| Age | Commit message (Collapse) | Author |
|---|
|
ok henning@
|
|
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.
ok henning mpf
|
|
in the inline anchor. Fixes optimizer bug where automatic table creation in
inline anchors fails because rules are now loaded after optimization
and no transaction has been opened for the anchor.
bug reported by Henrik Johansen
ok henning dhartmei
|
|
|
|
from tobias@
ok mcbride@ tobias@
|
|
sys/dev/pci/pciide.c from naddy@
|
|
I forgot to think about hex numbers when I removed it.
OK deraadt@
|
|
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@
|
|
Add support for probablities of 0% and 100%.
With and OK deraadt@
|
|
yuck & ok henning@
|
|
ok deraadt@
|
|
|
|
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.
OK deraadt@
|
|
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr
|
|
|
|
the main configuration file; ok henning
|
|
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.
|
|
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others
|
|
Requested by deraadt@
|
|
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.
OK henning@, markus@
|
|
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.
Eyeballed by markus@, OK henning@
|
|
|
|
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei
|
|
criteria. ok mcbride@
|
|
|
|
since only the first letter matters in the end and state still matches
states since we do strncmp this does not change xisting behaviour and
just allows plural states to be used as well.
pt out by Tom Van Looy <tom@ctors.net>
|
|
|
|
OK henning@, ``passt scho'' markus@
|
|
|
|
ok henning@ toby@ pyr@
|
|
at the code with jdixon@
|
|
|
|
is invalid now, it doesn't serve any purpose any more anyway since that is
the default. ok mcbride
|
|
to reflect this;
whilst there i had to wrap -t in Xo/Xc to stop line split,
and i zapped some extra whitespace in usage();
fixes user/5441 from sthen
|
|
ok deraadt henning
|
|
|
|
to 200,000 instead of the conservative 100,000; ok dhartmei beck
tested by ckuethe
|
|
|
|
with -z instead of DIOCCLRRULECTRS. Unbreaks -z with anchors and makes the
read & reset operation atomic.
innstrument pfctl_show_rules() to clear counters while reading rules and
add a new output format for it, showing nothing, if only resetting counters
without actually displaying them is requested. minor cleanups on the way.
ok dhartmei & agreement from theo and ryan
|
|
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@
|
|
from Janne Johansson, tweaked by myself;
ok dhartmei
|
|
"pfctl -t tablename -T expire 3600" would expire all entries in the given
table that are older than 3600 seconds. ok dhartmei, manpage help & ok jmc
|
|
already.
|
|
reuses IPv4 signature file (assuming that TCP code is shared among IPv4/v6).
mcbride ok.
|
|
was obviously intended to check all three. has been wrong since the
beginning, 4 years... noticed by Earl Lapus <earl.lapus@gmail.com>,
Vasil Dimov <vd@FreeBSD.org> mailed me then, ok mcbride
|
|
-k argument for killing states; From Berk D. Demir <bdd@mindcast.org>
ok dhartmei henning
|
|
ok henning@
|
|
|
|
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.
ok deraadt@
|
|
contains rules. Fixes DIOCXCOMMIT: Device busy when multiple anchors with
the same name are specified.
reported by ckuethe@ and mkb@crypt.org.ru
|
