path: root/sbin/pfctl
Age         Author
  Commit message

2013-07-21  Jason McIntyre
  zap one redundant line, replacing it with a note that although SYNOPSIS suggests no options are necessary, in fact a minimum of one is required; ok henning

2013-07-21  Jason McIntyre
  tidy up DESCRIPTION somewhat, and format nicer; ok henning

2013-07-21  Jason McIntyre
  re-zap the previous paragraph, but this time in its place document what happens when a broken pf config is encountered, both generally and at system startup; ok henning

2013-07-20  Jason McIntyre
  reverting previous until i can work out what henning is telling me...

2013-07-19  Jason McIntyre
  remove redundant paragraph; from Pieter Verberne

2013-07-05  Bret Lambert
  Collect and display 'match' counters for pf tables. While here, fix pf table displays to fit within 80 chars. Manpage input jmc@ ok henning@ reyk@

2013-06-01  Henning Brauer
  remove set-tos backwards compat, moved into the set {} block a year ago. ok ryan

2013-04-21  Theo de Raadt
  avoid truncating a time_t division into days

2013-03-21  Theo de Raadt
  fetch NMBCLUSTERS at runtime from the sysctl kern.maxclusters. ok sthen

2013-03-20  Theo de Raadt
  MCLBYTES does not belong in here.

2013-03-13  Stuart Henderson
  Describe the counters that "pfctl -s info" displays. Tweaks jmc@, ok deraadt@

2013-03-02  Stuart Henderson
  When a PF rule contains 'set tos' *followed by* a scrub option, the tos value is changed to 0x00. Left-over from the previous implementation where set-tos was part of "scrub". Problem reported by Jason Mader, ok henning

2013-01-16  Henning Brauer
  for consistency with prio etc, the queue assignment really belongs into the set block. so make pfctl accept, print and the manpage document
    match set queue foo
  instead of
    match queue foo
  but keep accepting the old way without the explicit set. ok bob, man jmc

2012-12-04  Theo de Raadt
  remove some unnecessary sys/param.h inclusions

2012-10-19  Henning Brauer
  rtableid must be BREAK instead of MERGE, otherwise the optimizer might reorder rules incorrectly, i.e.:
    pass rtable 2
    pass from 10/16 rtable 0
    pass from 10.1/16 rtable 1
  so with this ruleset a packet from 10/16 will end up in rtable 0. now let's see what pfctl makes out of it, with default optimization:
    <brahe@tachi> pfctl $ pfctl -nvf t.conf
    pass inet from 10.0.0.0/16 to any flags S/SA rtable 0
    pass inet from 10.1.0.0/16 to any flags S/SA rtable 1
    pass all flags S/SA rtable 2
  OUPS! a packet from 10/16 will end up in rtable 2 now. found by phessler, fix by yours truly, from EuroBSDcon. ok beck phessler benno mikeb sthen

2012-10-18  Reyk Floeter
  Disallow tables and interface address pools for rdr-to, nat-to and route-to with any other scheduling algorithms than round-robin or least-states. Before this change, pfctl accepted and loaded invalid address pools, e.g. "rdr-to <table> source-hash", but it is not supported by the kernel and was silently ignored in operation. Also clarify the manpage a bit by mentioning that tables are only valid with round-robin or least-states. ok zinke@

2012-09-29  Lawrence Teo
  Remove extra .Pp. ok jmc

2012-09-19  Camiel Dobbelaar
  Show which limit cannot be set. idea mikeb. ok mikeb henning beck

2012-09-18  Henning Brauer
  prio 0 is valid, therefore, I chose an "impossible" value for prio meaning "not set" and used a PF_PRIO_NOTSET define for it. now that means that everything that creates a struct pf_rule doesn't get away with bzero'ing it, which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead, make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio should be set. ok benno claudio mikeb

2012-08-17  Mike Belopuhov
  Don't forget to byteswap the state_flags since it's a uint16_t now. From Hrvoje Popovski via Florian Obser, ok henning

2012-07-26  Mike Belopuhov
  load os passive fingerprints when testing the ruleset; ok henning

2012-07-10  Henning Brauer
  use PFSTATE_SCRUBMASK. whenever you see (flags >= ONE_OF_THE_FLAGS), run. that must break sooner or later.

2012-07-10  Alexander Bluhm
  Allow an implicit address family for af-to rules. If the address family can be determined by the "from" or "to" parameter in the matching part, it is no longer necessary to specify "inet" or "inet6" there. OK henning@ mikeb@

2012-07-10  Henning Brauer
  intermediate hack^Wugly "fix" to prevent spurious "scrub ()" prints + XXX comment as reminder to clean this up for good

2012-07-10  Henning Brauer
  set { ... } -> set ( ... ). brought up by ryan, discussed with him and theo and they convinced me

2012-07-09  Henning Brauer
  fix some of the confusion we have in pf regarding filter criteria vs options that "write" to the packet by putting the latter in a set { } block. for now prio and tos, maintain set-tos backwards compat for the moment.
    "match set { prio 6, tos lowdelay }"
    "match set prio 6"
  from a discussion with ryan in tokyo a while ago, ok ryan phessler

2012-07-08  Lawrence Teo
  New attempt to make the -P flag work with -ss, so that states can be printed with port names if desired. tcpdump's pf_print_state.c has diverged significantly from pfctl's, so the change to tcpdump's pf_print_state.c is not exactly the same as pfctl's. ok henning sthen

2012-07-07  Henning Brauer
  remove incorrect check in pfctl preventing set-tos for ipvshit. the kernel has code to deal with set-tos and that crap. don't ask for details. stuart ok

2012-07-07  Henning Brauer
  rename prio in struct pf_rule and related structs to set_prio so it is utterly clear this is not a filter criterion but a packet modification thing. also preparation for upcoming changes, including one to unscrew this mess (I should not have to touch half the tree for this - ifixitlater). not user visible, ok gcc

2012-06-01  Jonathan Gray
  revert previous, breaks tcpdump. spotted by jmc@

2012-06-01  Lawrence Teo
  Make the -P flag work with -ss, so that states can be printed with port names if desired. ok henning

2012-05-07  Henning Brauer
  fix printing of wildcard anchors, from lteo, ok phessler sthen me

2012-05-02  Henning Brauer
  remove redundant check; from lteo; ok haesbaert

2012-05-02  Henning Brauer
  don't call getifmtu in -n mode, assume 1500. calling getifmtu requires the interface in question to be there, breaking ruleset verification. From: Silamael <Silamael at coronamundi dot de>

2012-04-18  Theo de Raadt
  not (unsigned); ok henning

2012-01-15  David Hill
  convert an snprintf to strlcpy. ok mikeb henning

2011-12-19  Mike Belopuhov
  unbreak rule optimizer; ok henning, looks

2011-12-12  Mike Belopuhov
  fixup af-to regression with match rules. pfctl should not infer the af-to behavior from the af/naf difference. instead, we should be clear that this is an af-to rule. essentially this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so that we don't rely on ambiguous checks (like r->af != r->naf) when setting things up. positive review and comments from claudio, ok henning, sperreault

2011-12-03  Ryan Thomas McBride
  pfctl_set_hostid always returns 0; don't pretend otherwise and make it a void function instead. ok dlg

2011-12-03  Ryan Thomas McBride
  Avoid loading garbage hostid and other values not always initialised, by bzero()ing the 'struct pfsync' properly. ok dlg mpf

2011-11-23  Henning Brauer
  print ports as numbers by default; -P prints names instead. 2/2 from Lawrence Teo <lteo at devio dot us> ok sthen dlg and myself

2011-11-23  Henning Brauer
  print_rule: rename opts -> ropts, no binary change. 1/2 from Lawrence Teo <lteo at devio dot us> ok sthen dlg myself and gcc

2011-11-08  Mike Belopuhov
  Fixup skip step printout: rdomains come after direction; ok mcbride, henning

2011-10-13  Claudio Jeker
  pfctl change for af-to / NAT64 support. The general syntax is:
    pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
  In the NAT64 case the "to" is not needed in af-to and the IP is extracted from the IPv6 dst (assuming a /64 prefix). Again most work by sperreault@, mikeb@ and reyk@. OK mcbride@, put it in deraadt@

2011-09-07  Christiano F. Haesbaert
  Avoid possible SIGSEGV when given a wrong tos option.

2011-08-30  Mike Belopuhov
  One shot rules can be used in pf.conf by specifying a "once" filter option. ok henning, mcbride

2011-07-29  Ryan Thomas McBride
  Remove requirement to quote 'debug' loglevel for the 'debug' option. ok henning

2011-07-27  Ryan Thomas McBride
  Add support for weighted round-robin in load balancing pools and tables. Diff from zinke@ with some minor cleanup. ok henning claudio deraadt

2011-07-13  Ryan Thomas McBride
  Force user to specify protocol when filtering on user, gid, and os attributes (this is now required by pf_rule_test()). ok sthen henning

2011-07-08  Henning Brauer
  allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels for the new priority queueing implementation. valid range is 0 to 7. the old trick for prioritizing empty ACKs etc remains thru the latter notation. ok ryan mpf sthen plus pea testing and halex and claudio reading
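The ruleset below is an added example written for this page, not a file from the OpenBSD tree or from any of the commits above. It pulls together the pf.conf syntax those commits describe so that the whole set can be parse-checked in one go with "pfctl -nvf": the set ( ... ) block for packet-modifying options, "once", "af-to" with an implicit address family, rtable rules whose order the optimizer must preserve, table-backed rdr-to pools restricted to round-robin or least-states, table weights, and the protocol that user/os filtering now requires. Interface names, addresses, ports, table contents and weights are placeholders assumed for illustration; the weight syntax and the 64:ff9b::/96 NAT64 prefix are assumptions, not taken from the commit messages.

```pf
# Added example ruleset, not part of the OpenBSD tree.
# Verify without loading:   pfctl -nvf this.conf
# (-n no longer needs the named interfaces to exist, 2012-05-02, and -v
#  prints the ruleset as the optimizer leaves it, 2012-10-19.)
# Inspect at runtime:       pfctl -s info   (counters documented 2013-03-13)
#                           pfctl -ss -P    (port names instead of numbers)

# Table used as an rdr-to pool; per-host weights are assumed syntax for
# the weighted round-robin added 2011-07-27.
table <web> { 192.0.2.10 weight 2, 192.0.2.11 weight 1 }

# rtable is a BREAK field for the optimizer (2012-10-19), so these three
# rules keep their written order: 10.0.0.0/16 -> rtable 0,
# 10.1.0.0/16 -> rtable 1, everything else -> rtable 2.
pass out rtable 2
pass out from 10.0.0.0/16 rtable 0
pass out from 10.1.0.0/16 rtable 1

# Options that write to the packet go in set ( ... ) (2012-07-09 /
# 2012-07-10); the two-value prio form keeps the empty-ACK trick
# from 2011-07-08 (range 0..7).
match out on egress proto tcp to port 22 set ( prio 6, tos lowdelay )
match out on egress proto tcp set prio (3, 7)

# Tables are only valid with round-robin or least-states (2012-10-18);
# "rdr-to <web> source-hash" is now rejected at parse time.
pass in on egress proto tcp to (egress) port 80 rdr-to <web> round-robin
pass in on egress proto tcp to (egress) port 443 rdr-to <web> least-states

# One-shot rule: removed from the active ruleset after its first match
# (2011-08-30). Placeholder port.
pass in on egress proto tcp to (egress) port 2222 once

# user/group/os filtering requires an explicit protocol (2011-07-13).
pass out on egress proto tcp user root
pass in on egress proto tcp from any os "OpenBSD" to (egress) port 22

# af-to (2011-10-13): the matching part's family is inferred from the
# "to" address, so "inet" may be omitted (2012-07-10).
pass in on em0 from any to 192.0.2.1 af-to inet6 from 2001:db8::1 to 2001:db8::2
# NAT64 form: no "to" in af-to, the IPv4 destination comes from the
# IPv6 destination. Prefix is an assumed placeholder.
pass in on em0 inet6 from any to 64:ff9b::/96 af-to inet from 192.0.2.1
```

When checking with "pfctl -nvf", compare the three rtable rules in the printed output with the file: after the 2012-10-19 change they should come out in the written order, whereas the commit message shows the pre-fix optimizer moving the catch-all "rtable 2" rule to the end and silently changing which table the 10.0.0.0/16 traffic lands in.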