path: root/sbin/pfctl
Age / Author / Commit message

2001-12-13  Mike Pechkin
    o) start new sentence on a new line;
    o) wrap long lines;
    o) fix bogus .Xr usage;
    o) we don't like blank lines;
    o) always close .Bl tags;
    o) OpenBSD -> .Ox;
    o) don't like .Pp before .Ss;
    millert@ ok;

2001-12-10  Daniel Hartmeier
    Convert usage of 'you' to third person. Reword some sentences.

2001-12-10  Daniel Hartmeier
    Add stateful filtering for other (non-TCP/UDP/ICMP) protocols, based on
    source/destination addresses/ports only. Add RDR for ICMP. Add
    NAT/RDR/BINAT for other protocols. Destination and redirection port(s)
    are now optional for RDR rules. Not specifying destination port(s) means
    'redirect all ports', not specifying redirection port(s) means 'redirect
    to the original port'.

2001-12-05  Daniel Hartmeier
    Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.

2001-12-03  Daniel Hartmeier
    For nat, binat and rdr rules, don't allow different address families in
    one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't
    work, even if they were falsely accepted before.

2001-12-01  Mike Frantzen
    wipe print_nat()'s nose (use dnot correctly instead of snot). I need to
    start naming variables 'bugger'. Yes, that's what I'll do.

2001-11-26  jasoni
    add fastroute options similar to what is found in ipf
    ok dhartmei@, frantzen@

2001-11-05  Theo de Raadt
    No one responds.
    This diff makes } and { not be part of symbols.

2001-10-24  Daniel Hartmeier
    Check interface names using ifa0_lookup() and print error message for
    non-existent interfaces (instead of the generic ioctl error returned by
    the kernel in this case).

2001-10-24  Daniel Hartmeier
    Use snot/dnot correctly in print_rdr. RDR rules with '!' used on the
    destination address were printed incorrectly before (though the rules
    worked correctly).

2001-10-15  Daniel Hartmeier
    Add 'allow-opts' to rules. Packets with IP options will be blocked by
    default now, and can be allowed per rule. ok deraadt@

2001-10-11  Mike Frantzen
    Don't htonl() past buffer bounds if ipmask == 128

2001-10-11  Daniel Hartmeier
    Corrections from Brian J. Kifiak.

2001-10-07  Daniel Hartmeier
    Add interface name to address translation to pfctl, document it and add
    a regress test. Translation is done on rule set load-time only, so the
    rule sets must be reloaded when an interface address changes. parse.y
    patch from Cedric Berger. Similar patch from Jonathon Fletcher. Thanks
    to both.

2001-10-04  Daniel Hartmeier
    Honour -v flag when printing states, print only one line per state when
    non-verbose. Suggested by gwyllion@ace.ulyssis.org.

2001-10-02  Mike Frantzen
    Remove duplication from simultaneous commits

2001-10-02  Mike Frantzen
    Typo fixes (thanks gwyllion@ace.ulyssis.org)

2001-10-02  Daniel Hartmeier
    'pfctl -O foo' dumped core. A check was there, but didn't work.

2001-10-01  Markus Friedl
    print variable assignments only if -v is given. ok dhartmei/deraadt

2001-10-01  Daniel Hartmeier
    Print error message when pfctl -N/-R can't open the specified file
    (instead of failing silently). Found by niklas@.

2001-09-30  Mike Frantzen
    Selectable preset FSM optimizations for several network environments.
    Thanks to everyone who sent me packet captures!

2001-09-28  Daniel Hartmeier
    Support underscores in macro names and document it in the man page.

2001-09-22  Theo de Raadt
    remove debug printf

2001-09-20  Daniel Hartmeier
    Fix uninitialized structure fields. Problem reported by Cedric Berger.

2001-09-15  Peter Stromberg
    Implement return-icmp(number), return-icmp6(number)
    Differentiate between return-icmp and return-icmp6, icmp-type and
    ipv6-icmp-type. ok dhartmei@

2001-09-15  Daniel Hartmeier
    ICMP6_DST_UNREACH_NOROUTE <-> _ADMIN, reported by Wouter Coene.

2001-09-15  Daniel Hartmeier
    Fix 'binat ... to any ...' (binat.af wasn't set).

2001-09-15  Daniel Hartmeier
    Parse bug, found by wilfried@

2001-09-15  Mike Frantzen
    IPv6 support from Ryan McBride (mcbride@countersiege.com)

2001-09-12  Markus Friedl
    check calloc() return value

2001-09-06  jasoni
    - you can only binat between hosts
    - add binat example and description

2001-09-06  jasoni
    1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@

2001-09-06  Mike Pechkin
    Initial idea from aaron@: Last char of .Xr group in SEE ALSO section
    should be a single digit. Powered by mantoya@. millert@ ok.

2001-09-04  Daniel Hartmeier
    Support parameter lists {} for interfaces in filter rules, like
        pass in on { gm0, kue0 } from any to any

2001-09-02  Daniel Hartmeier
    Print rule numbers zero-based. Noted by primus@gblx.net.

2001-08-28  Markus Friedl
    move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@

2001-08-28  Markus Friedl
    check for malloc/strdup == NULL

2001-08-28  Daniel Hartmeier
    Support ! operator in host parameter lists. Fixes PR system/2030.
    Reported by Kamil Andrusz <wizz@mniam.net>.

2001-08-28  Mike Frantzen
    Bump state timeouts and allow tweaking them from pfctl.
    (The state timeouts need some _serious_ tuning)

2001-08-26  Theo de Raadt
    sort keywords

2001-08-25  Mike Frantzen
    PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.

2001-08-23  Todd C. Miller
    o for a port_item, initialize the "next" pointer to NULL
    o for an address, use calloc() instead of malloc() so the struct is
      zeroed
    Fixes a SEGV in pfctl due to uninitialized "next" pointers.

2001-08-23  Theo de Raadt
    Support var="string". Expansion (at lex time) done using $var, for
    instance:
        okproto="{ssh, smtp, domain, auth}"
        pass in on key0 proto tcp from any to any port $okproto keep state
    Can I ask someone else to document this in pf.conf(5)?

2001-08-23  Theo de Raadt
    KNF

2001-08-23  Theo de Raadt
    for -s all, do not error out when the first ioctl fails

2001-08-22  Bob Beck
    ftp-proxy

2001-08-19  Theo de Raadt
    do not spin if no states are found

2001-08-19  Daniel Hartmeier
    Document per-rule byte counter.

2001-08-19  Daniel Hartmeier
    Add per-rule byte counter, so mickey can do accounting. We're counting
    the data part (without IP and TCP/UDP/ICMP headers), like the state
    counter does.

2001-08-19  Daniel Hartmeier
    Document per-rule statistics. If the evaluation counters look funny,
    think skip steps.