Age | Commit message | Author |
|
ok mikeb henning
|
|
|
|
pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.
positive review and comments from claudio, ok henning, sperreault
|
|
void function instead.
ok dlg
|
|
by bzero()ing the 'struct pfsync' properly.
ok dlg mpf
|
|
2/2 from Lawrence Teo <lteo at devio dot us>
ok sthen dlg and myself
|
|
1/2 from Lawrence Teo <lteo at devio dot us>
ok sthen dlg myself and gcc
|
|
|
|
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@
|
|
|
|
ok henning, mcbride
|
|
ok henning
|
|
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt
|
|
attributes (this is now required by pf_rule_test()).
ok sthen henning
|
|
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading
|
|
- Did not include PF_SKIP_RDOM
- Changed order of address and ports.
|
|
been implicit for years now.
ok henning@
|
|
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.
Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing
ok bluhm; various previous versions ok henning, claudio, mpf, markus
|
|
|
|
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo
|
|
|
|
|
|
print that as flag then
|
|
ok mcbride@ henning@
|
|
has changed to conform with modern groff releases.
diff for route6d(8) written mostly by schwarze@, with lots of useful
advice from jmc@.
ok jmc@, schwarze@
|
|
This allows writing rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@
|
|
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.
|
|
"no priority" priority named "none". This makes 'pfctl -x none'
equivalent to 'pfctl -x crit'.
ok mcbride@ henning@
|
|
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@
|
|
From: Thomas Pfaff <tpfaff@tp76.info>
|
|
ok henning@ mcbride@
|
|
order and therefore an ntohs is needed to show the rdomain correctly.
OK henning@ dlg@
|
|
who decided to just do it on their own. henning, mcbride, jsing -- shame
on you -- if you had shown this diff to just 1 other network developer,
the astounding mistake in it would have been noticed. Start practicing
inclusionary development instead of going alone.
ok claudio
|
|
by mcbride@.
ok mcbride@ henning@
|
|
correctly. A zero address field is used to identify divert-reply
rules. If the rule's address family is unspecified, PF_AZERO()
always returns false. So use AF_INET6 as address family, to check
all bits of the address.
ok markus@
|
|
|
|
convert a long .Op line into a few lines of .Xo ... .Xc. no "binary" change
with mandoc.
|
|
by numeric ID in combination with the "-s rules" or "-s labels" options.
For example, this allows you to dump the statistics of a specified rule
only (pfctl -sr -v -R 0).
ok henning@
|
|
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (even though it would work,
technically)
ok ryan claudio dlg
|
|
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually
|
|
|
|
While here, remove .Xo macros that were ugly workarounds
to deal with groff-1.15 bugs, but are required neither by modern groff
nor by mandoc nor by any documentation we are aware of.
Problem originally noticed by jmc@ running mandoc -Tlint;
patch ok by jmc@.
|
|
worded. i think what is there now is clear enough.
|
|
- note that -f replaces the current ruleset
based on a diff from Anders Langworthy, but altered by mcbride and henning;
ok henning
|
|
|
|
written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!
ok henning@
|
|
to recursively print anchors with wildcards when not
requested via the command line but in practice only
applied to automatically generated inline anchors
(which don't have wildcards) or when recursion
was requested.
Found by the clang static analyser and behaviour explained
by mcbride@
ok henning@ mcbride@
|
|
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?
|
|
|
|
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.
tested by phessler
ok henning
|