summaryrefslogtreecommitdiff
path: root/sbin/pfctl/pfctl_table.c
AgeCommit message (Collapse)Author
2005-08-17with pfctl -vsI, indicate which interfaces are being skipped.Daniel Hartmeier
ok henning@, markus@, mpf@
2005-05-21clean up and rework the interface absraction code big time, rip out multipleHenning Brauer
useless layers of indirection and make the code way cleaner overall. this is just the start, more to come... worked very hard on by Ryan and me in Montreal last week, on the airplane to vancouver and yesterday here in calgary. it hurt. ok ryan theo
2004-12-22Introduce 'set skip on <ifspec>' to support a list of interfaces where noDaniel Hartmeier
packet filtering should occur (like loopback, for instance). Code from Max Laier, with minor improvements based on feedback from deraadt@. ok mcbride@, henning@
2004-06-12Fix table add/replace commands with securelevel=2.Cedric Berger
Reported by James J. Lippard. ok otto@
2004-05-19Allow recursive anchors (anchors within anchors, up to 64Daniel Hartmeier
levels deep). More work required, but this is already functional. authpf users will need to adjust their anchor calls, but this will change again soon. ok beck@, cedric@, henning@, mcbride@
2004-03-15cast %llu arguments to unsigned long long, from Max Laier,Daniel Hartmeier
ok henning@ cedric@
2004-02-26Fix pfctl -sa output. Found by David Krause, ok mcbride@Cedric Berger
2004-02-19Makes pfctl -ss and pfctl -sq use optional -i argument.Cedric Berger
ok dhartmei@ markus@ mcbride@
2004-02-17add -i flag, use it for -sI as a start. ok henning@, ok+test mcbride@Cedric Berger
2004-02-10KNFDaniel Hartmeier
2004-02-10lotsoflotsoflotsof KNFHenning Brauer
and an off by one
2004-01-29Clean up 'pfctl -s all' output.Ryan Thomas McBride
ok deraadt@ henning@
2003-12-31spacing. note this, cedricTheo de Raadt
2003-12-31Many improvements to the handling of interfaces in PF.Cedric Berger
1) PF should do the right thing when unplugging/replugging or cloning/ destroying NICs. 2) Rules can be loaded in the kernel for not-yet-existing devices (USB, PCMCIA, Cardbus). For example, it is valid to write: "pass in on kue0" before kue USB is plugged in. 3) It is possible to write rules that apply to group of interfaces (drivers), like "pass in on ppp all" 4) There is a new ":peer" modifier that completes the ":broadcast" and ":network" modifiers. 5) There is a new ":0" modifier that will filter out interface aliases. Can also be applied to DNS names to restore original PF behaviour. 6) The dynamic interface syntax (foo) has been vastly improved, and now support multiple addresses, v4 and v6 addresses, and all userland modifiers, like "pass in from (fxp0:network)" 7) Scrub rules now support the !if syntax. 8) States can be bound to the specific interface that created them or to a group of interfaces for example: - pass all keep state (if-bound) - pass all keep state (group-bound) - pass all keep state (floating) 9) The default value when only keep state is given can be selected by using the "set state-policy" statement. 10) "pfctl -ss" will now print the interface scope of the state. This diff change the pf_state structure slighltly, so you should recompile your userland tools (pfctl, authpf, pflogd, tcpdump...) Tested on i386, sparc, sparc64 by Ryan Tested on macppc, sparc64 by Daniel ok deraadt@ mcbride@
2003-08-29Document interactions between tables and anchors.Cedric Berger
Add a warning on global/anchor name clashes to help prevent mistakes from our users during the 3.3 -> 3.4 switch. ok henning@
2003-07-31Make table tickets per-ruleset instead of global.Cedric Berger
Make table tickets u_int32_t for consistency with other parts of PF. Ok dhartmei@ henning@
2003-07-11Better parsing and -v support for tables:Cedric Berger
- remove the tableaddrs and tableaddr yacc production and reuse host_list instead. - produce better error messages. - do not load addresses from external file when it is not required (like with -R option). - store initializers in a new node_tinit linked list before putting them into the address buffer (see next point). - add a new print_tabledef() function, which makes "pfctl -nvf" print something useful for table definitions, which in turn makes it possible to write better regress tests (see first chunk of the diff) and bring table definition consistant with other parsed rules. ok dhartmei@
2003-07-03Bye bye atexit(), bye bye globals...Cedric Berger
The pfctl.c part will probably need some further improvements. ok henning@
2003-07-03This patch finally cleanup pfctl_table.c. No more global buffer,Cedric Berger
and a couple of parsing functions moved to parse.y or pfctl_parser where they belong. I also took the opportunity to replace "void" functions with exit(1) or err() inside by "int" functions, with the caller checking the return value for errors (much cleaner and an old request from Theo) ok dhartmei@ henning@
2003-06-29Replace assert(3) calls with warnx(3), if the warning is relevant at all.Daniel Hartmeier
2003-06-27Reorg part I: move 3 functions out of pf_table.c to pf_radix.cCedric Berger
ok dhartmei@
2003-06-08A table in an anchor creates a real anchor: pfctl -sA works.Cedric Berger
The following two pfctl functions work with an "-a" option: - pfctl [-a foo[:bar]] -sT - pfctl [-a foo[:bar]] -FT ok dhartmei@
2003-05-24Properly reset buffers after each "table" command.Cedric Berger
More to come for the error case. ok henning@
2003-04-30Allow tables to be loaded into anchors.Cedric Berger
Most pfctl table commands (excluding 'show' and 'flush') support the "-a" modifier. ok dhartmei@
2003-04-27Update the pfioc_table IOCTL structure.Cedric Berger
Prepare for anchors, improve robustness. WARNING: need to sync kernel/userland. ok dhartmei@
2003-04-25check asprintf return value for error as well, some implementations doPeter Valchev
not set the pointer to NULL necessarily; ok dhartmei, henning, kjell
2003-04-05ease netmask handling a bitHenning Brauer
input theo, ok dhartmei@
2003-03-27lotsa const char *Henning Brauer
from David Hill <david at phobia.ms> a while ago
2003-03-07Only show non-active tables when the -g flag is given.Cedric Berger
ok dhartmei@ henning@
2003-02-14remove explicit table creation ( -T create ), it's useless.Henning Brauer
ok pb@ mcbride@ deraadt@
2003-02-05Do not scare ppl too much.Cedric Berger
Suggested by camield@
2003-02-04use size_t for struct size and offset calculations.Cedric Berger
check msize for overflow and realloc overflow.
2003-02-04Cleanup buffer before reuse. Consistency + defensive programming.Cedric Berger
2003-02-03remove loadopt global definition and cleanup a bit.Cedric Berger
ok henning@
2003-02-03More cleanup in tables thanks to Andrey Matveev:Cedric Berger
- get rid of unnecessary header netinet/in.h in pfctl_radix.c and pfctl_table.c - do fclose(3) only when we use config file, not STDIN - get rid of unneeded temporatory variables - minor KNF
2003-01-25Another nice cleanup patch from Andrey MatveevCedric Berger
KNF + remove/reorg headers.
2003-01-25Fix NOACTION with table statements.Cedric Berger
2003-01-25Permit initialisation of a table content from a file in pf.conf.Cedric Berger
Cleaning up of the table options parsing, more flexible. idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.
2003-01-23Little cleanup thanks to Andrey MatveevCedric Berger
2003-01-22Automatically create tables for the "add" and "replace" table commands.Cedric Berger
Requested by deraadt@, pass all regress tests.
2003-01-18va_end() missing. Thanks to Andrey Matveev.Cedric Berger
2003-01-18Cleanup PF_OPT_NOACTION with tables. No changes on current behaviour,Cedric Berger
but do something useful when the user has no access to /dev/pf. Tested on i386, sparc64. ok henning@
2003-01-18Little cleanup from Andrey Matveev <andrushock@korovino.net>Cedric Berger
Thanks!
2003-01-14unified IP parser:Henning Brauer
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h] -extend host() to handle /mask itself, plus minor adjustments -use that in pfctl_table.c instead of coding the same shit again discussed w/ cedric@ ok cedric@ dhartmei@
2003-01-14A bit of consistency in error messages. Before regress commit :)Cedric Berger
2003-01-11use errx instead of handcrufting the same with fprintf and exitHenning Brauer
2003-01-11-use inet_net_pton to parse IPv4 addresses, gains us support for CIDR (10/8)Henning Brauer
-remove a redundant strlen check ok cedric@
2003-01-10Fix adding and deleting addresses in a table when there is a conflict withCedric Berger
the "negated" attribute of an address. The previous behaviour was incorrect in both cases (too strict for the add command and too permissive for the delete command). ok dhartmei@
2003-01-10Be a bit more strict when parsing options.Cedric Berger
Disallow "pfctl -s rabbits" and friends. ok dhartmei@
2003-01-09knfDaniel Hartmeier