| Age | Commit message (Collapse) | Author |
|---|
|
ok henning@
|
|
|
|
|
|
Add a warning on global/anchor name clashes to help prevent mistakes from our
users during the 3.3 -> 3.4 switch.
ok henning@
|
|
You MUST test nework stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.
|
|
ok frantzen@
|
|
|
|
|
|
|
|
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@
|
|
|
|
ok dhartmei@ jmc@
|
|
(like pfctl -t spammers -vvTt -f file, causing EPERM on DIOCOSFPFLUSH).
|
|
|
|
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
|
|
|
|
prodded by mpech@
|
|
|
|
|
|
redirection rules...
The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.
This implementation support all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.
Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"
ok henning@ mcbride@
|
|
ERRX() has two effects: the message printing and goto _error; which causes
exit(1). While we don't want the message if pfctl was invoked with -n, we
DO want to abort. Otherwise subsequent 'load anchor' statements will get
executed, for instance, and the return value is handy for scripts.
|
|
(with pfctl -n)
Jared Yanovich <phirerunner@comcast.net>
|
|
Make table tickets u_int32_t for consistency with other parts of PF.
Ok dhartmei@ henning@
|
|
this fixes printing obsolete (non-existent) queues.
ok henning@
|
|
Ok dhartmei@ henning@
|
|
|
|
|
|
instead of indirectly trough struct pf_rule_addr.
Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.
Needless to say: KERNEL/USERLAND SYNC REQUIRED.
ok henning@ mcbride@
|
|
ok dhartmei@
|
|
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@
|
|
|
|
- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistant with other
parsed rules.
ok dhartmei@
|
|
ok dhartmei@ henning@
|
|
|
|
|
|
|
|
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.
ok dhartmei@ cedric@ markus@
|
|
The pfctl.c part will probably need some further improvements.
ok henning@
|
|
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.
I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)
ok dhartmei@ henning@
|
|
ok dhartmei@
|
|
|
|
Thanks to Max Laier.
|
|
ok dhartmei@
|
|
|
|
traffic reporting w/ pfsync; ok dhartmei@
Note: ABI change (new fields in struct pf_state), requires a rebuild of
pfctl and tcpdump.
|
|
|
|
|
|
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.
|
|
a table refernence, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric
|
|
ok henning@
|
