path: root/sbin/pfctl
Age         Commit message (Author)

2003-07-19  Simplify struct pf_pooladdr to include struct pf_addr_wrap directly (Cedric Berger)
            instead of indirectly through struct pf_rule_addr. Ryan McBride says: If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as well. The code was changed to fix some of the bugs with port ranges, but it was too late in the release cycle to make kernel API changes, so the structure was left as is. Needless to say: KERNEL/USERLAND SYNC REQUIRED. ok henning@ mcbride@

2003-07-18  Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL. (Cedric Berger)
            ok dhartmei@

2003-07-15  Repair memory management in table parsing code. (Cedric Berger)
            I need vacations. Found and verified by Pyun YongHyeon. ok dhartmei@

2003-07-14  typo (Daniel Hartmeier)

2003-07-11  Better parsing and -v support for tables: (Cedric Berger)
            - remove the tableaddrs and tableaddr yacc production and reuse host_list instead.
            - produce better error messages.
            - do not load addresses from external file when it is not required (like with -R option).
            - store initializers in a new node_tinit linked list before putting them into the address buffer (see next point).
            - add a new print_tabledef() function, which makes "pfctl -nvf" print something useful for table definitions, which in turn makes it possible to write better regress tests (see first chunk of the diff) and bring table definition consistent with other parsed rules.
            ok dhartmei@

2003-07-10  Fix merging of host lists. (Cedric Berger)
            ok dhartmei@ henning@

2003-07-06  knf (cedric did not do it right) (Theo de Raadt)

2003-07-04  KNF after cedric (grmpf) (Henning Brauer)

2003-07-04  KNF (Henning Brauer)

2003-07-04  allow for a "pass" modifier on translation rules: (Henning Brauer)
            nat pass on $ext_if from $a to $b -> $ext_if
            when the pass modifier is given, the filter ruleset is _not_ evaluated but the packets matching this translation rule are passed unconditionally. ok dhartmei@ cedric@ markus@

2003-07-03  Bye bye atexit(), bye bye globals... (Cedric Berger)
            The pfctl.c part will probably need some further improvements. ok henning@

2003-07-03  This patch finally cleans up pfctl_table.c. No more global buffer, (Cedric Berger)
            and a couple of parsing functions moved to parse.y or pfctl_parser where they belong. I also took the opportunity to replace "void" functions with exit(1) or err() inside by "int" functions, with the caller checking the return value for errors (much cleaner and an old request from Theo). ok dhartmei@ henning@

2003-06-30  Buffer management functions. (Cedric Berger)
            ok dhartmei@

2003-06-29  Replace assert(3) calls with warnx(3), if the warning is relevant at all. (Daniel Hartmeier)

2003-06-28  No need to include the same header twice. (Cedric Berger)
            Thanks to Max Laier.

2003-06-27  Reorg part I: move 3 functions out of pf_table.c to pf_radix.c (Cedric Berger)
            ok dhartmei@

2003-06-21  fflush(stdout) in pfctl -vvsq endless output. (Daniel Hartmeier)

2003-06-21  count packets and bidirectionally on state entries, allowing for fine-grained (Damien Miller)
            traffic reporting w/ pfsync; ok dhartmei@ Note: ABI change (new fields in struct pf_state), requires a rebuild of pfctl and tcpdump.

2003-06-20  some cleanings recommended by lint; dhartmei ok (Theo de Raadt)

2003-06-19  knf (Theo de Raadt)

2003-06-18  change expand_label_addr() to use a switch (h->addr.type) instead of (Henning Brauer)
            if .. else if .. else, and handle PF_ADDR_NOROUTE as well. inspired by a comment from cedric.

2003-06-18  when expanding the $srcaddr/$dstaddr label macros and the address is actually (Henning Brauer)
            a table reference, don't print nonsense but the table name. found by claudio jeker, fix by me, agreement by cedric

2003-06-13  Make "show Anchor" obey quiet flag. (Cedric Berger)
            ok henning@

2003-06-12  in set_ipmask, do not try to mask off irrelevant bits of anything but (Henning Brauer)
            PF_ADDRMASK. due to the union this resulted in "masking" interface names in the dynaddr case...
            <henning@quigon:1>$ echo "pass inet from (le0)/8" | pfctl -nvf -
            pass inet from (l)/8 to any
            reported by AARON SUEN <ags137 at psu.edu> on misc@

2003-06-11  - sync up MLD declaration with RFC3542 (s/MLD6/MLD/) (Jun-ichiro itojun Hagino)
            - routing header declaration with RFC3542 (note: sizeof(ip6_rthdr0) has changed!) also, sync up with RFC2460 routing header definition (no "strict" source routing mode any more) part of advanced API update (RFC2292 -> 3542). markus, todd, millert, henning ok

2003-06-09  Attempt to resolve byte order confusion in nat code once and for all. (Ryan Thomas McBride)
            - pf_get_sport() leaves the translated port in the packet in network byte order
            - merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()
            NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.

2003-06-08  A table in an anchor creates a real anchor: pfctl -sA works. (Cedric Berger)
            The following two pfctl functions work with an "-a" option:
            - pfctl [-a foo[:bar]] -sT
            - pfctl [-a foo[:bar]] -FT
            ok dhartmei@

2003-06-07  in print_host(), don't set the mask blindly to /128 but adhere to the (Henning Brauer)
            address family. fixes the ipv4/128:port output in pfctl -ss.

2003-06-06  simplify license. pfctl_altq.c with kenjiro's permission of course. (Henning Brauer)

2003-06-03  process show options before ruleset reload (Henning Brauer)

2003-05-25  must not run check_netmask() before remove_invalid_hosts() - binat case had it (Henning Brauer)
            wrong for the redirection target. reported by jared r r spiegel <jrrs@ice-nine.org>

2003-05-24  better netmask check (Henning Brauer)
            help canacar@ ok canacar@ cedric@

2003-05-24  Properly reset buffers after each "table" command. (Cedric Berger)
            More to come for the error case. ok henning@

2003-05-24  tweak; (Jason McIntyre)
            ok cedric@

2003-05-24  sync (Cedric Berger)

2003-05-19  print out the full netmask; don't just ignore the upper bits in the v4 case (Henning Brauer)
            helps finding assignment bugs.

2003-05-19  reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for (Henning Brauer)
            dynaddr rules after we know the address family ok dhartmei@, inspired by a session with bob

2003-05-19  all host() receivers have to test for NULL (Henning Brauer)

2003-05-19  err out on obviously wrong netmasks (Henning Brauer)

2003-05-19  if host() returns NULL, it is an error, so err the fuck out and don't (Henning Brauer)
            load bullshit

2003-05-19  don't print altq en-/disabled - there's no point, you can't turn them on (Henning Brauer)
            and off independently. so only complain if there's a real error. ok dhartmei@ pb@ camield@

2003-05-19  style consistency (Henning Brauer)

2003-05-19  Use a decaying average for smoother rate estimates. (Camiel Dobbelaar)
            ok henning dhartmei

2003-05-18  indent here in the same way as in -vsr for consistency (Henning Brauer)

2003-05-18  in the pfctl -vsr output (-vvsr/-gvvsr as well), indent instead of extra (Henning Brauer)
            newline. requested by markus@, dhartmei and myself agree

2003-05-17  Fix proxy related output. (Daniel Hartmeier)

2003-05-17  A little bugfix. We want pfioc_states, not pfioc_state. (Ryan Thomas McBride)
            ok henning@

2003-05-17  support inverse matching on tags like (Henning Brauer)
            block in ! tagged sometag
            ok dhartmei@ pb@

2003-05-16  TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use (Daniel Hartmeier)
            'synproxy state' for TCP connections. pf will complete the TCP handshake with the active endpoint before passing any packets to the passive endpoint, preventing spoofed SYN floods from reaching the passive endpoint. No additional memory requirements, no cookies needed, random initial sequence numbers, uses the existing sequence number modulators to translate packets after the handshakes. ok frantzen@

2003-05-15  properly complain about too long tags (Henning Brauer)