, and will need to be tweaked
|