Age | Commit message | Author |
|
ok deraadt@ henning@
|
|
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to a group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces, for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
|
|
Implemented as an in-kernel multicast IP protocol.
Turn it on like this:
# ifconfig pfsync0 up syncif fxp0
There is not yet any authentication on this protocol, so the syncif
must be on a trusted network, i.e., a crossover cable between the two
firewalls.
NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.
Much more to come.
ok deraadt@
|
|
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule
ok dhartmei@ deraadt@
|
|
ok cedric@
|
|
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):
- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:
- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK
Ok dhartmei@ mcbride@
|
|
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
|
|
Make table tickets u_int32_t for consistency with other parts of PF.
Ok dhartmei@ henning@
|
|
ok dhartmei@
|
|
- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.
ok dhartmei@
|
|
The pfctl.c part will probably need some further improvements.
ok henning@
|
|
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.
I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)
ok dhartmei@ henning@
|
|
dynaddr rules after we know the address family
ok dhartmei@, inspired by a session with bob
|
|
load anchor anchorname:rulesetname file /path/to/file
ok pb@ dhartmei@ cedric@
|
|
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@
|
|
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.
|
|
of distinct bw_percent
|
|
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.
|
|
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.
|
|
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.
|
|
input theo, ok dhartmei@
|
|
ok dhartmei@ henning@
|
|
from David Hill <david at phobia.ms> a while ago
|
|
calculation, in verbose output (pfctl -vvsr). Instead, use a new flag -g for
that.
result of a longer discussion with dhartmei@ and jakob@
ok cedric@ pb@
|
|
due to a bug in the loadopt check, options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.
ok dhartmei@
|
|
ok henning@
|
|
given; they used to check for their parent interface/queue even in this
case.
ok dhartmei@ cedric@
|
|
part of the struct pfctl.
|
|
ok theo
|
|
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.
|
|
but do something useful when the user has no access to /dev/pf.
Tested on i386, sparc64.
ok henning@
|
|
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again
discussed w/ cedric@
ok cedric@ dhartmei@
|
|
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@
|
|
from, but whoever thought of it is stupid.
|
|
ruleset, make authpf manage its rules inside anchors.
|
|
evaluation, packet, byte and state entry counters similar to -vsr. Helps
verify whether/how often translation rules are evaluated/matched.
ok frantzen@, henning@
|
|
to prevent tickets from getting overwritten.
bug reported by dhartmei@
ok dhartmei@
|
|
ok dhartmei@ henning@
|
|
extra regress testing opportunities (an excellent idea by markus@).
only print rule numbers in case of pfctl -v -v; but not with pfctl -v.
ok markus@ frantzen@ mcbride@
|
|
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate a key
if one is not specified.
Suggestions and fixes from camield@
ok mickey@ camield@ henning@
|
|
(in nat, rdr, route-to, dup-to and reply-to)
Syntax looks like this, see pf.conf(5) for details:
nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random
rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin
ok dhartmei@ henning@
|
|
this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.
print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.
"commit now" theo philipp daniel
|
|
- move unmask code to correct file
- whitespace
ok mcbride@ dhartmei@
|
|
"set" keyword. example rulefile:
set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all
fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@
|