Age | Commit message | Author
single table causing a ruleset load error and eventually a double-free.
bug report and testing from martin{AT}spamcop net
the table calls fails and the optimizer is gonna bomb out
also, spelling while i'm in here;
from joel knight;
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan
fix some cut-n-paste mayhem in other related checks.
pfvar.h. builds kernel and userland.
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.
ok deraadt@ henning@ dhartmei@
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.
ok deraadt@ henning@ dhartmei@
keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)
allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.
ok deraadt@ dhartmei@
reported by Alexey E. Suslikov, ok henning@
ok mcbride henning
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok
reminded by jmc, ok deraadt
includes:
- simplify -a syntax
- change an anchor example to mention authpf, which is more useful
- document "pfctl -a anchor -vsA" for showing anchors recursively
ok dhartmei jmc henning
spotted by Tamas Tevesh, via dhartmei@;
also, add -o to usage(), and note that /ruleset is now the correct syntax,
not :ruleset;
ok dhartmei@
From Chris Pascoe.
ok dhartmei@
- remove identical and subsetted rules
- when advantageous merge rules w/ similar addresses into a table and one rule
- re-order rules to improve skip step performance (can do better w/ kernel mods)
- 'pfctl -oo' will load the currently running ruleset and use it as a profile
to direct the optimization of quicked rules
ok henning@ mcbride@. man page help from jmc@
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@
ok canacar@ mcbride@
ok beck@ claudio@
Reported by James J. Lippard. ok otto@
keyword in C++. ok henning@, cedric@
From: Andrey Matveev <andrushock@korovino.net>
the parser now needs quotes around paths containing separators.
ok mcbride@
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@
From: Jared Yanovich <phirerunner@comcast.net>
sequence numbers by taking advantage of the maximum 1KHz clock as an upper bound
on the timestamp. Typically gains 10 to 18 bits of additional security against
blind data insertion attacks. More if the TS Echo wasn't optional :-(
Enabled with: scrub on !lo0 all reassemble tcp
ok dhartmei@. documentation help from jmc@
queue to show the state.
requested by "Alexey E. Suslikov" <cruel@texnika.com.ua>
ok henning@
- fix a bug in HFSC that does not take the newly added
queue into account when computing the bandwidth for
admission control.
- warn when the sum of the child bandwidth exceeds
parent's bandwidth for both CBQ and HFSC.
- allow to explicitly specify 0bps to bandwidth.
HFSC can have only the real-time sc, and it means
a blackhole queue for CBQ.
problem reports by "Alexey E. Suslikov" <cruel@texnika.com.ua>
ok henning@
Found by Mike Wolman, ok dhartmei@ mcbride@
pointed out by David Hill <davidh at wmis dot net>
ok henning@ cedric@