Age | Commit message | Author |
|
pointed out by, and ok david@, go ahead henning@
|
|
From: Gleydson Soares <gsoares@gmail.com>, ryan ok
|
|
ok henning
|
|
and the state-related pf(4) ioctls, and make functions in state creation and
destruction paths more robust in error conditions.
All values in struct pfsync_state now in network byte order, as with pfsync.
testing by david
ok henning, systat parts ok canacar
|
|
the kernel to be deleted.
|
|
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.
This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.
ok henning mpf deraadt
|
|
into one 8 bit flags field.
shrinks the state structure by 4 bytes on 32bit archs
ryan ok
|
|
of the good one. ok theo ryan reyk
|
|
- Mechanical change: Use arrays for state key pointers in pf_state, and
addr/port in pf_state_key, to allow the use of indexes.
- Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures.
In struct pfsync_state, both state keys are included even when identical.
- Also fix some bugs discovered in the existing code during testing.
(in particular, "block return" for TCP packets was not returning an RST)
ok henning beck deraadt
tested by otto dlg beck laurent
Special thanks to users Manuel Pata and Emilio Perea who did enough testing
to actually find some bugs.
|
|
pf_ioctl.c r1.196.
|
|
Remove it from the name section.
OK mcbride, henning
|
|
Fix printing of the state id in pfctl -ss -vv.
Remove the psnk_af hack to return the number of killed states.
OK markus, beck. "I like it" henning, deraadt.
Manpage help from jmc.
|
|
numbers with one, and fix a few other bugs along the way
ok mpf henning
|
|
makes transparent proxies much easier; ok beck@, feedback claudio@
|
|
requested by reyk, ok reyk mpf
|
|
blocks, as requested by reyk; ok reyk mpf henning
|
|
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf
|
|
It shows up in pfctl verbose mode and in the 7th field of the labels
output. Also remove the label printing for scrub rules, as they
do not support labels.
OK dhartmei@ (on an earlier version), henning@, mcbride@
|
|
leads to a variety of errors; ok mcbride
|
|
ok henning@
|
|
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.
ok henning mpf
|
|
in the inline anchor. Fixes optimizer bug where automatic table creation in
inline anchors fails because rules are now loaded after optimization
and no transaction has been opened for the anchor.
bug reported by Henrik Johansen
ok henning dhartmei
|
|
from tobias@
ok mcbride@ tobias@
|
|
sys/dev/pci/pciide.c from naddy@
|
|
I forgot to think about hex numbers when I removed it.
OK deraadt@
|
|
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@
|
|
Add support for probabilities of 0% and 100%.
With and OK deraadt@
|
|
yuck & ok henning@
|
|
ok deraadt@
|
|
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.
OK deraadt@
|
|
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr
|
|
the main configuration file; ok henning
|
|
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.
|
|
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others
|
|
Requested by deraadt@
|
|
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.
OK henning@, markus@
|
|
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.
Eyeballed by markus@, OK henning@
|
|
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei
|