Age | Commit message (Collapse) | Author |
|
behaviour noticed by Paul de Weerd, thanks!
ok dhartmei@
|
|
ok henning@
|
|
and null-terminate the interface name. Found by Michael Wallis.
ok henning@
|
|
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.
|
|
|
|
|
|
ok pb@
|
|
pointed out by mpech@
ok pb@
|
|
|
|
in some cases, on non-tcp rules flags weren't resetted. cosmetical only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.
ok pb@, dhartmei@
|
|
these are valid:
pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S
these are invalid:
pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S
ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@
|
|
block in log quick all
and
block in quick log all
work.
ok dhartmei@, deraadt@
|
|
ok theo
|
|
|
|
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious
|
|
a=a b
c=$a $a
|
|
|
|
|
|
|
|
|
|
less and easier code than before.
no functional changes.
ok frantzen@, dhartmei@
|
|
literals, so you can do things like
macro="{ foo, # first entry
bar, # second entry
baz }" # last entry
or
pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state
And sneaking in two minor fixes for KNF.
|
|
lookups with pfctl -r. Makes things actually simpler.
|
|
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningfull error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.
okay dhartmei@
|
|
|
|
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.
ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@
documentation in pf.conf.5 to come with pb@'s rewrite
|
|
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@
|
|
pass|block on ! $interface ...
ok dhartmei@
will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage
|
|
ok henning@, dhartmei@
|
|
o complain about return-rst on rules which aren't limited to tcp
pointed out by not-slacking-but-testing pb@
ok pb@, dhartmei@
|
|
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.
ok dhartmei@
|
|
for scoped address (unlikely due to the deployed codebase...).
|
|
into proper sockaddr_in6.
|
|
you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existant
(and address family unset or inet) and the first IPv6 address otherwise.
this diff changes that. the interface is proper expanded to all IPs, IPv4
_and_ IPv6, now.
it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.
nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like
nat on $interface from $whatever to any -> $interface
ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.
This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.
also fix some prototypes while I'm here.
pb@ found another problem while testing that we must have introduced somewhat
after 3.1.
$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?
it's only a representation bug as far as I've checked, nontheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.
ok dhartmei@, pb@, kjell@
"It looks good" frantzen@
|
|
|
|
|
|
we don't support
pass/block in on ! <interface>
(at least, not yet)
let the parser complain instead of ignoring the '!'
ok pb@, dhartmei@
|
|
set loginterface none
ok dhartmei@
|
|
going to go away).
add explicit pushback buffer, to be able to push IPv6 failed parses back.
handle pushback + parse buffer interactions by using negative indices.
okay dhartmei@, deraadt@
|
|
|
|
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).
|
|
ok pb@
|
|
one and thus the field lengths need to be adjusted.
ok dhartmei@, pb@
|
|
"set" keyword. example rulefile:
set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all
fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@
|
|
|
|
|
|
|
|
|
|
ok dhartmei@
|
|
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@
|