Age | Commit message | Author |
|
instead of indirectly through struct pf_rule_addr.
Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.
Needless to say: KERNEL/USERLAND SYNC REQUIRED.
ok henning@ mcbride@
|
ok dhartmei@
|
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@
|
- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.
ok dhartmei@
|
ok dhartmei@ henning@
|
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.
ok dhartmei@ cedric@ markus@
|
The pfctl.c part will probably need some further improvements.
ok henning@
|
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.
I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)
ok dhartmei@ henning@
|
ok dhartmei@
|
Thanks to Max Laier.
|
ok dhartmei@
|
traffic reporting w/ pfsync; ok dhartmei@
Note: ABI change (new fields in struct pf_state), requires a rebuild of
pfctl and tcpdump.
|
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.
|
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric
|
ok henning@
|
PF_ADDRMASK. due to the union this resulted in "masking" interface names in
the dynaddr case...
<henning@quigon:1>$ echo "pass inet from (le0)/8" | pfctl -nvf -
pass inet from (l)/8 to any
reported by AARON SUEN <ags137 at psu.edu> on misc@
|
- routing header declaration with RFC3542
(note: sizeof(ip6_rthdr0) has changed!)
also, sync up with RFC2460 routing header definition (no "strict" source
routing mode any more)
part of advanced API update (RFC2292 -> 3542).
markus, todd, millert, henning ok
|
- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()
NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.
|
The following two pfctl functions work with an "-a" option:
- pfctl [-a foo[:bar]] -sT
- pfctl [-a foo[:bar]] -FT
ok dhartmei@
|
address family. fixes the ipv4/128:port output in pfctl -ss.
|
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>
|
help canacar@
ok canacar@ cedric@
|
More to come for the error case.
ok henning@
|
ok cedric@
|
helps finding assignment bugs.
|
dynaddr rules after we know the address family
ok dhartmei@, inspired by a session with bob
|
load bullshit
|
and off independently. so only complain if there's a real error.
ok dhartmei@ pb@ camield@
|
ok henning dhartmei
|
newline. requested by markus@, dhartmei and myself agree
|
ok henning@
|
block in ! tagged sometag
ok dhartmei@ pb@
|
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive endpoint,
preventing spoofed SYN floods from reaching the passive endpoint.
No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.
ok frantzen@
|