summaryrefslogtreecommitdiff
path: root/sbin/pfctl
AgeCommit message (Collapse)Author
2004-12-15missing free()s; with patHenning Brauer
2004-12-14&&/|| inversion would try to merge IP addresses with non-addresses into aMike Frantzen
single table causing a ruleset load error and eventually a double-free. bug report and testing from martin{AT}spamcop net
2004-12-14add two warn() calls to make sure a warning message gets printed if one ofMike Frantzen
the table calls fails and the optimizer is gonna bomb out
2004-12-13sync authpf anchor syntax;Jason McIntyre
also, spelling while i'm in here; from joel knight;
2004-12-10allow pf to filter on route labelsHenning Brauer
pass in from route dtag keep state queue reallyslow tested by Gabriel Kihlman <gk@stacken.kth.se> and Michael Knudsen <e@molioner.dk> and ryan ok ryan
2004-12-08Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,Ryan Thomas McBride
fix some cut-n-paste mayhem in other related checks.
2004-12-07re-commit mcbride@'s 'flush global', this time without the breakage inDaniel Hartmeier
pfvar.h. builds kernel and userland.
2004-12-07real backoutTheo de Raadt
2004-12-07oops, incomplete backoutTheo de Raadt
2004-12-07tree does not compile, spotted by dlg (not obvious how to fix)Theo de Raadt
---- Change the default for 'overload <table> flush' to flush only states from the offending source created by the rule. 'flush global' flushes all states originating from the offending source. ABI change, requires kernel and pfctl to be in sync. ok deraadt@ henning@ dhartmei@
2004-12-07Change the default for 'overload <table> flush' to flush only states from theRyan Thomas McBride
offending source created by the rule. 'flush global' flushes all states originating from the offending source. ABI change, requires kernel and pfctl to be in sync. ok deraadt@ henning@ dhartmei@
2004-12-05initialize $$->tail and $$->next for MAXSRCCONNRATEDaniel Hartmeier
2004-12-04Userland support for limiting open tcp connections per source. eg:Ryan Thomas McBride
keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush) allow a maximum of 1000 open connections or 100 new connections in 10 seconds. The addresses of offenders are added to the <bad> table which can be used in the ruleset, and existing states from that host are flushed. ok deraadt@ dhartmei@
2004-11-09do not assume entries in pf_timeouts[] are ordererd like PFTM_* in pfvar.hDaniel Hartmeier
reported by Alexey E. Suslikov, ok henning@
2004-09-30print invalid hostmask when refusing it, ok deraadt@Daniel Hartmeier
2004-09-27anchor rules referencing anchors using slashes may need quotes.Jared Yanovich
ok mcbride henning
2004-09-21Implement "no scrub" to allow exclusion of specific traffic from scrub rules.Aaron Campbell
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok
2004-08-26sync usage for -aJared Yanovich
reminded by jmc, ok deraadt
2004-08-26update w.r.t. recursive anchorsJared Yanovich
includes: - simplify -a syntax - change an anchor example to mention authpf, which is more useful - document "pfctl -a anchor -vsA" for showing anchors recursively ok dhartmei jmc henning
2004-08-08spacingTheo de Raadt
2004-07-23- make SYNOPSIS and usage() clear that -t precedes -T;Jason McIntyre
spotted by Tamas Tevesh, via dhartmei@; also, add -o to usage(), and note that /ruleset is now the correct syntax, not :ruleset; ok dhartmei@
2004-07-19print the correct labels when displaying timeouts with pfctl (eg, pfctl -st).David Gwynne
From Chris Pascoe. ok dhartmei@
2004-07-16'pfctl -o' ruleset optimizer that doesnt change the meaning of the final rulesetMike Frantzen
- remove identical and subsetted rules - when advantageous merge rules w/ similar addresses into a table and one rule - re-order rules to improve skip step performance (can do better w/ kernel mods) - 'pfctl -oo' will load the currently running ruleset and use it as a profile to direct the optimization of quicked rules ok henning@ mcbride@. man page help from jmc@
2004-06-29remove cedric's bogus interface name verification code.Henning Brauer
this was meant to verify that ne3 is a valid interface that could show up, but bogus0 is not. while this might sound like a good idea it is completely broken and causes a shitload of problems. just allow for anything as interface name, the kernel abstracts that nice enough. if no interface by that name exists (or shows up) the rule never matches; that matches pf semantics used everywhere else. this also fixes the "pfctl always has to run as root" issue that cedric did not fix over the last 6 months despite being bugged to regularily. help & ok mcbride@
2004-06-29convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk intoMike Frantzen
a interface name's slack space past the \0. will be needed for the optimizer. ok henning@
2004-06-26add back PF_INOUT, fixes reassemble tcpDavid Krause
ok canacar@ mcbride@
2004-06-25repair tree nanobreak by the nanobumTheo de Raadt
2004-06-21Update manpage to reflect changes in anchor namingMathieu Sauve-Frankel
ok beck@ claudio@
2004-06-14Remove unused functions. ok beck@ henning@Cedric Berger
2004-06-12Fix table add/replace commands with securelevel=2.Cedric Berger
Reported by James J. Lippard. ok otto@
2004-06-10Work around an uncovered gcc problem on m88k until it receives proper cure.Miod Vallat
2004-06-10rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reservedDaniel Hartmeier
keyword in C++. ok henning@, cedric@
2004-05-30various improvements and fixes from jared yanovich;Jason McIntyre
2004-05-27plug memleak in error pathHenning Brauer
From: Andrey Matveev <andrushock@korovino.net>
2004-05-21Use '/' instead of ':' as separator for anchor path components. Note thatDaniel Hartmeier
the parser now needs quotes around paths containing separators. ok mcbride@
2004-05-20bzero() ifr before use, From: Andrey Matveev <andrushock@korovino.net>Henning Brauer
2004-05-19Allow recursive anchors (anchors within anchors, up to 64Daniel Hartmeier
levels deep). More work required, but this is already functional. authpf users will need to adjust their anchor calls, but this will change again soon. ok beck@, cedric@, henning@, mcbride@
2004-05-07typosHenning Brauer
From: Jared Yanovich <phirerunner@comcast.net>
2004-05-05Use RFC1323 PAWS timestamps as a logical extension to the conventional TCPMike Frantzen
sequence numbers by taking advantage of the maximum 1KHz clock as an upperbound on the timestamp. Typically gains 10 to 18 bits of additional security against blind data insertion attacks. More if the TS Echo wasn't optional :-( Enabled with: scrub on !lo0 all reassemble tcp ok dhartmei@. documentation help from jmc@
2004-04-27make "pfctl -vvsq" to print "No queue in use" and exit when there is noKenjiro Cho
queue to show the state. requested by "Alexey E. Suslikov" <cruel@texnika.com.ua> ok henning@
2004-04-26do more careful altq bandwidth checking.Kenjiro Cho
- fix a bug in HFSC that does not take the newly added queue into account when computing the bandwidth for admission control. - warn when the sum of the child bandwidth exceeds parent's bandwidth for both CBQ and HFSC. - allow to explicitly specify 0bps to bandwidth. HFSC can have only the real-time sc, and it means a blackhole queue for CBQ. problem reports by "Alexey E. Suslikov" <cruel@texnika.com.ua> ok henning@
2004-04-24Add "probability xxx" rule modifier. ok deraadt@Cedric Berger
2004-04-22typo, From: Jared Yanovich <jjy2+@pitt.edu>Henning Brauer
2004-04-14make antispoof work with dynamic addresses. ok dhartmei@ mcbride@Cedric Berger
2004-04-14Better interface filtering. vlan1 should not match vlan19.Cedric Berger
Found by Mike Wolman, ok dhartmei@ mcbride@
2004-04-09Do not try to load directories. found+ok mpech@Cedric Berger
2004-03-20spelling fix; ok dhartmei@ henning@ deraadt@David Krause
2004-03-20make pfctl -s osfp work and remove -o option from manpage; ok deraadt@David Krause
pointed out by David Hill <davidh at wmis dot net>
2004-03-15cast %llu arguments to unsigned long long, from Max Laier,Daniel Hartmeier
ok henning@ cedric@
2004-03-14#include fixes, from Max Laier, ok beck@ henning@Daniel Hartmeier