Age | Commit message | Author | |
---|---|---|---|
2004-05-30 | various improvements and fixes from jared yanovich; | Jason McIntyre | |
2004-05-27 | plug memleak in error path | Henning Brauer | |
From: Andrey Matveev <andrushock@korovino.net> | |||
2004-05-21 | Use '/' instead of ':' as separator for anchor path components. Note that | Daniel Hartmeier | |
the parser now needs quotes around paths containing separators. ok mcbride@ | |||
2004-05-20 | bzero() ifr before use, From: Andrey Matveev <andrushock@korovino.net> | Henning Brauer | |
2004-05-19 | Allow recursive anchors (anchors within anchors, up to 64 | Daniel Hartmeier | |
levels deep). More work required, but this is already functional. authpf users will need to adjust their anchor calls, but this will change again soon. ok beck@, cedric@, henning@, mcbride@ | |||
2004-05-07 | typos | Henning Brauer | |
From: Jared Yanovich <phirerunner@comcast.net> | |||
2004-05-05 | Use RFC1323 PAWS timestamps as a logical extension to the conventional TCP | Mike Frantzen | |
sequence numbers by taking advantage of the maximum 1KHz clock as an upperbound on the timestamp. Typically gains 10 to 18 bits of additional security against blind data insertion attacks. More if the TS Echo wasn't optional :-( Enabled with: scrub on !lo0 all reassemble tcp ok dhartmei@. documentation help from jmc@ | |||
2004-04-27 | make "pfctl -vvsq" to print "No queue in use" and exit when there is no | Kenjiro Cho | |
queue to show the state. requested by "Alexey E. Suslikov" <cruel@texnika.com.ua> ok henning@ | |||
2004-04-26 | do more careful altq bandwidth checking. | Kenjiro Cho | |
- fix a bug in HFSC that does not take the newly added queue into account when computing the bandwidth for admission control. - warn when the sum of the child bandwidth exceeds parent's bandwidth for both CBQ and HFSC. - allow to explicitly specify 0bps to bandwidth. HFSC can have only the real-time sc, and it means a blackhole queue for CBQ. problem reports by "Alexey E. Suslikov" <cruel@texnika.com.ua> ok henning@ | |||
2004-04-24 | Add "probability xxx" rule modifier. ok deraadt@ | Cedric Berger | |
2004-04-22 | typo, From: Jared Yanovich <jjy2+@pitt.edu> | Henning Brauer | |
2004-04-14 | make antispoof work with dynamic addresses. ok dhartmei@ mcbride@ | Cedric Berger | |
2004-04-14 | Better interface filtering. vlan1 should not match vlan19. | Cedric Berger | |
Found by Mike Wolman, ok dhartmei@ mcbride@ | |||
2004-04-09 | Do not try to load directories. found+ok mpech@ | Cedric Berger | |
2004-03-20 | spelling fix; ok dhartmei@ henning@ deraadt@ | David Krause | |
2004-03-20 | make pfctl -s osfp work and remove -o option from manpage; ok deraadt@ | David Krause | |
pointed out by David Hill <davidh at wmis dot net> | |||
2004-03-15 | cast %llu arguments to unsigned long long, from Max Laier, | Daniel Hartmeier | |
ok henning@ cedric@ | |||
2004-03-14 | #include fixes, from Max Laier, ok beck@ henning@ | Daniel Hartmeier | |
2004-03-10 | Actually use SRCS+= so that we don't have a wrapped line. | Ryan Thomas McBride | |
2004-03-10 | plug 3 memory leaks; 2 from andrushock, 1 by me | Henning Brauer | |
ok pb deraadt | |||
2004-03-08 | plug 124 memory leaks | Henning Brauer | |
ok mcbride@ pb@ dhartmei@ | |||
2004-03-06 | from bgpd: | Henning Brauer | |
plug a memory leak in the lexer. the issue is this code fragment from yylex(): . token = lookup(buf); . yylval.v.string = strdup(buf); . if (yylval.v.string == NULL) . err(1, "yylex: strdup"); . return (token); lookup() tries to match buf against a list of keywords, and returns the associated token if it has a match, or the token STRING otherwise. STRING is the only token that needs (and free()s) yylval.v.string. however, we assigned memory for it with the strdup in yylex for each and every token. the fix is obviously only setting yylval.v.string when lookup() returns STRING. Patrick Latifi noticed that something was leaking with token handling, analysis and fix by me. ok deraadt@ | |||
2004-03-03 | no newline in errx, bad cedric; spotted by tedu | Theo de Raadt | |
2004-03-01 | support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt, | Daniel Hartmeier | |
ok henning@, cedric@ | |||
2004-02-27 | make pfctl -s all a bit more useful again by not printing a lllooooooottttt of | Henning Brauer | |
OS fingerprints and a list of interface drivers... cedric deraadt ok | |||
2004-02-26 | Fix/Simplify printing of titles with "pfctl -s all". ok mcbride@ | Cedric Berger | |
2004-02-26 | Fix pfctl -sa output. Found by David Krause, ok mcbride@ | Cedric Berger | |
2004-02-25 | Don't clear global stuff when an anchor is given in addition to -Fa. | Cedric Berger | |
Ok mcbride@ pb@ | |||
2004-02-24 | 'max-src-nodes' requires 'source-track rule'. Set that automatically, | Ryan Thomas McBride | |
unless 'source-track global' is explicit, in which case error out. Lots of help from cedric@. ok cedric@ henning@ | |||
2004-02-24 | fixup. | Cedric Berger | |
2004-02-24 | Check for 'source-track rule' with 'max-src-nodes'. | Ryan Thomas McBride | |
ok cedric@ henning@ | |||
2004-02-19 | Makes pfctl -ss and pfctl -sq use optional -i argument. | Cedric Berger | |
ok dhartmei@ markus@ mcbride@ | |||
2004-02-19 | Makes pfctl -Fs and pfctl -w work with the optional -i specifier. | Cedric Berger | |
Kernel/Userland Sync needed. ok dhartmei@ jmc@ markus@ mcbride@ | |||
2004-02-19 | now that qids are managed entirely in the kernel, the qid related code | Kenjiro Cho | |
is no longer needed in pfctl. ok, henning@ | |||
2004-02-17 | add -i flag, use it for -sI as a start. ok henning@, ok+test mcbride@ | Cedric Berger | |
2004-02-12 | - sort SYNOPSIS and options list | Jason McIntyre | |
- add -p to SYNOPSIS - uppercase start of sentence - sync usage() w/ SYNOPSIS | |||
2004-02-12 | add -p flag to specify the device - ok mcbride@, henning@ with no objections | Bob Beck | |
from deraadt@ | |||
2004-02-11 | Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon. | Cedric Berger | |
Fix "antispoof for foo" when foo has no addresses. ok+help dhartmei@, ok mcbride@ | |||
2004-02-10 | KNF | Daniel Hartmeier | |
2004-02-10 | KNF | Henning Brauer | |
2004-02-10 | lotsoflotsoflotsof KNF | Henning Brauer | |
and an off by one | |||
2004-02-10 | KNF | Henning Brauer | |
2004-02-10 | fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup | Henning Brauer | |
2004-02-10 | new kernel reports enabled & disabled time - use that info. | Cedric Berger | |
ok henning@ mcbride@ | |||
2004-02-05 | pfctl_update_qstats() returns -1 on error and the # of queues otherwise | Henning Brauer | |
fix a check of the return value to cope with that inspired by PR3675 from Marc Huber <Marc.Huber@web.de>, fixed slightly different. | |||
2004-02-04 | Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state' | Ryan Thomas McBride | |
ok dhartmei@ henning@ | |||
2004-02-04 | Fix a number of bugs with setting pool limits which I introduced with | Ryan Thomas McBride | |
source-tracking. Found by Pyun YongHyeon. Also add support to pfctl to set the src-nodes pool limit. "Luckily" some of the bugs cancel each other out; update kernel before pfctl. ok dhartmei@ | |||
2004-02-03 | fix PR 3664 / jared r r spiegel | Henning Brauer | |
we need to save the unexpanded tag/tagged strings before entering the expansion loop, and at each loop, start with the unexpanded tag, so that on subsequent loops the macros are replaced with current values and not the values from previous loop persist ryan theo ok | |||
2004-02-03 | bring back this fluffy change, of course without the bug: | Henning Brauer | |
== to parse v4 addresses, only use inet_net_pton when we find a /, otherwise use inet_pton. helps bob who likes to type 1.2 3.4 instead of 1.2.3.4 and wonders why this results in two addresses. PR3638, bob ok == make sure bits is either 32 or what inet_net_pton tells us, and always call set_ipmask to mask the boring bits away ok dhartmei@ mcbride@ david@ | |||
2004-01-29 | Clean up 'pfctl -s all' output. | Ryan Thomas McBride | |
ok deraadt@ henning@ |