summaryrefslogtreecommitdiff
path: root/sbin/pfctl
AgeCommit message (Collapse)Author
2006-08-22back out -r1.497 (support for "tagged {}" lists), it broke "tagged" supportDaniel Hartmeier
for nat rules. sorry, existing functionality trumps syntactic sugar. feel free to resubmit a complete patch. closes PR 5207.
2006-08-08properly join host lists in ifa_grouplookup(), closes PR 5195,Daniel Hartmeier
reported by andrew fresh
2006-07-06add "rtable" to select alternate routing tables.Henning Brauer
with & ok claudio hshoexer
2006-06-30spacesTheo de Raadt
2006-06-17KNFHenning Brauer
2006-06-09Xo/Xc not needed here; from davidJason McIntyre
2006-05-28Make per-rule adaptive timeouts behave the same way as the global adaptiveRyan Thomas McBride
timeouts.
2006-05-28Enable adaptive timeouts by default, with adaptive.start of 60% of theRyan Thomas McBride
state limit and adaptive.end of 120% of the state limit. Explicitly setting the adaptive timeouts will override the default, and it can be disabled by setting both adaptive.start and adaptive.end to 0. ok henning@
2006-05-26\<char> is <char> except for \<newline> -- no exceptions. much like howTheo de Raadt
other things work. ok henning
2006-05-23member interfaces of groups might have no IPs and ifa_lookup retun NULL,Henning Brauer
account for that. fixes PR5130, ok dhartmei
2006-05-14better english to describe interfaces without bandwidth info; ok henningTheo de Raadt
2006-05-02fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, createDaniel Hartmeier
only bar under foo, not /bar as well. secondly, when using "load anchor from" from a sub-anchor, the loading point should be relative to the sub-anchor doing the load (unless absolute paths are used, of course). from Boris Polevoy. probably a -stable candidate.
2006-05-01add support for "tagged {}" lists, from Pierre-Yves RitschardDaniel Hartmeier
2006-04-24don't clear interface flags (set skip on) when -N/-F is used without -O,Daniel Hartmeier
from Jon Simola, ok henning@
2006-04-08Plug simple memory leak. ``Don't forget to free tcpopts when youRay Lai
are done.'' From NetBSD from Coverity CID 2057. OK henning@ and jaredy@
2006-04-08Remove a little bit of dead code; minburst is set to 2 earlier, andRay Lai
cannot be 0. From NetBSD from Coverity CID 577. OK henning@
2006-04-06allow lists inside lists for address specs, has been in my tree forHenning Brauer
quite some time... theo likes
2006-03-21instead of sizeof(array) / sizeof(element) computation, use the existingDaniel Hartmeier
end-of-array NULL marker, shuts up source analysis tool, from deraadt@
2006-03-14implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)Damien Miller
which optionally verifies that a packet is received on the interface that holds the route back to the packet's source address. This makes it an automatic ingress filter, but only when routing is fully symmetric. bugfix feedback claudio@; ok claudio@ and dhartmei@
2006-01-28zap unused functionHenning Brauer
From: Andrey Matveev <evol@online.ptt.ru>
2005-11-17for pfctl -f rules, open the file before resetting options. when openingDaniel Hartmeier
the file fails, produce only the error message and leave options unchanged. reported by Tamas TEVESZ, ok deraadt@
2005-11-12return; at end of function is dorkyTheo de Raadt
2005-11-04crank pf_state and pf_src_node byte and packet counters to u_in64_t, sinceRyan Thomas McBride
we're breaking pfsync compatibility this cycle anyways. Requested by djm@, ok henning@, 'wheee!' deraadt@
2005-10-18add support for static interface group expansion, i. e.Henning Brauer
pass to group ok hshoexer, hacked at linux-kongress last week
2005-10-13unused parametersHenning Brauer
2005-10-13dead definesHenning Brauer
2005-08-17with pfctl -vsI, indicate which interfaces are being skipped.Daniel Hartmeier
ok henning@, markus@, mpf@
2005-07-11clear PFI_IFLAG_SKIP when clearing interface flags, found by David Hill,Daniel Hartmeier
ok henning@
2005-06-30in order for pfvar.h not to conflict with openssl's crypto.h, useNikolay Sturm
PF_MD5_DIGEST_LENGTH instead of including crypto/md5.h ok markus@, henning@, mpf@
2005-06-14no need to restrict tagging to stateful rules any more, dhartmei okHenning Brauer
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>
2005-06-13document extended pfctl -sl formatHenning Brauer
2005-06-13make the packet and byte counters on rules and src nodes per direction,Henning Brauer
matches the counters on states now. also fix the counting on scrub rules where we previously did not handle the byte counters at all. extend pfctl -sl output to include the new seperate in/out counters hacked on the ferry from Earls Cove to Saltery Bay ok ryan
2005-06-13free memory in show_src_nodes and show_states, as reported byJared Yanovich
Henrik Gustafsson <openbsd@fnord.se> via tech@. ok henning
2005-05-28don't print the "[ Inserted: uid pid ]" line when -g is used, so theDaniel Hartmeier
regress tests don't have to deal with it (and it's a useless thing to check from there).
2005-05-27Hide Hostid and Checksum in pfctl -si output unless the -v flag is used.Ryan Thomas McBride
Prodded by henning@
2005-05-27Calculate an MD5 checksum over the main pf ruleset.Marco Pfatschbacher
This is the basis for further pfsync improvements, to ensure that pf rules are in sync with the master. "get it in" mcbride@
2005-05-27get rid of 'log-all'. now that we have 'log (options)', make 'all' anDaniel Hartmeier
option to log. so, 'log-all' becomes 'log (all)'.
2005-05-27get rid of shift/reduce conflicts, don't support empty logoptsDaniel Hartmeier
2005-05-27log two pairs of uid/pid through pflog: the uid/pid of the process thatDaniel Hartmeier
inserted the rule which causes the logging. secondly, the uid/pid of the process in case the logged packet is delivered to/from a local socket. a lookup of the local socket can be forced for logged packets with a new option, 'log (user)'. make tcpdump print the additional information when -e and -v is used. note: this changes the pflog header struct, rebuild all dependancies. ok bob@, henning@.
2005-05-27allow 'tagged' in 'anchor' rules (without complaining about missingDaniel Hartmeier
'keep state'), as a condition to branch into the anchor. suggested by Bill Marquette.
2005-05-26The illegalness of "no nat log" is already enforced by the grammar.Camiel Dobbelaar
ok dhartmei
2005-05-26use PF_LOG, PF_LOGALL instead of numeric constantsDaniel Hartmeier
2005-05-26support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patchDaniel Hartmeier
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants. ok frantzen@, camield@
2005-05-26switch the max_src_{states,conn,conn_rate} from superblock breaks to superblockMike Frantzen
optimization barriers to prevent table merging or rule re-ordering ok dhartmei@
2005-05-25make the remaining pf_rule fields named superblock BREAKs instead just lettingMike Frantzen
them default to BREAKs. no functional change
2005-05-25make the optimizer safe in the presence of interface groups. they must act asMike Frantzen
an optimization block break ok dhartmei@
2005-05-24Identify states that will not be synchronised in pfctl -vvss output.Christopher Pascoe
ok mcbride@ henning@
2005-05-23change pool allocation of table entries, no longer use the oldnointrDaniel Hartmeier
allocator and two pools, but PR_WAITOK when called from non-interrupt context (ioctl). add configurable hard limits for tables and table entries (set limit tables/table-entries), defaulting to 1000/100000. ok aaron@, henning@, mcbride@, art@
2005-05-23remove code that duplicates getservice()Camiel Dobbelaar
ok dhartmei mcbride
2005-05-22Add support to kill states that match networks.Marco Pfatschbacher
man page from jmc@ OK dhartmei@