Age | Commit message | Author

Implemented as an in-kernel multicast IP protocol.
Turn it on like this:
# ifconfig pfsync0 up syncif fxp0
There is not yet any authentication on this protocol, so the syncif
must be on a trusted network, i.e., a crossover cable between the two
firewalls.
NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.
Much more to come.
ok deraadt@
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule
ok dhartmei@ deraadt@
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember
-print debuglevel "Loud", this was omitted before (caught by mpech@)
-use the fine PF_DEBUG_* defines instead of magic numbers
ok markus
ok cedric@
created by this rule from appearing on the pfsync(4) interface. e.g.
pass in proto tcp to self flags S/SA keep state (no-sync)
ok cedric@ henning@ dhartmei@
the idea is not mine and I'd love to get credit, but I cannot find the mail
any more :-((
ok canacar@ dhartmei@
int is not the same as u_long
caused an integer overflow on our 64 bit archs and thus made pf not work
there
ok mcbride@ marc@ millert@ cedric@
ok deraadt@ henning@
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftovers in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):
- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:
- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK
Ok dhartmei@ mcbride@
ok henning@ mcbride@
ok henning@
Add a warning on global/anchor name clashes to help prevent mistakes from our
users during the 3.3 -> 3.4 switch.
ok henning@
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.
ok frantzen@
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@
ok dhartmei@ jmc@
(like pfctl -t spammers -vvTt -f file, causing EPERM on DIOCOSFPFLUSH).
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
prodded by mpech@
redirection rules...
The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.
This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.
Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"
ok henning@ mcbride@
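The pool expansion described in the commit above, as an added illustration (this is not pf's kernel code): a table spec with CIDR blocks and negated entries is expanded to its member addresses, optionally mixed with plain addresses via a `<name>` table reference, and then handed out round-robin. The table names and the `expand_pool`/`round_robin` helpers are assumptions made for this example.

```python
import ipaddress


def expand_table(entries):
    """Expand pf-style table entries such as ["10.0.0.0/29", "!10.0.0.0",
    "!10.0.0.7"] into the ordered list of addresses a round-robin pool
    would cycle through.  An entry prefixed with '!' is negated: every
    address it covers is removed from the result, even if a broader
    block includes it.  (Illustrative model, not pf's own implementation.)"""
    included, excluded = [], set()
    for entry in entries:
        negate = entry.startswith("!")
        # strict=False lets a host address like "10.0.0.0" be a /32 block
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        addrs = [str(a) for a in net]  # all addresses, network/broadcast too
        if negate:
            excluded.update(addrs)
        else:
            included.extend(addrs)
    return [a for a in included if a not in excluded]


def expand_pool(spec, tables):
    """Expand a pool like "{ 1.1.1.1 <bar> }": a "<name>" token is looked up
    in `tables` (name -> list of entries), anything else is a plain address
    or CIDR block.  Mirrors the "tables combined with simple addresses" case."""
    pool = []
    for tok in spec.strip().strip("{}").split():
        if tok.startswith("<") and tok.endswith(">"):
            pool.extend(expand_table(tables[tok[1:-1]]))
        else:
            pool.extend(expand_table([tok]))
    return pool


def round_robin(pool, count):
    """Return the addresses the next `count` connections would be mapped to,
    wrapping around the pool; an empty pool is a configuration error."""
    if not pool:
        raise ValueError("round-robin pool has no addresses")
    return [pool[i % len(pool)] for i in range(count)]


if __name__ == "__main__":
    # constructed sample matching the commit message's example
    tables = {"bar": ["10.0.0.0/29", "!10.0.0.0", "!10.0.0.7"]}
    print(expand_table(tables["bar"]))        # .1 through .6
    print(round_robin(expand_pool("{ 1.1.1.1 <bar> }", tables), 8))
```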
ERRX() has two effects: the message printing and goto _error; which causes
exit(1). While we don't want the message if pfctl was invoked with -n, we
DO want to abort. Otherwise subsequent 'load anchor' statements will get
executed, for instance, and the return value is handy for scripts.
(with pfctl -n)
Jared Yanovich <phirerunner@comcast.net>
Make table tickets u_int32_t for consistency with other parts of PF.
Ok dhartmei@ henning@
this fixes printing obsolete (non-existent) queues.
ok henning@
Ok dhartmei@ henning@
instead of indirectly through struct pf_rule_addr.
Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.
Needless to say: KERNEL/USERLAND SYNC REQUIRED.
ok henning@ mcbride@
ok dhartmei@