| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2001-08-23 | o for a port_item, initialize the "next" pointer to NULL | Todd C. Miller | |
| o for an address, use calloc() instead of malloc() so the struct is zeroed Fixes a SEGV in pfctl due to uninitialized "next" pointers. | |||
| 2001-08-23 | Support var="string". Expansion (at lex time) done using $var, for instance: | Theo de Raadt | |
| okproto="{ssh, smtp, domain, auth}" pass in on key0 proto tcp from any to any port $okproto keep state Can I ask someone else to document this in pf.conf(5)? | |||
| 2001-08-23 | KNF | Theo de Raadt | |
| 2001-08-23 | for -s all, do not error out when the first ioctl fails | Theo de Raadt | |
| 2001-08-22 | ftp-proxy | Bob Beck | |
| 2001-08-19 | do not spin if no states are found | Theo de Raadt | |
| 2001-08-19 | Document per-rule byte counter. | Daniel Hartmeier | |
| 2001-08-19 | Add per-rule byte counter, so mickey can do accounting. We're counting the | Daniel Hartmeier | |
| data part (without IP and TCP/UDP/ICMP headers), like the state counter does. | |||
| 2001-08-19 | Document per-rule statistics. If the evaluation counters look funny, | Daniel Hartmeier | |
| think skip steps. | |||
| 2001-08-19 | Print per-rule statistics when -v is used with -sr (show rules). | Daniel Hartmeier | |
| 2001-08-19 | Unfuck some TCP state stuff that would drop the SYN|ACK. | Mike Frantzen | |
| Enumerated the TCP states. Here's a mapping new->old tcp states if anyone gives a shit: TCPS_CLOSED 0 TCPS_SYN_SENT 1 TCPS_ESTABLISHED 2 TCPS_CLOSING 3 TCPS_FIN_WAIT_2 4 TCPS_TIME_WAIT 5 | |||
| 2001-08-19 | Add parameter list support to parser. Handles lists for protocol, hosts | Daniel Hartmeier | |
| and ports in filter rules, like block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 } block in proto { udp, igmp } and does rule expansion (generate all needed rule combinations). | |||
| 2001-08-18 | make pfctl -s state SCREAM; frantzen is now happy | Theo de Raadt | |
| 2001-08-18 | prettier printing of states | Theo de Raadt | |
| 2001-08-16 | track the line number per-token, so that we can report errors correctly | Theo de Raadt | |
| 2001-08-14 | optimize the flags parsing; markus@ ok | Michael Shalayeff | |
| 2001-08-11 | Add support for ICMP errors referring to ICMP queries/replies. Fixes | Daniel Hartmeier | |
| 'ICMP error message for bad proto' messages. Reported by Mark Grimes and Steve Rumble. Add debugging level with ioctl interface and pfctl switch. Default is 'None'. | |||
| 2001-08-11 | \+\n support, and spit out cc-style error messages. the parser's line | Theo de Raadt | |
| counting is lex dependent, and will need to be tweaked | |||
| 2001-08-03 | o) We always closes .Bl and .Bd tags; | Mike Pechkin | |
| millert@ ok | |||
| 2001-07-31 | allow to test that flags are unset, ok dhartmei@, mickey@ | Peter Stromberg | |
| 2001-07-28 | start sentence on new line, from mpech@ | Daniel Hartmeier | |
| 2001-07-26 | sort SEE ALSO section correctly, from mpech@. | Daniel Hartmeier | |
| 2001-07-26 | usage() with __progname according to style(9), typo in man page. both from ↵ | Daniel Hartmeier | |
| mpech@. | |||
| 2001-07-20 | we don't like: | Mike Pechkin | |
| o) .Pp before/after .Sh; o) .Pp before/after .Rs/.Re; o) .Nm without argument in SYNOPSIS; | |||
| 2001-07-19 | Fix/complete the handling of the binary ops >< and <> to behave | Kenneth R Westerback | |
| like the ipf operators. The 'n >< m' construct (Include Range = PF_OP_IRG) should match ports greater than n and less than m, not greater than or equal to n and less than or equal to m. The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match all ports less than n OR greater than m, not be treated as an alias for ><. Thus PF_OP_GL, which was used for both <> and >< is replaced with PF_OP_IRG and PF_OP_XRG with the 'correct' semantics. OK dhartmei@ | |||
| 2001-07-18 | new ERROR token, errx() -> warnx() + ERROR; ok deraadt@ | Markus Friedl | |
| 2001-07-18 | KNF for return | Markus Friedl | |
| 2001-07-18 | check number range to fit in 32 bits | Michael Shalayeff | |
| 2001-07-18 | put range checks on NUMBER, pointed out by deraadt | Michael Shalayeff | |
| 2001-07-17 | spaces, parens, err instead of errx+strerror | Michael Shalayeff | |
| 2001-07-17 | warnx()/YYERROR instead of errx(); suggested by mickey@ | Markus Friedl | |
| 2001-07-17 | markus doesnt like min-ttl =, begone | Niels Provos | |
| 2001-07-17 | support min-ttl, okay dhartmei@ | Niels Provos | |
| 2001-07-17 | normalize ip_off, make IP_DF stripping optional, return rst is a flag now. | Niels Provos | |
| okay markus@ | |||
| 2001-07-17 | bitch about ! in pf rule; ok dhartmei@ and markus@ | Marco S Hyman | |
| 2001-07-17 | bitch about extra command line args; ok dhartmei@ and markus@ | Marco S Hyman | |
| 2001-07-17 | Only set default proto in the rdr case; markus@ OK | Todd C. Miller | |
| 2001-07-16 | errx() if getservbyname() fails | Markus Friedl | |
| 2001-07-16 | get rid of cleanfiles by getting rid of cleanfiles; markus@ ok | Michael Shalayeff | |
| 2001-07-16 | better flags parsing; dhartmei | Markus Friedl | |
| 2001-07-16 | add a yacc parser for pf.conf and nat.conf, with help from mickey@, | Markus Friedl | |
| plus: -n now turns off all operations, and just parses the conf files ok deraadt@ | |||
| 2001-07-11 | Error on invalid ports | Constantine Sapuntzakis | |
| 2001-07-10 | Oops, we can't use 0 as next_addr()'s error return since 0.0.0.0 is | Todd C. Miller | |
| a valid address. Instead I add a pointer to the result as a parameter and return 0 on failure and 1 on success. Also uses inet_pton() instead of inet_aton(). | |||
| 2001-07-10 | Resolve as a host name if not an IP address; dhartmei@ OK | Todd C. Miller | |
| 2001-07-10 | move "proto" in the nat case as well | Todd C. Miller | |
| 2001-07-09 | Move the proto field to be after the "on" argument which is consistent | Todd C. Miller | |
| with pf.conf. If no proto is specified tcp is assumed. dhartmei@ OK | |||
| 2001-07-09 | Extend nat/rdr syntax. Add source/destination selection. Make | Daniel Hartmeier | |
| interface optional. Suggested by rdump@river.com. nat [on [!] <ifname>] from (any | [!] <addr>[/<mask>]) to (any | [!] <addr>[/<mask>]) -> <addr> [proto (tcp | udp | icmp)] rdr [on [!] <ifname>] from (any | [!] <addr>[/<mask>]) to (any | [!] <addr>[/<mask>]) port <a>[:<b>] -> <addr> port <c>[:*] [proto (tcp | udp | icmp)] | |||
| 2001-07-06 | Allow negative match on interface name for nat and rdr | Chris Cappuccio | |
| ok dhartmei@ | |||
| 2001-07-05 | &, not &&. Pointed out by dhartmei@. | Hakan Olsson | |
| 2001-07-04 | cleaner | Theo de Raadt | |
 |
index : src | |
| OpenBSD base system |
| summaryrefslogtreecommitdiff |