Age | Commit message | Author
reuses IPv4 signature file (assuming that TCP code is shared among IPv4/v6).
mcbride ok.
was obviously intended to check all three. has been wrong since the
beginning, 4 years... noticed by Earl Lapus <earl.lapus@gmail.com>,
Vasil Dimov <vd@FreeBSD.org> mailed me then, ok mcbride
-k argument for killing states; From Berk D. Demir <bdd@mindcast.org>
ok dhartmei henning
ok henning@
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.
ok deraadt@
contains rules. Fixes DIOCXCOMMIT: Device busy when multiple anchors with
the same name are specified.
reported by ckuethe@ and mkb@crypt.org.ru
reserved names, if a trailing * is specified in the anchor name.
e.g. recursively print the main ruleset:
pfctl -a '*' -sr
Recursively print the spam anchor:
pfctl -a 'spam*'
pfctl -a 'spam/*'
Also fix a bug which prevented the contents of inline anchors with
explicit names from being loaded into the kernel.
ok henning@
"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]
You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.
cleanup and ok henning@
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified
'looks sensible' deraadt@
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").
anchor on fxp0 {
	pass in proto tcp port 22
}
The anchor name is optional on inline loaded anchors.
testing ckuethe@
ok henning@ dhartmei@
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride
now that it is the default;
ok henning mcbride camield (ftp-proxy bits) deraadt
pointed out by david@
ok mpf@ dhartmei@
the anchor, terminate ruleset evaluation when stepping out of the anchor.
This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.
ok dhartmei@ henning@ deraadt@
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.
IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.
Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.
ok dhartmei@ deraadt@ henning@
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.
reported by andrew fresh
with & ok claudio hshoexer
timeouts.
state limit and adaptive.end of 120% of the state limit.
Explicitly setting the adaptive timeouts will override the default,
and it can be disabled by setting both adaptive.start and adaptive.end to 0.
ok henning@
other things work. ok henning
account for that. fixes PR5130, ok dhartmei
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.
from Jon Simola, ok henning@
are done.''
From NetBSD from Coverity CID 2057.
OK henning@ and jaredy@
cannot be 0.
From NetBSD from Coverity CID 577.
OK henning@
quite some time... theo likes
end-of-array NULL marker, shuts up source analysis tool, from deraadt@
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.
bugfix feedback claudio@; ok claudio@ and dhartmei@
From: Andrey Matveev <evol@online.ptt.ru>