| Age | Commit message (Collapse) | Author |
|---|
|
ok henning@ cedric@
|
|
|
|
|
|
ok pb deraadt
|
|
ok mcbride@ pb@ dhartmei@
|
|
plug a memory leak in the lexer.
the issue is this code fragement from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@
|
|
|
|
ok henning@, cedric@
|
|
OS fingerprints and a list of interface drivers...
cedric deraadt ok
|
|
|
|
|
|
Ok mcbride@ pb@
|
|
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.
ok cedric@ henning@
|
|
|
|
ok cedric@ henning@
|
|
ok dhartmei@ markus@ mcbride@
|
|
Kernel/Userland Sync needed. ok dhartmei@ jmc@ markus@ mcbride@
|
|
is no longer needed in pfctl.
ok, henning@
|
|
|
|
- add -p to SYNOPSIS
- uppercase start of sentence
- sync usage() w/ SYNOPSIS
|
|
from deraadt@
|
|
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@
|
|
|
|
|
|
and an off by one
|
|
|
|
|
|
ok henning@ mcbride@
|
|
fix a check of the return value to cope woth that
inspired by PR3675 from Marc Huber <Marc.Huber@web.de>, fixed slightly
different.
|
|
ok dhartmei@ henning@
|
|
source-tracking. Found by Pyun YongHyeon.
Also add support to pfctl to set the src-nodes pool limit.
"Luckily" some of the bugs cancel each other out; update kernel before
pfctl.
ok dhartmei@
|
|
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok
|
|
==
to parse v4 adresses, only use inet_net_pton when we find a /, otherwise
use inet_pton.
helps bob who likes to type 1.2 3.4 instead of 1.2.3.4 and wonders why this
results in two addresses.
PR3638, bob ok
==
make sure bits is either 32 or what inet_net_pton tells us, and always call
set_ipmask to mask the boring bits away
ok dhartmei@ mcbride@ david@
|
|
ok deraadt@ henning@
|
|
1.2.3.4/0 is not equal to 1.2.3.4... this "helped" to make failure already
only omit the netmask when both the addr and the mask itself are all zero
(the "any" case)
ok dhartmei@ mcbride@
|
|
extremely unfluffy, King Bula is coming for your head.
|
|
use inet_pton.
helps bob who likes to type 1.2 3.4 instead of 1.2.3.4 and wonders why this
results in two addresses.
PR3638, bob ok
|
|
identifiers without embedded meanings.
this also allows us to make the semantics of the qid assignment in line
with the tag assignment in the next step.
ok, henning@
|
|
|
|
tests otto@, okay millert@
|
|
|
|
|
|
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff change the pf_state structure slighltly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
|
|
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).
ok cedric@
|
|
ok deraadt@ cedric@
|
|
|
|
|
|
|
|
.Nm does not need an argument;
dashes should be escaped;
|
|
|
