| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2006-10-23 | no need to use "keep state" and "flags S/SA" in pf rules, | Jason McIntyre | |
| now that it is the default; ok henning mcbride camield (ftp-proxy bits) deraadt | |||
| 2006-10-17 | Don't automatically set 'flags S/SA' on stateless rules. | Ryan Thomas McBride | |
| pointed out by david@ ok mpf@ dhartmei@ | |||
| 2006-10-11 | quotes around filename, pr 5253, sthen@zephyr.spacehopper.org | Theo de Raadt | |
| 2006-10-11 | Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside | Ryan Thomas McBride | |
| the anchor, terminate ruleset evaluation when stepping out of the anchor. This means that if you absolutely want the anchor to be terminal, you probably want to use a 'block all' or 'pass all' rule at the start of the anchor. ok dhartmei@ henning@ deraadt@ | |||
| 2006-10-06 | Print 'flags any' correctly and handle anchors. | Ryan Thomas McBride | |
| 2006-10-06 | 'no state' should only be printed on pass rules, though. | Ryan Thomas McBride | |
| 2006-10-06 | Print out 'no state' when the rule is not stateful. | Ryan Thomas McBride | |
| 2006-10-06 | Oops, flags S/SA doesn't work on fragments. | Ryan Thomas McBride | |
| 2006-10-06 | Make 'flags S/SA keep state' the implicit for filter rules, based on | Ryan Thomas McBride | |
| a suggestion from dhartmei@. Also add 'flags any' and 'no state' options to disable flag matching and stateful filtering respectively. IMPORTANT NOTE: Current rulesets will continue to load, but the behaviour may be slightly changed as these defaults are more restrictive. If you are purposefully filtering statelessly ('no state') or have a requirement to create states on intermediate packets ('flags any') you should update your ruleset to make use of the new keywords to explicitly request the behaviour. Note that creation of states from intermediate packets in a connection is not recommended, and will increasingly cause problems as more OSs enable window scaling and increase buffer sizes by default. ok dhartmei@ deraadt@ henning@ | |||
| 2006-08-22 | back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support | Daniel Hartmeier | |
| for nat rules. sorry, existing functionality trumps syntactic sugar. feel free to resubmit a complete patch. closes PR 5207. | |||
| 2006-08-08 | properly join host lists in ifa_grouplookup(), closes PR 5195, | Daniel Hartmeier | |
| reported by andrew fresh | |||
| 2006-07-06 | add "rtable" to select alternate routing tables. | Henning Brauer | |
| with & ok claudio hshoexer | |||
| 2006-06-30 | spaces | Theo de Raadt | |
| 2006-06-17 | KNF | Henning Brauer | |
| 2006-06-09 | Xo/Xc not needed here; from david | Jason McIntyre | |
| 2006-05-28 | Make per-rule adaptive timeouts behave the same way as the global adaptive | Ryan Thomas McBride | |
| timeouts. | |||
| 2006-05-28 | Enable adaptive timeouts by default, with adaptive.start of 60% of the | Ryan Thomas McBride | |
| state limit and adaptive.end of 120% of the state limit. Explicitly setting the adaptive timeouts will override the default, and it can be disabled by setting both adaptive.start and adaptive.end to 0. ok henning@ | |||
| 2006-05-26 | \<char> is <char> except for \<newline> -- no exceptions. much like how | Theo de Raadt | |
| other things work. ok henning | |||
| 2006-05-23 | member interfaces of groups might have no IPs and ifa_lookup retun NULL, | Henning Brauer | |
| account for that. fixes PR5130, ok dhartmei | |||
| 2006-05-14 | better english to describe interfaces without bandwidth info; ok henning | Theo de Raadt | |
| 2006-05-02 | fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create | Daniel Hartmeier | |
| only bar under foo, not /bar as well. secondly, when using "load anchor from" from a sub-anchor, the loading point should be relative to the sub-anchor doing the load (unless absolute paths are used, of course). from Boris Polevoy. probably a -stable candidate. | |||
| 2006-05-01 | add support for "tagged {}" lists, from Pierre-Yves Ritschard | Daniel Hartmeier | |
| 2006-04-24 | don't clear interface flags (set skip on) when -N/-F is used without -O, | Daniel Hartmeier | |
| from Jon Simola, ok henning@ | |||
| 2006-04-08 | Plug simple memory leak. ``Don't forget to free tcpopts when you | Ray Lai | |
| are done.'' From NetBSD from Coverity CID 2057. OK henning@ and jaredy@ | |||
| 2006-04-08 | Remove a little bit of dead code; minburst is set to 2 earlier, and | Ray Lai | |
| cannot be 0. From NetBSD from Coverity CID 577. OK henning@ | |||
| 2006-04-06 | allow lists inside lists for address specs, has been in my tree for | Henning Brauer | |
| quite some time... theo likes | |||
| 2006-03-21 | instead of sizeof(array) / sizeof(element) computation, use the existing | Daniel Hartmeier | |
| end-of-array NULL marker, shuts up source analysis tool, from deraadt@ | |||
| 2006-03-14 | implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4) | Damien Miller | |
| which optionally verifies that a packet is received on the interface that holds the route back to the packet's source address. This makes it an automatic ingress filter, but only when routing is fully symmetric. bugfix feedback claudio@; ok claudio@ and dhartmei@ | |||
| 2006-01-28 | zap unused function | Henning Brauer | |
| From: Andrey Matveev <evol@online.ptt.ru> | |||
| 2005-11-17 | for pfctl -f rules, open the file before resetting options. when opening | Daniel Hartmeier | |
| the file fails, produce only the error message and leave options unchanged. reported by Tamas TEVESZ, ok deraadt@ | |||
| 2005-11-12 | return; at end of function is dorky | Theo de Raadt | |
| 2005-11-04 | crank pf_state and pf_src_node byte and packet counters to u_in64_t, since | Ryan Thomas McBride | |
| we're breaking pfsync compatibility this cycle anyways. Requested by djm@, ok henning@, 'wheee!' deraadt@ | |||
| 2005-10-18 | add support for static interface group expansion, i. e. | Henning Brauer | |
| pass to group ok hshoexer, hacked at linux-kongress last week | |||
| 2005-10-13 | unused parameters | Henning Brauer | |
| 2005-10-13 | dead defines | Henning Brauer | |
| 2005-08-17 | with pfctl -vsI, indicate which interfaces are being skipped. | Daniel Hartmeier | |
| ok henning@, markus@, mpf@ | |||
| 2005-07-11 | clear PFI_IFLAG_SKIP when clearing interface flags, found by David Hill, | Daniel Hartmeier | |
| ok henning@ | |||
| 2005-06-30 | in order for pfvar.h not to conflict with openssl's crypto.h, use | Nikolay Sturm | |
| PF_MD5_DIGEST_LENGTH instead of including crypto/md5.h ok markus@, henning@, mpf@ | |||
| 2005-06-14 | no need to restrict tagging to stateful rules any more, dhartmei ok | Henning Brauer | |
| From: "Alexey E. Suslikov" <cruel@texnika.com.ua> | |||
| 2005-06-13 | document extended pfctl -sl format | Henning Brauer | |
| 2005-06-13 | make the packet and byte counters on rules and src nodes per direction, | Henning Brauer | |
| matches the counters on states now. also fix the counting on scrub rules where we previously did not handle the byte counters at all. extend pfctl -sl output to include the new seperate in/out counters hacked on the ferry from Earls Cove to Saltery Bay ok ryan | |||
| 2005-06-13 | free memory in show_src_nodes and show_states, as reported by | Jared Yanovich | |
| Henrik Gustafsson <openbsd@fnord.se> via tech@. ok henning | |||
| 2005-05-28 | don't print the "[ Inserted: uid pid ]" line when -g is used, so the | Daniel Hartmeier | |
| regress tests don't have to deal with it (and it's a useless thing to check from there). | |||
| 2005-05-27 | Hide Hostid and Checksum in pfctl -si output unless the -v flag is used. | Ryan Thomas McBride | |
| Prodded by henning@ | |||
| 2005-05-27 | Calculate an MD5 checksum over the main pf ruleset. | Marco Pfatschbacher | |
| This is the basis for further pfsync improvements, to ensure that pf rules are in sync with the master. "get it in" mcbride@ | |||
| 2005-05-27 | get rid of 'log-all'. now that we have 'log (options)', make 'all' an | Daniel Hartmeier | |
| option to log. so, 'log-all' becomes 'log (all)'. | |||
| 2005-05-27 | get rid of shift/reduce conflicts, don't support empty logopts | Daniel Hartmeier | |
| 2005-05-27 | log two pairs of uid/pid through pflog: the uid/pid of the process that | Daniel Hartmeier | |
| inserted the rule which causes the logging. secondly, the uid/pid of the process in case the logged packet is delivered to/from a local socket. a lookup of the local socket can be forced for logged packets with a new option, 'log (user)'. make tcpdump print the additional information when -e and -v is used. note: this changes the pflog header struct, rebuild all dependancies. ok bob@, henning@. | |||
| 2005-05-27 | allow 'tagged' in 'anchor' rules (without complaining about missing | Daniel Hartmeier | |
| 'keep state'), as a condition to branch into the anchor. suggested by Bill Marquette. | |||
| 2005-05-26 | The illegalness of "no nat log" is already enforced by the grammar. | Camiel Dobbelaar | |
| ok dhartmei | |||
 |
index : src | |
| OpenBSD base system |
| summaryrefslogtreecommitdiff |