summaryrefslogtreecommitdiff
path: root/sbin/pfctl
AgeCommit message (Collapse)Author
2006-11-07Only try to recursively print rules if they are actually anchors.Ryan Thomas McBride
2006-11-07Unbreak authpf by handling non-inline anchors separately from the { } anchorsRyan Thomas McBride
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards. Also fixes some nits with nesting and printing inline anchors. ok deraadt@
2006-11-05Don't open a transaction for a ruleset unless it's a brace ruleset thatRyan Thomas McBride
contains rules. Fixes DIOCXCOMMIT: Device busy when multiple anchors with the same name are specified. reported by ckuethe@ and mkb@crypt.org.ru
2006-11-01sync usage(); ok mcbrideJason McIntyre
2006-11-01tweaks;Jason McIntyre
2006-11-01Don't recures ALL the time.Ryan Thomas McBride
2006-11-01Document recursive printing of anchors via -a '*' or -a 'anchor/*'.Ryan Thomas McBride
2006-10-31Allow a user to recursively print anchors including those withoutRyan Thomas McBride
reserved names, if a trailing * is specified in the anchor name. e.g. recursively print the main ruleset: pfctl -a '*' -sr Recursively print the spam anchor: pfctl -a 'spam*' pfctl -a 'spam/*' Also fix a bug which prevented the contents of inline anchors with explicit names from being loaded into the kernel. ok henning@
2006-10-31Document new behaviour of the -o (ruleset optimization) flag.Ryan Thomas McBride
2006-10-31Allow pfctl ruleset optimizer to be controlled from the ruleset.Ryan Thomas McBride
"set" "ruleset-optimization" [ "none" | "basic" | "profile" ] You can optionally control ruleset optimization with these keywords on the command line with the -o option; the command line setting will override the pf.conf setting. The existing -o/-oo flags continue to work as expected. cleanup and ok henning@
2006-10-31- don't allow anchors with _* names to be cleared or loaded from theRyan Thomas McBride
command line (but they can still be viewed) - don't allow users to specify _* as an anchor name in the ruleset - don't print _* anchor names with pfctl -sA unless -v is specified 'looks sensible' deraadt@
2006-10-28Load all rules into memory before loading into the kernel, and add supportRyan Thomas McBride
for anchors loaded inline in pf.conf, enclosed in a brace-delimited block ("{" "}"). anchor on fxp0 { pass in proto tcp port 22 } The anchor name is optional on inline loaded anchors. testing ckuethe@ ok henning@ dhartmei@
2006-10-25make absolutely sure logif is 0 unless set specifically, even if log is 0.Henning Brauer
logif is to be considered invalid unless log is set, but we need this to please the optimizer...
2006-10-25teach the optimizer about logif, with & ok frantzenHenning Brauer
2006-10-25and another nit, $$.log should be set to 0 explicitely on quick without logHenning Brauer
2006-10-25urgs, $$.quick needs to be set to 0 explicitely on log (without quick)Henning Brauer
2006-10-25allow the log interface to be selected likeHenning Brauer
pass log(to pflog5) block out log(to pflog2) input & ok mcbride
2006-10-23no need to use "keep state" and "flags S/SA" in pf rules,Jason McIntyre
now that it is the default; ok henning mcbride camield (ftp-proxy bits) deraadt
2006-10-17Don't automatically set 'flags S/SA' on stateless rules.Ryan Thomas McBride
pointed out by david@ ok mpf@ dhartmei@
2006-10-11quotes around filename, pr 5253, sthen@zephyr.spacehopper.orgTheo de Raadt
2006-10-11Allow the 'quick' keyword on an anchor. IFF there is a matching rule insideRyan Thomas McBride
the anchor, terminate ruleset evaluation when stepping out of the anchor. This means that if you absolutely want the anchor to be terminal, you probably want to use a 'block all' or 'pass all' rule at the start of the anchor. ok dhartmei@ henning@ deraadt@
2006-10-06Print 'flags any' correctly and handle anchors.Ryan Thomas McBride
2006-10-06'no state' should only be printed on pass rules, though.Ryan Thomas McBride
2006-10-06Print out 'no state' when the rule is not stateful.Ryan Thomas McBride
2006-10-06Oops, flags S/SA doesn't work on fragments.Ryan Thomas McBride
2006-10-06Make 'flags S/SA keep state' the implicit for filter rules, based onRyan Thomas McBride
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options to disable flag matching and stateful filtering respectively. IMPORTANT NOTE: Current rulesets will continue to load, but the behaviour may be slightly changed as these defaults are more restrictive. If you are purposefully filtering statelessly ('no state') or have a requirement to create states on intermediate packets ('flags any') you should update your ruleset to make use of the new keywords to explicitly request the behaviour. Note that creation of states from intermediate packets in a connection is not recommended, and will increasingly cause problems as more OSs enable window scaling and increase buffer sizes by default. ok dhartmei@ deraadt@ henning@
2006-08-22back out -r1.497 (support for "tagged {}" lists), it broke "tagged" supportDaniel Hartmeier
for nat rules. sorry, existing functionality trumps syntactic sugar. feel free to resubmit a complete patch. closes PR 5207.
2006-08-08properly join host lists in ifa_grouplookup(), closes PR 5195,Daniel Hartmeier
reported by andrew fresh
2006-07-06add "rtable" to select alternate routing tables.Henning Brauer
with & ok claudio hshoexer
2006-06-30spacesTheo de Raadt
2006-06-17KNFHenning Brauer
2006-06-09Xo/Xc not needed here; from davidJason McIntyre
2006-05-28Make per-rule adaptive timeouts behave the same way as the global adaptiveRyan Thomas McBride
timeouts.
2006-05-28Enable adaptive timeouts by default, with adaptive.start of 60% of theRyan Thomas McBride
state limit and adaptive.end of 120% of the state limit. Explicitly setting the adaptive timeouts will override the default, and it can be disabled by setting both adaptive.start and adaptive.end to 0. ok henning@
2006-05-26\<char> is <char> except for \<newline> -- no exceptions. much like howTheo de Raadt
other things work. ok henning
2006-05-23member interfaces of groups might have no IPs and ifa_lookup retun NULL,Henning Brauer
account for that. fixes PR5130, ok dhartmei
2006-05-14better english to describe interfaces without bandwidth info; ok henningTheo de Raadt
2006-05-02fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, createDaniel Hartmeier
only bar under foo, not /bar as well. secondly, when using "load anchor from" from a sub-anchor, the loading point should be relative to the sub-anchor doing the load (unless absolute paths are used, of course). from Boris Polevoy. probably a -stable candidate.
2006-05-01add support for "tagged {}" lists, from Pierre-Yves RitschardDaniel Hartmeier
2006-04-24don't clear interface flags (set skip on) when -N/-F is used without -O,Daniel Hartmeier
from Jon Simola, ok henning@
2006-04-08Plug simple memory leak. ``Don't forget to free tcpopts when youRay Lai
are done.'' From NetBSD from Coverity CID 2057. OK henning@ and jaredy@
2006-04-08Remove a little bit of dead code; minburst is set to 2 earlier, andRay Lai
cannot be 0. From NetBSD from Coverity CID 577. OK henning@
2006-04-06allow lists inside lists for address specs, has been in my tree forHenning Brauer
quite some time... theo likes
2006-03-21instead of sizeof(array) / sizeof(element) computation, use the existingDaniel Hartmeier
end-of-array NULL marker, shuts up source analysis tool, from deraadt@
2006-03-14implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)Damien Miller
which optionally verifies that a packet is received on the interface that holds the route back to the packet's source address. This makes it an automatic ingress filter, but only when routing is fully symmetric. bugfix feedback claudio@; ok claudio@ and dhartmei@
2006-01-28zap unused functionHenning Brauer
From: Andrey Matveev <evol@online.ptt.ru>
2005-11-17for pfctl -f rules, open the file before resetting options. when openingDaniel Hartmeier
the file fails, produce only the error message and leave options unchanged. reported by Tamas TEVESZ, ok deraadt@
2005-11-12return; at end of function is dorkyTheo de Raadt
2005-11-04crank pf_state and pf_src_node byte and packet counters to u_in64_t, sinceRyan Thomas McBride
we're breaking pfsync compatibility this cycle anyways. Requested by djm@, ok henning@, 'wheee!' deraadt@
2005-10-18add support for static interface group expansion, i. e.Henning Brauer
pass to group ok hshoexer, hacked at linux-kongress last week