Age | Commit message | Author |
|
ok mcbride henning
|
|
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok
|
|
reminded by jmc, ok deraadt
|
|
includes:
- simplify -a syntax
- change an anchor example to mention authpf, which is more useful
- document "pfctl -a anchor -vsA" for showing anchors recursively
ok dhartmei jmc henning
|
|
|
|
spotted by Tamas Tevesh, via dhartmei@;
also, add -o to usage(), and note that /ruleset is now the correct syntax,
not :ruleset;
ok dhartmei@
|
|
From Chris Pascoe.
ok dhartmei@
|
|
- remove identical and subsetted rules
- when advantageous, merge rules w/ similar addresses into a table and one rule
- re-order rules to improve skip step performance (can do better w/ kernel mods)
- 'pfctl -oo' will load the currently running ruleset and use it as a profile
to direct the optimization of quicked rules
ok henning@ mcbride@. man page help from jmc@
|
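Illustration added to this log entry, not pfctl's own code: a toy model in C of two of the optimizer passes listed above (dropping identical or subsetted rules, and merging rules that differ only in source address into one rule backed by a table). The rule structure, the sample ruleset and the grouping of neighbouring rules by action and quick flag are assumptions of the example; the real optimizer compares every rule field and also does the skip-step reordering and the -oo profiling, which this does not show.

```c
#include <stdint.h>
#include <string.h>

/* Added illustration, not pfctl's optimizer: a toy model of two passes the
 * commit lists (drop identical/subsetted rules; merge rules differing only in
 * source address into one rule with a table). Rules carry only action, quick,
 * proto and IPv4 src/dst prefixes; the real code compares every field. */
#define MAXSRC 8
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

struct prefix { uint32_t addr; int len; };
struct rule {
    int action, quick, proto;   /* action: 0 block, 1 pass; proto: 0 any, 6 tcp, 17 udp */
    struct prefix src[MAXSRC];
    int nsrc;                   /* > 1 means "from <table>" after merging */
    struct prefix dst;
};

static uint32_t mask(int len) { return len == 0 ? 0 : 0xffffffffu << (32 - len); }

/* a contains b when a is no more specific than b and they agree on a's bits */
static int pfx_contains(struct prefix a, struct prefix b)
{
    return a.len <= b.len && ((a.addr ^ b.addr) & mask(a.len)) == 0;
}

/* Rules are only dropped or merged against neighbours with the same action and
 * quick flag: inside such a block it does not matter which rule matches. */
static int same_block(const struct rule *a, const struct rule *b)
{
    return a->action == b->action && a->quick == b->quick;
}

/* r2 is redundant given r1 when every packet matching r2 also matches r1 */
static int subsumes(const struct rule *r1, const struct rule *r2)
{
    if ((r1->proto != 0 && r1->proto != r2->proto) || r1->nsrc != 1 || r2->nsrc != 1)
        return 0;
    return pfx_contains(r1->dst, r2->dst) && pfx_contains(r1->src[0], r2->src[0]);
}

/* Pass 1: drop rules identical to, or a subset of, an earlier rule in the block */
int remove_redundant(struct rule *r, int n)
{
    int i, j, out = 0;
    for (j = 0; j < n; j++) {
        int dead = 0;
        for (i = out - 1; i >= 0 && same_block(&r[i], &r[j]); i--)
            if (subsumes(&r[i], &r[j])) { dead = 1; break; }
        if (!dead)
            r[out++] = r[j];
    }
    return out;
}

/* Pass 2: fold rules that differ only in src into one rule with a src table */
int merge_into_tables(struct rule *r, int n)
{
    int i, j, out = 0;
    for (j = 0; j < n; j++) {
        int merged = 0;
        for (i = out - 1; i >= 0 && same_block(&r[i], &r[j]); i--) {
            if (r[i].proto == r[j].proto && r[i].dst.addr == r[j].dst.addr &&
                r[i].dst.len == r[j].dst.len && r[i].nsrc + r[j].nsrc <= MAXSRC) {
                memcpy(&r[i].src[r[i].nsrc], r[j].src, r[j].nsrc * sizeof(struct prefix));
                r[i].nsrc += r[j].nsrc;
                merged = 1;
                break;
            }
        }
        if (!merged)
            r[out++] = r[j];
    }
    return out;
}

/* Constructed sample ruleset, not taken from any real pf.conf */
static const struct rule sample[] = {
    { 1, 0, 6,  {{ IP(10,0,0,0), 8 }},      1, { IP(192,168,1,0), 24 } },
    { 1, 0, 6,  {{ IP(10,1,0,0), 16 }},     1, { IP(192,168,1,0), 24 } }, /* subset of 0 */
    { 1, 0, 6,  {{ IP(10,0,0,0), 8 }},      1, { IP(192,168,1,0), 24 } }, /* same as 0 */
    { 1, 0, 17, {{ IP(172,16,0,0), 12 }},   1, { IP(192,168,1,0), 24 } },
    { 0, 0, 0,  {{ 0, 0 }},                 1, { 0, 0 } },               /* block: new block */
    { 1, 0, 6,  {{ IP(192,0,2,0), 24 }},    1, { IP(192,168,1,0), 24 } },
    { 1, 0, 6,  {{ IP(198,51,100,0), 24 }}, 1, { IP(192,168,1,0), 24 } }, /* merges with 5 */
};

struct summary { int before, after_dedup, after_merge, last_nsrc; };
struct summary run_sample(void)
{
    struct rule r[16];
    struct summary s;
    memcpy(r, sample, sizeof sample);
    s.before = (int)(sizeof sample / sizeof sample[0]);
    s.after_dedup = remove_redundant(r, s.before);
    s.after_merge = merge_into_tables(r, s.after_dedup);
    s.last_nsrc = r[s.after_merge - 1].nsrc;
    return s;
}
```

run_sample() is the entry point to call from a main(): on the constructed ruleset the seven rules become five after the redundancy pass and four after the table merge, with the last rule carrying two source prefixes. The property that keeps this safe is stated in same_block(): a rule is only ever removed or merged against neighbours with identical action and quick flag, because under pf's last-match semantics deleting a "redundant" rule across such a boundary could change which action a packet receives.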
|
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged about it regularly.
help & ok mcbride@
|
|
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@
|
|
ok canacar@ mcbride@
|
|
|
|
ok beck@ claudio@
|
|
|
|
Reported by James J. Lippard. ok otto@
|
|
|
|
keyword in C++. ok henning@, cedric@
|
|
|
|
From: Andrey Matveev <andrushock@korovino.net>
|
|
the parser now needs quotes around paths containing separators.
ok mcbride@
|
|
|
|
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@
|
|
From: Jared Yanovich <phirerunner@comcast.net>
|
|
sequence numbers by taking advantage of the maximum 1KHz clock as an upper bound
on the timestamp. Typically gains 10 to 18 bits of additional security against
blind data insertion attacks. More if the TS Echo wasn't optional :-(
Enabled with: scrub on !lo0 all reassemble tcp
ok dhartmei@. documentation help from jmc@
|
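Added illustration, not pf's code: a simplified model in C of the bound this entry describes. It assumes a peer timestamp clock of at most 1000 Hz (so the TS value can advance by at most one per elapsed millisecond), a fixed slack of 100 ms for jitter and reordering, and a constructed packet sequence; the bit counts it reports come from that model, not from pf's measurements or the 10 to 18 bits quoted above.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not pf's code. Assumption: the peer's TS clock ticks at
 * most 1000 times per second, so in 'elapsed' milliseconds the TS value can
 * advance by at most 'elapsed'. TS_SLACK_MS is an assumed allowance for jitter
 * and reordering. */
#define TS_SLACK_MS 100

struct ts_state {
    int valid;
    uint32_t last_tsval;    /* highest TS value seen from the peer */
    uint32_t last_seen_ms;  /* our clock (ms) when it was seen */
};

/* Signed difference that survives 32-bit wraparound, like TCP sequence compares */
static int32_t ts_diff(uint32_t a, uint32_t b) { return (int32_t)(a - b); }

/* Returns 1 if tsval is within the window the real peer could produce, 0 if the
 * segment should be dropped as probable blind insertion. Accepted segments
 * that advance the timestamp update the state. */
int ts_check(struct ts_state *st, uint32_t tsval, uint32_t now_ms)
{
    int32_t d;

    if (!st->valid) {
        st->valid = 1; st->last_tsval = tsval; st->last_seen_ms = now_ms;
        return 1;
    }
    d = ts_diff(tsval, st->last_tsval);
    /* upper bound: at most one tick per ms since last_seen_ms, plus slack */
    if (d > (int32_t)((now_ms - st->last_seen_ms) + TS_SLACK_MS))
        return 0;
    /* lower bound: far behind what we already saw is stale (PAWS-style) */
    if (d < -(int32_t)TS_SLACK_MS)
        return 0;
    if (d > 0) { st->last_tsval = tsval; st->last_seen_ms = now_ms; }
    return 1;
}

/* Rough size of the guessing problem a blind attacker faces: the 32-bit TS
 * space divided by the accepted window, as a bit count (floor of log2). */
int ts_guess_bits(uint32_t elapsed_ms)
{
    uint32_t window = elapsed_ms + 2 * TS_SLACK_MS;
    int bits = 32;

    while (window > 1) { window >>= 1; bits--; }
    return bits;
}

struct demo { int legit, forged_ahead, forged_stale, wrapped, bits; };

/* Constructed scenario: state seeded at t=10000 ms with TS 500000 from the peer */
struct demo run_demo(void)
{
    struct ts_state st = { 0 };
    struct demo d;

    ts_check(&st, 500000, 10000);
    d.legit        = ts_check(&st, 500180, 10200);  /* 180 ticks in 200 ms: fine */
    d.forged_ahead = ts_check(&st, 612345, 10250);  /* attacker guessed far ahead */
    d.forged_stale = ts_check(&st, 480000, 10250);  /* attacker replayed an old value */
    d.bits         = ts_guess_bits(250);

    /* TS clock wrapping past 2^32 must not be mistaken for a jump backwards */
    struct ts_state w = { 0 };
    ts_check(&w, 0xfffffff0u, 0);
    d.wrapped = ts_check(&w, 0x00000010u, 50);
    return d;
}

int main(void)
{
    struct demo d = run_demo();
    printf("legit=%d forged_ahead=%d forged_stale=%d wrapped=%d guess_bits=%d\n",
        d.legit, d.forged_ahead, d.forged_stale, d.wrapped, d.bits);
    return 0;
}
```

The point of the model is the shape of the window: its upper edge grows only with the time since the last accepted segment, so an attacker who does not see the connection has to hit a few hundred or thousand values out of 2^32 on top of guessing the sequence number, and ts_diff() keeps that comparison correct across timestamp wraparound.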
|
queue to show the state.
requested by "Alexey E. Suslikov" <cruel@texnika.com.ua>
ok henning@
|
|
- fix a bug in HFSC that does not take the newly added
queue into account when computing the bandwidth for
admission control.
- warn when the sum of the child bandwidth exceeds
parent's bandwidth for both CBQ and HFSC.
- allow 0bps to be explicitly specified as bandwidth.
HFSC can have only the real-time sc, and it means
a blackhole queue for CBQ.
problem reports by "Alexey E. Suslikov" <cruel@texnika.com.ua>
ok henning@
|
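Added illustration, not ALTQ's or pfctl's code: a model in C of the admission check this entry fixes, with the buggy form (summing the siblings without the queue being added) next to the corrected one, the child-versus-parent warning pass, and a 0bps queue. Queue names and bandwidths are constructed for the example, and the exact shape of the original bug is an assumption drawn from the description above.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not the ALTQ/pfctl code: a model of the admission check
 * the commit describes. Queues are listed in the order they are added; each has
 * a parent (-1 = root) and a bandwidth in bits/s, where 0 is legal (HFSC with
 * only a real-time curve, or a CBQ blackhole queue). */
struct queue { const char *name; int parent; uint64_t bw; };

/* Bandwidth already committed to q[idx]'s siblings (queues added before it) */
static uint64_t siblings_bw(const struct queue *q, int idx)
{
    uint64_t sum = 0;
    for (int i = 0; i < idx; i++)
        if (q[i].parent == q[idx].parent)
            sum += q[i].bw;
    return sum;
}

/* Modelled bug: the queue being admitted is left out of the sum it must fit into */
int admit_buggy(const struct queue *q, int idx)
{
    int p = q[idx].parent;
    return p < 0 || siblings_bw(q, idx) <= q[p].bw;
}

/* Fixed: the new queue's own bandwidth counts against the parent */
int admit_fixed(const struct queue *q, int idx)
{
    int p = q[idx].parent;
    return p < 0 || siblings_bw(q, idx) + q[idx].bw <= q[p].bw;
}

/* Ruleset-wide warning pass (CBQ and HFSC alike): how many parents are oversubscribed */
int check_tree(const struct queue *q, int n)
{
    int warnings = 0;
    for (int p = 0; p < n; p++) {
        uint64_t sum = 0;
        for (int i = 0; i < n; i++)
            if (q[i].parent == p)
                sum += q[i].bw;
        if (sum > q[p].bw) {
            fprintf(stderr, "warning: children of %s want %llu bps, parent has %llu bps\n",
                q[p].name, (unsigned long long)sum, (unsigned long long)q[p].bw);
            warnings++;
        }
    }
    return warnings;
}

/* Constructed sample: a 10 Mbps root whose children end up asking for 11 Mbps */
static const struct queue sample[] = {
    { "root_if", -1, 10000000 },
    { "web",      0,  6000000 },
    { "ssh",      0,  3000000 },
    { "rt_only",  0,        0 },   /* 0bps: legal, HFSC real-time curve only */
    { "bulk",     0,  2000000 },   /* the newly added queue that overflows the parent */
};
#define NSAMPLE ((int)(sizeof sample / sizeof sample[0]))

struct admission { int zero_ok, buggy_ok, fixed_ok, warnings; };

struct admission run_admission(void)
{
    struct admission a;
    a.zero_ok  = admit_fixed(sample, 3);   /* 9 Mbps + 0 <= 10 Mbps: admitted */
    a.buggy_ok = admit_buggy(sample, 4);   /* 9 Mbps <= 10 Mbps: wrongly admitted */
    a.fixed_ok = admit_fixed(sample, 4);   /* 11 Mbps > 10 Mbps: rejected */
    a.warnings = check_tree(sample, NSAMPLE);
    return a;
}

int main(void)
{
    struct admission a = run_admission();
    printf("0bps queue admitted=%d, overflowing queue admitted: buggy=%d fixed=%d, warnings=%d\n",
        a.zero_ok, a.buggy_ok, a.fixed_ok, a.warnings);
    return 0;
}
```

The buggy variant lets "bulk" through because it checks the siblings' 9 Mbps against the 10 Mbps parent without adding the 2 Mbps being requested; the fixed variant rejects it, the 0bps queue is accepted either way, and check_tree() reports the one oversubscribed parent.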
|
|
|
|
|
|
|
Found by Mike Wolman, ok dhartmei@ mcbride@
|
|
|
|
|
|
pointed out by David Hill <davidh at wmis dot net>
|
|
ok henning@ cedric@
|
|
|
|
|
|
ok pb deraadt
|
|
ok mcbride@ pb@ dhartmei@
|
|
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@
|
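Added illustration, not pfctl's parse.y: a miniature in C of the yylex() fragment quoted above, with an allocation counter so the leak is visible without a tool like valgrind. The keyword list, token names and sample input are invented for the example; the "parser" is a loop that frees exactly the STRING payloads, as the grammar actions do, so whatever is still allocated at end of input is the leak.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not pfctl's parse.y: a miniature of the yylex() pattern
 * in the commit, instrumented so the leak is countable. Token names and the
 * keyword list are invented for the example. */
enum { END = 0, STRING = 258, PASS, IN, ON, FROM, TO, ANY };

static const struct { const char *word; int token; } keywords[] = {
    { "any", ANY }, { "from", FROM }, { "in", IN },
    { "on", ON }, { "pass", PASS }, { "to", TO },
};

/* Allocation accounting: every xstrdup must be matched by an xfree */
static int live_allocs;

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p == NULL) { perror("malloc"); exit(1); }
    memcpy(p, s, n);
    live_allocs++;
    return p;
}

static void xfree(char *p) { free(p); live_allocs--; }

/* Like parse.y's lookup(): keyword token if known, STRING otherwise */
static int lookup(const char *s)
{
    for (size_t i = 0; i < sizeof keywords / sizeof keywords[0]; i++)
        if (strcmp(keywords[i].word, s) == 0)
            return keywords[i].token;
    return STRING;
}

static char *yylval_string;   /* stand-in for yylval.v.string */

/* Copies the next space-separated word from *p into buf; 0 when input is exhausted */
static int next_word(const char **p, char *buf, size_t n)
{
    const char *s = *p;
    size_t i = 0;

    while (*s == ' ')
        s++;
    if (*s == '\0') { *p = s; return 0; }
    while (*s != '\0' && *s != ' ' && i < n - 1)
        buf[i++] = *s++;
    buf[i] = '\0';
    *p = s;
    return 1;
}

/* Before the fix: a copy for every token, though the grammar frees only STRING */
int yylex_leaky(const char **p)
{
    char buf[64];
    int token;

    if (!next_word(p, buf, sizeof buf))
        return END;
    token = lookup(buf);
    yylval_string = xstrdup(buf);
    return token;
}

/* After the fix: allocate only when the token actually carries a string */
int yylex_fixed(const char **p)
{
    char buf[64];
    int token;

    if (!next_word(p, buf, sizeof buf))
        return END;
    token = lookup(buf);
    if (token == STRING)
        yylval_string = xstrdup(buf);
    return token;
}

/* Stand-in for the grammar actions: consume tokens and free the payload of each
 * STRING, as parse.y's rules do. Returns allocations still live at EOF (0 = no leak). */
int parse_and_count_leaks(const char *input, int (*lex)(const char **))
{
    const char *p = input;
    int token;

    live_allocs = 0;
    while ((token = lex(&p)) != END)
        if (token == STRING)
            xfree(yylval_string);
    return live_allocs;
}

/* Constructed input: seven keywords and one STRING ("em0") */
const char *SAMPLE_RULE = "pass in on em0 from any to any";

int main(void)
{
    printf("leaky lexer: %d allocation(s) leaked\n", parse_and_count_leaks(SAMPLE_RULE, yylex_leaky));
    printf("fixed lexer: %d allocation(s) leaked\n", parse_and_count_leaks(SAMPLE_RULE, yylex_fixed));
    return 0;
}
```

On the sample line the leaky lexer leaves seven copies behind, one per keyword token, and the fixed one leaves none. Multiply by the number of tokens in a large ruleset, or by repeated reloads from a long-running process, and the same pattern turns into steady memory growth, which is why a leak per token in a parser is worth fixing even when each allocation is tiny.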
|
|
|
ok henning@, cedric@
|
|
OS fingerprints and a list of interface drivers...
cedric deraadt ok
|
|
|
|
|
|
Ok mcbride@ pb@
|
|
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.
ok cedric@ henning@
|
|
|
|
ok cedric@ henning@
|
|
ok dhartmei@ markus@ mcbride@
|
|
Kernel/Userland Sync needed. ok dhartmei@ jmc@ markus@ mcbride@
|