path: root/sbin/pfctl
| Age | Commit message | Author |
|---|---|---|
| 2002-01-11 | use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok | Michael Shalayeff |
| 2002-01-10 | Let port 0 be specified as it's not special here. Agreement with Daniel and others. | Hugh Graham |
| 2002-01-09 | Port must be >0 and <=65535. Idea while have fun with ssh. dhartmei@ ok | Mike Pechkin |
| 2002-01-09 | free() 'interface' in {nat,binat,rdr}rule; dhartmei@ ok | Mike Pechkin |
| 2002-01-09 | Add labels to rules. These are arbitrary names (not to be confused with tags that will be used to tag packets later on). Add pfctl -z to clear per-rule counters. Add pfctl -s labels to output per-rule counters in terse format and only for rules that have labels. Suggested by Henning Brauer. | Daniel Hartmeier |
| 2002-01-08 | Add "no nat/rdr/binat" to nat.conf. The first matching rule applies. If it is a "no" rule, no translation occurs. Useful to exclude certain packets from translation. Suggested by Henning Brauer. | Daniel Hartmeier |
| 2002-01-07 | Next issue: af is always u_int8_t, not int; dhartmei@ ok | Mike Pechkin |
| 2002-01-07 | remove 3rd argument from ipmask(), not used. dhartmei@ ok | Mike Pechkin |
| 2002-01-06 | -x needs read-write access for DIOCSETDEBUG ioctl | Daniel Hartmeier |
| 2002-01-04 | check (p != NULL), not n. dhartmei@ ok | Mike Pechkin |
| 2001-12-31 | only open device for writing if we gonna modify anything | Michael Shalayeff |
| 2001-12-23 | find correct line number in lval, instead of val | Theo de Raadt |
| 2001-12-21 | Initial patch for a new mdoc issue. Powered by @mantoya: o) kill extra line in the end of file; o) kill extra space in the end of line; o) replace blank lines with .Pp; millert@ ok | Mike Pechkin |
| 2001-12-13 | o) start new sentence on a new line; o) wrap long lines; o) fix bogus .Xr usage; o) we don't like blank lines; o) always close .Bl tags; o) OpenBSD -> .Ox; o) don't like .Pp before .Ss; millert@ ok; | Mike Pechkin |
| 2001-12-10 | Convert usage of 'you' to third person. Reword some sentences. | Daniel Hartmeier |
| 2001-12-10 | Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on source/destination addresses/ports only. Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols. Destination and redirection port(s) are now optional for RDR rules. Not specifying destination port(s) means 'redirect all ports', not specifying redirection port(s) means 'redirect to the original port'. | Daniel Hartmeier |
| 2001-12-05 | Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234. | Daniel Hartmeier |
| 2001-12-03 | For nat, binat and rdr rules, don't allow different address families in one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work, even if they were falsely accepted before. | Daniel Hartmeier |
| 2001-12-01 | wipe print_nat()'s nose (use dnot correctly instead of snot). i need to start naming variables 'bugger'. yes, that's what i'll do | Mike Frantzen |
| 2001-11-26 | add fastroute options similar to what is found in ipf; ok dhartmei@, frantzen@ | jasoni |
| 2001-11-05 | no one responds. this diff makes } and { not be part of symbols | Theo de Raadt |
| 2001-10-24 | Check interface names using ifa0_lookup() and print error message for non-existent interfaces (instead of the generic ioctl error returned by the kernel in this case). | Daniel Hartmeier |
| 2001-10-24 | Use snot/dnot correctly in print_rdr. RDR rules with '!' used on the destination address were printed incorrectly before (though the rules worked correctly). | Daniel Hartmeier |
| 2001-10-15 | Add 'allow-opts' to rules. Packets with IP options will be blocked by default now, and can be allowed per rule. ok deraadt@ | Daniel Hartmeier |
| 2001-10-11 | Don't htonl() past buffer bounds if ipmask == 128 | Mike Frantzen |
| 2001-10-11 | Corrections from Brian J. Kifiak. | Daniel Hartmeier |
| 2001-10-07 | Add interface name to address translation to pfctl, document it and add a regress test. Translation is done on rule set load-time only, so the rule sets must be reloaded when an interface address changes. parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher. Thanks to both. | Daniel Hartmeier |
| 2001-10-04 | Honour -v flag when printing states, print only one line per state when non-verbose. Suggested by gwyllion@ace.ulyssis.org. | Daniel Hartmeier |
| 2001-10-02 | Remove duplication from simultaneous commits | Mike Frantzen |
| 2001-10-02 | Typo fixes (thanks gwyllion@ace.ulyssis.org) | Mike Frantzen |
| 2001-10-02 | 'pfctl -O foo' dumped core. A check was there, but didn't work. | Daniel Hartmeier |
| 2001-10-01 | print variable assignments only if -v is given. ok dhartmei/deraadt | Markus Friedl |
| 2001-10-01 | Print error message when pfctl -N/-R can't open the specified file (instead of failing silently). Found by niklas@. | Daniel Hartmeier |
| 2001-09-30 | Selectable preset FSM optimizations for several network environments. Thanks to everyone who sent me packet captures! | Mike Frantzen |
| 2001-09-28 | Support underscores in macro names and document it in the man page. | Daniel Hartmeier |
| 2001-09-22 | remove debug printf | Theo de Raadt |
| 2001-09-20 | Fix uninitialized structure fields. Problem reported by Cedric Berger. | Daniel Hartmeier |
| 2001-09-15 | Implement return-icmp(number), return-icmp6(number). Differentiate between return-icmp and return-icmp6, icmp-type and ipv6-icmp-type. ok dhartmei@ | Peter Stromberg |
| 2001-09-15 | ICMP6_DST_UNREACH_NOROUTE <-> _ADMIN, reported by Wouter Coene. | Daniel Hartmeier |
| 2001-09-15 | Fix 'binat ... to any ...' (binat.af wasn't set). | Daniel Hartmeier |
| 2001-09-15 | Parse bug, found by wilfried@ | Daniel Hartmeier |
| 2001-09-15 | IPv6 support from Ryan McBride (mcbride@countersiege.com) | Mike Frantzen |
| 2001-09-12 | check calloc() return value | Markus Friedl |
| 2001-09-06 | - you can only binat between hosts - add binat example and description | jasoni |
| 2001-09-06 | 1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@ | jasoni |
| 2001-09-06 | Initial idea from aaron@: Last char of .Xr group in SEE ALSO section should be a single digit. Powered by mantoya@. millert@ ok. | Mike Pechkin |
| 2001-09-04 | Support parameter lists {} for interfaces in filter rules, like pass in on { gm0, kue0 } from any to any | Daniel Hartmeier |
| 2001-09-02 | Print rule numbers zero-based. Noted by primus@gblx.net. | Daniel Hartmeier |
| 2001-08-28 | move '!' from host_list to host: "xhost : '!' host \| host;"; ok dhartmei@ | Markus Friedl |
| 2001-08-28 | check for malloc/strdup == NULL | Markus Friedl |