path: root/sbin/pfctl
Age | Commit message | Author
2010-12-01 | remove some unused tokens | Jonathan Gray
    ok henning@ mcbride@
2010-11-12 | The ioctl to show states returns a pfsync_state which is in network byte | Claudio Jeker
    order and therefore a ntohs is needed to show the rdomain correctly. OK henning@ dlg@
2010-10-18 | Revert non-compatible and undocumented bullshit committed by 3 developers | Theo de Raadt
    who decided to just do it on their own. henning, mcbride, jsing -- shame on you -- if you had shown this diff to just 1 other network developer, the astounding mistake in it would have been noticed. Start practicing inclusionary development instead of going alone. ok claudio
2010-10-17 | Add quirks support to operating system fingerprinting. tcpdump part | Joel Sing
    by mcbride@. ok mcbride@ henning@
2010-10-12 | pfctl -sr did not show divert-reply rules without address family | Alexander Bluhm
    correctly. A zero address field is used to identify divert-reply rules. If the rule's address family is unspecified, PF_AZERO() always returns false. So use AF_INET6 as address family, to check all bits of the address. ok markus@
2010-10-03 | tweak previous; | Jason McIntyre
2010-10-01 | the grammar of my last commit worked with mandoc, but didn't work with nroff; | Reyk Floeter
    convert a long .Op line into a few lines of .Xo ... .Xc. no "binary" change with mandoc.
2010-10-01 | Add the -R id option to pfctl that allows showing only a specified rule | Reyk Floeter
    by numeric ID in combination with the "-s rules" or "-s labels" options. For example, this allows you to dump the statistics of a specified rule only (pfctl -sr -v -R 0). ok henning@
2010-09-24 | remove the check that enforced rdr-to only inbound and nat-to only outbound. | Henning Brauer
    both now can be used in both directions. the kernel allowed that ever since we did the great NAT rewrite. still enforce that a direction is given, a rule with rdr-to and/or nat-to and no direction is pretty certainly an error (which it would work, technically). ok ryan claudio dlg
2010-09-22 | new log opt "matches" | Henning Brauer
    awesome for debugging, a rule like match log(matches) from $testbox will show you exactly which subsequent rules match on that packet. real ok theo, assumed oks ryan & dlg. bikeshedding many. implementation time ~1 min, bikeshedding about the keyword longish. i voted for "matches" since i like to play with matches. idea was theo's, actually
2010-09-20 | tweak previous; ok schwarze | Jason McIntyre
2010-09-19 | Do not break .Op scope by .Oc. | Ingo Schwarze
    While here, remove .Xo macros that were ugly workarounds to deal with groff-1.15 bugs, but are required neither by modern groff nor by mandoc nor by any documentation we are aware of. Problem originally noticed by jmc@ running mandoc -Tlint; patch ok by jmc@.
2010-09-17 | back out the -Fr hunk from previous: deraadt points out it is incorrectly | Jason McIntyre
    worded. i think what is there now is clear enough.
2010-09-16 | - note that -Fr puts the filter in a "pass all" state | Jason McIntyre
    - note that -f replaces the current ruleset
    based on a diff from Anders Langworthy, but altered by mcbride and henning; ok henning
2010-09-12 | spacing fix; | Jason McIntyre
2010-09-02 | remove trailing spaces and tabs; no binary change. | Igor Sobrado
    written with help from henning@, who suggested ensuring that there are no changes in the digests for object files, thanks! ok henning@
2010-08-11 | Fix a logic problem which could in theory cause pfctl | Jonathan Gray
    to recursively print anchors with wildcards when not requested via the command line, but in practice only applied to automatically generated inline anchors (which don't have wildcards) or when recursion was requested. Found by the clang static analyser and behaviour explained by mcbride@. ok henning@ mcbride@
2010-08-03 | fix linecount bug with comments spanning multiple lines | Henning Brauer
    problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
2010-07-13 | Fix (pflow) display in rule printing. Spotted by dhill@, ok henning@ | Stuart Henderson
2010-07-03 | Fix a couple of problems with printing of anchors, in particular recursive | Ryan Thomas McBride
    printing, both of inline anchors and when requested explicitly with a '*' in the anchor.
    - Correct recursive printing of wildcard anchors (recurse into child anchors rather than rules, which don't exist)
    - Print multi-part anchor paths correctly (pr6065)
    - Fix comments and prevent users from specifying multi-component names for inline anchors.
    tested by phessler ok henning
2010-07-03 | Use our own enum here rather than abusing the PF rule type enums, which | Ryan Thomas McBride
    will be getting cleaned up soon. ok henning
2010-07-01 | Fix 'pfctl -a anchor -Fa' segfault introduced in r1.298. | Stefan Sperling
    ok mcbride
2010-06-29 | Fix use after free. Found by regress tests. | Charles Longeau
    ok henning@ krw@
2010-06-28 | Clean up interface stats handling: | Ryan Thomas McBride
    - 'make -Fi' reset ALL the interface statistics; can be restricted with -i ifname
    - 'make -Fa -i ifname' fail (it's meaningless)
    - get rid of a silly little struct that's only used for one thing
    ok henning
2010-06-25 | remove -m (merge). | Henning Brauer
    it is violating the transactional model we have and made stronger in pf, it is broken in some cases and since some options are passed to the kernel while some are userland only and affect how the rules are parsed it is complete bullshit anyway - obviously, changing options that affect ruleset parsing without reloading and thus reparsing the ruleset cannot work. so stop pretending it could and cut the crap. ok dlg krw deraadt
2010-05-16 | plug memory leak. `ps' was allocated with strdup(3), but on error path | zinovik
    program does not free(3) it.
2010-04-02 | Use a dedicated variable to prevent attempting to open multiple | Stuart Henderson
    ALTQ transactions when anchors are loaded. Fixes pfctl when using 'load anchor ... from' as seen by beck@ and Toni Mueller, which stopped working after r1.295 removed loadopt (which was overloaded to do this job as well as indicate command-line flags). ok henning@
2010-03-23 | oops - i obviously missed -r1.142; | Jason McIntyre
2010-03-23 | remove -A, -O, -R and -T load | Henning Brauer
    the partial loading of a ruleset (leaving anchors aside) is wrong and conflicts with the general idea of how pf works. last not least it breaks with the optimizer generating tables automagically. ok deraadt sthen krw, manpage jmc
2010-03-22 | Following diff fixes memory leak. `debug' is allocated via asprintf(3) so we | Theo de Raadt
    need to free it with free(3). from zinovik
2010-03-18 | Fix rdr-to printing in pfctl -sr when reply-to is in use. | Stuart Henderson
    Found by Marcus Muelbuesch. ok henning@
2010-01-18 | Convert pf debug logging to using log()/addlog(), a single standardised | Ryan Thomas McBride
    definition of DPFPRINTF(), and log priorities from syslog.h. Old debug levels will still work for now, but will eventually be phased out. discussed with henning, ok dlg
2010-01-13 | Move tokens before productions into more consistent places | Theo de Raadt
    ok mcbride
2010-01-13 | repair a double-free suggested by parfait; ok mcbride | Theo de Raadt
2010-01-13 | fix some leaks found by parfait | Jonathan Gray
    ok mcbride@ henning@
2010-01-13 | In some cases the netmask gets set to a full 128 bit mask even if no | Ryan Thomas McBride
    address family is selected; don't print the v6 mask if it's a v4 address.
2010-01-13 | Allow /netmask notation in redir spec, fix the rest of the regress | Ryan Thomas McBride
    tests for illegal conditions in translation/routing.
2010-01-12 | We actually have to keep the translate/route spec addresses around after | Ryan Thomas McBride
    collapsing into tables, so that we can handle all possible address family expansions.
2010-01-12 | Set roundrobin flag correctly, and don't treat a bare interface | Ryan Thomas McBride
    like a dynamic one in the routespec.
2010-01-12 | Only print route specs with @if notation if there is an IP address. | Ryan Thomas McBride
2010-01-12 | Add restrictions to make @if illegal outside of routing specs; | Ryan Thomas McBride
    Fix binat-to sanity checks.
2010-01-12 | Unbreak 10/8 and friends. | Ryan Thomas McBride
2010-01-12 | Fix some issues in redir spec handling, discovered thanks to dlg testing | Ryan Thomas McBride
    - purge irrelevant addresses from the lists before collapsing
    - ensure the lists are freed after they're collapsed
    - more careful ifname copying, avoiding double-free / use-after-free traps
2010-01-12 | Don't leak @if0 format routing host names, pointed out by claudio. | Ryan Thomas McBride
2010-01-12 | First pass at removing the 'pf_pool' mechanism for translation and routing | Ryan Thomas McBride
    actions. Allow interfaces to be specified in special table entries for the routing actions. Lists of addresses can now only be done using tables, which pfctl will generate automatically from the existing syntax. Functionally, this deprecates the use of multiple tables or dynamic interfaces in a single nat or rdr rule. ok henning dlg claudio
2010-01-10 | lex <=, >=, and != into a single token for correctness and to reduce the | Theo de Raadt
    lookahead in the parser. ok henning otto
2010-01-10 | In the non-optimized case, an address list containing "any" (ie. { any | Theo de Raadt
    10.0.0.1 }) should be folded in the parser to any, not to 10.0.0.1. How long this bug has been with us is unclear. ok guenther mcbride
2009-12-24 | spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h | Igor Sobrado
    as neither arrayified nor arrayfied exist -- sanctioned dictionaries like Merriam-Webster ones suggest a few alternatives (e.g., arrayed), however these made up words are easy to understand and we are not certain that current ones are not ok. ok jmc@
2009-12-24 | add support to pf for filtering a packet by the interface it was received | David Gwynne
    on. use the received-on IFNAME filter option on a pf.conf rule to restrict which packet the interface had to be received on. eg:
    pass out on em0 from $foo to $bar received-on fxp0
    i've been running this in production for a week now. i find it particularly useful with interface groups. no objections, and a few "i like"s from henning, claudio, deraadt, mpf
2009-12-14 | fix sticky-address - by pretty much re-implementing it. still following | Henning Brauer
    the original approach using a source tracking node. the reimplementation is more flexible than the original one, we now have an slist of source tracking nodes per state. that is cheap because more than one entry will be an absolute exception. ok beck and jsg, also stress tested by Sebastian Benoit <benoit-lists at fb12.de>