summaryrefslogtreecommitdiff
path: root/sbin/pfctl
AgeCommit message (Collapse)Author
2002-08-20Increase lineno on newlines inside multi-line macro definitions, otherwiseDaniel Hartmeier
errors on subsequent lines are reported with wrong line numbers. From Paul B. Henson.
2002-08-16kill duplicated check for '(' and ')' in allowed_in_stringHenning Brauer
2002-08-12Catch null pointer deref (segfault), from wilfried@Daniel Hartmeier
2002-08-06missing free(), mpech@Henning Brauer
ok pb@
2002-08-06check fo strdup() allocation errorsHenning Brauer
pointed out by mpech@ ok pb@
2002-07-31KNF, esp. missing prototypesHenning Brauer
2002-07-30grmpf.Henning Brauer
in some cases, on non-tcp rules flags weren't resetted. cosmetical only problem. but, well, checking for r->flags and r->flagset if we could have assigned them zero just one round ago is just stupid, and it's not needed to check them at all. ok pb@, dhartmei@
2002-07-30allow to specify flags on all rules that include tcp.Henning Brauer
these are valid: pass in from any to any flags S pass in proto { tcp, udp, icmp } from any to any flags S pass in proto tcp from any to any flags S these are invalid: pass in proto { udp, icmp } from any to any flags S pass in proto udp from any to any flags S ok "I've lost my slacker status for at least a week" frantzen@ ok pb@, dhartmei@, deraadt@
2002-07-26make the order of log and quick irrelevant. now bothHenning Brauer
block in log quick all and block in quick log all work. ok dhartmei@, deraadt@
2002-07-23timeout_list/_spec and limit_list/_spec don't return anything -> no %type.Henning Brauer
ok theo
2002-07-21fix route-to alsoTheo de Raadt
2002-07-21make the , optional in many places. This makes string concat a lot moreTheo de Raadt
useful. Now you can in = ssh domain www out = $in ftp finger pass in proto tcp from any to any port { $in } pass out proto tcp from any to any port { $out } a poor example, but the idea is obvious
2002-07-21string concat, ie.Theo de Raadt
a=a b c=$a $a
2002-07-20minor indent tweaksTheo de Raadt
2002-07-20properly split yacc and lex useTheo de Raadt
2002-07-19minor tweaks, sighTheo de Raadt
2002-07-19And back out the last change again.Daniel Hartmeier
2002-07-19rework the interface lookup routines internals.Henning Brauer
less and easier code than before. no functional changes. ok frantzen@, dhartmei@
2002-07-19Support # comments at the end of lines and inside (multi-line) stringDaniel Hartmeier
literals, so you can do things like macro="{ foo, # first entry bar, # second entry baz }" # last entry or pass in on $ext_if \ # external interface proto tcp \ # TCP connections from any to $ext_if \ # to the gateway itself keep state And sneaking in two minor fixes for KNF.
2002-07-19Use getnameinfo() instead of gethostbyaddr() to support IPv6 reverseDaniel Hartmeier
lookups with pfctl -r. Makes things actually simpler.
2002-07-19deal with the fact that the struct node_host ifa_pick_ip gets is not alwaysHenning Brauer
the result of an interface expansion. in this case ifa_pick_ip does an address family check (that's actually a (wanted) side effect). Thus, we need to spit out a meaningfull error message in case of a mismatch. also adjust all the other error messages, they were also assuming that nh is the result of an interface expansion. after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term "translation address" for that. okay dhartmei@
2002-07-18use inet_aton(), until this is made v6 awareTheo de Raadt
2002-07-17support "self" as address. self expands to all IPv4 and IPv6 addresses ofHenning Brauer
the machine, on all interfaces. I wanted block in log on ! lo0 from any to self for years, and now it's possible. ok "I may lose my slacking status if I OK it" frantzen@ ok dhartmei@ documentation in pf.conf.5 to come with pb@'s rewrite
2002-07-16Add nat_consistent() and rdr_consistent() for checks that should occurDaniel Hartmeier
after rule expansion, similar to rule_consistent(). Fixes the non-effective test for rdr rules for non-TCP/UDP protocols with ports, found by mpech@, ok frantzen@
2002-07-15add support forHenning Brauer
pass|block on ! $interface ... ok dhartmei@ will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently reworking this manpage
2002-07-15cosmetics/consolidations to manpage in yyerror()sPhilipp Buehler
ok henning@, dhartmei@
2002-07-15o complain about keep state on block rulesHenning Brauer
o complain about return-rst on rules which aren't limited to tcp pointed out by not-slacking-but-testing pb@ ok pb@, dhartmei@
2002-07-13add list expansion for interface and proto in nat rules and for proto in rdrHenning Brauer
rules (interface was already there). since the nat.conf/pf.conf merge the parser accepted these but didn't expand them. ugh. ok dhartmei@
2002-07-09check sin6_scope_id field, just in case we change the routing socket APIJun-ichiro itojun Hagino
for scoped address (unlikely due to the deployed codebase...).
2002-07-09getifaddrs(3) grabs link-local addrs in kernel internal form, convert themJun-ichiro itojun Hagino
into proper sockaddr_in6.
2002-07-09rework the interface-to-IP routines.Henning Brauer
you can use interface names instead of an IP in most places. However, until now, it was only expanded to the interface's first IPv4 address if existant (and address family unset or inet) and the first IPv6 address otherwise. this diff changes that. the interface is proper expanded to all IPs, IPv4 _and_ IPv6, now. it also cleans up the lookup procedures (well, in fact, they are replaced by a new one), there's no need for different procedures for IPv4 and IPv6. we now just have one list of interfaces (AF_LINK) and one list with IPs (AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and ifa_lookup. nat, rdr & friends now use the new function ifa_pick_ip to get the IP in rules like nat on $interface from $whatever to any -> $interface ifa_pick_ip tries to be smart. if the interface has only one IP address and the nat rule doesn't specify an address family (or it matches with this address), take this one. If the address family is specified in the nat rule and there is only one IP for the given address family, this one is used. if the address family is not specified and there is more than one IP pfctl throws an error. The same applies for multiple IPs per address family. This causes regression tests 18 and 20 to fail because the address family isn't specified there; diff for those coming. also fix some prototypes while I'm here. pb@ found another problem while testing that we must have introduced somewhat after 3.1. $cat t nat on ne3 from any to any -> 213.128.133.5 $pfctl -nvf t nat on ne3 all -> ? it's only a representation bug as far as I've checked, nontheless it should be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just steal its target's IP af and set the rule's af accordingly. then inet_ntop does play nice. binat rules already enforce having an address family set always and thus are not affected. ok dhartmei@, pb@, kjell@ "It looks good" frantzen@
2002-07-08Don't allow 'flags' option in non-TCP rules, found by mpech@Daniel Hartmeier
2002-07-05unbreak.Henning Brauer
2002-07-05another small bug I found while installing a -current pf firewall.Henning Brauer
we don't support pass/block in on ! <interface> (at least, not yet) let the parser complain instead of ignoring the '!' ok pb@, dhartmei@
2002-07-05allow unsetting the statusinterface viaHenning Brauer
set loginterface none ok dhartmei@
2002-07-01streamline parse buffer handling (no need to copy value that is notMarc Espie
going to go away). add explicit pushback buffer, to be able to push IPv6 failed parses back. handle pushback + parse buffer interactions by using negative indices. okay dhartmei@, deraadt@
2002-07-01KNFTheo de Raadt
2002-06-28Don't check for address family conflicts in nat/rdr before expansion,Daniel Hartmeier
rules will expand to all valid combinations, and there's an error when none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)" work (again).
2002-06-27fix synopsis, closes pr2775Henning Brauer
ok pb@
2002-06-27repair formatting - the new "enabled since" format is longer than the oldHenning Brauer
one and thus the field lengths need to be adjusted. ok dhartmei@, pb@
2002-06-25move pfctl options -t, -m, -O and -l to pf.conf. These are set using theHenning Brauer
"set" keyword. example rulefile: set optimization aggressive set timeout { tcp.closing 6, tcp.opening 6 } set limit { states 1000, frags 1000 } set loginterface wi0 pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport" block in all fries@ is working on an updated pf.conf(5) discussed at c2k2 and on icb ok dhartmei@, kjell@
2002-06-24Use interface when specified in scrub rule. No support for ! or {} yet.Daniel Hartmeier
2002-06-23uid_t and gid_t are unsignedTheo de Raadt
2002-06-20Copy address family from inet/inet6 keyword, if specified.Daniel Hartmeier
2002-06-19"Enabled for Ss" -> "Enabled for D days HH:MM:SS", ok frantzen@Daniel Hartmeier
2002-06-18propogate a '!' when a host resolves to multiple IP addressesMike Frantzen
ok dhartmei@
2002-06-18don't allow individual keep state rules to specify timeouts for 'interval' andMike Frantzen
'frag' -- they aren't applied anyway ok dhartmei@ and henning@
2002-06-16Rules must in order -> Rules must be in orderAaron Campbell
2002-06-15Reset rulestate in parse_rules(), so consecutive calls (like from authpf)Daniel Hartmeier
will not fail. Reported by Chris Kuethe.
2002-06-14make the output of pfctl -k look nice againHenning Brauer
noticed by pb@ ok dhartmei@