Age | Commit message (Collapse) | Author | |
---|---|---|---|
2006-01-28 | zap unused function | Henning Brauer | |
From: Andrey Matveev <evol@online.ptt.ru> | |||
2005-11-17 | for pfctl -f rules, open the file before resetting options. when opening | Daniel Hartmeier | |
the file fails, produce only the error message and leave options unchanged. reported by Tamas TEVESZ, ok deraadt@ | |||
2005-11-12 | return; at end of function is dorky | Theo de Raadt | |
2005-11-04 | crank pf_state and pf_src_node byte and packet counters to u_in64_t, since | Ryan Thomas McBride | |
we're breaking pfsync compatibility this cycle anyways. Requested by djm@, ok henning@, 'wheee!' deraadt@ | |||
2005-10-18 | add support for static interface group expansion, i. e. | Henning Brauer | |
pass to group ok hshoexer, hacked at linux-kongress last week | |||
2005-10-13 | unused parameters | Henning Brauer | |
2005-10-13 | dead defines | Henning Brauer | |
2005-08-17 | with pfctl -vsI, indicate which interfaces are being skipped. | Daniel Hartmeier | |
ok henning@, markus@, mpf@ | |||
2005-07-11 | clear PFI_IFLAG_SKIP when clearing interface flags, found by David Hill, | Daniel Hartmeier | |
ok henning@ | |||
2005-06-30 | in order for pfvar.h not to conflict with openssl's crypto.h, use | Nikolay Sturm | |
PF_MD5_DIGEST_LENGTH instead of including crypto/md5.h ok markus@, henning@, mpf@ | |||
2005-06-14 | no need to restrict tagging to stateful rules any more, dhartmei ok | Henning Brauer | |
From: "Alexey E. Suslikov" <cruel@texnika.com.ua> | |||
2005-06-13 | document extended pfctl -sl format | Henning Brauer | |
2005-06-13 | make the packet and byte counters on rules and src nodes per direction, | Henning Brauer | |
matches the counters on states now. also fix the counting on scrub rules where we previously did not handle the byte counters at all. extend pfctl -sl output to include the new seperate in/out counters hacked on the ferry from Earls Cove to Saltery Bay ok ryan | |||
2005-06-13 | free memory in show_src_nodes and show_states, as reported by | Jared Yanovich | |
Henrik Gustafsson <openbsd@fnord.se> via tech@. ok henning | |||
2005-05-28 | don't print the "[ Inserted: uid pid ]" line when -g is used, so the | Daniel Hartmeier | |
regress tests don't have to deal with it (and it's a useless thing to check from there). | |||
2005-05-27 | Hide Hostid and Checksum in pfctl -si output unless the -v flag is used. | Ryan Thomas McBride | |
Prodded by henning@ | |||
2005-05-27 | Calculate an MD5 checksum over the main pf ruleset. | Marco Pfatschbacher | |
This is the basis for further pfsync improvements, to ensure that pf rules are in sync with the master. "get it in" mcbride@ | |||
2005-05-27 | get rid of 'log-all'. now that we have 'log (options)', make 'all' an | Daniel Hartmeier | |
option to log. so, 'log-all' becomes 'log (all)'. | |||
2005-05-27 | get rid of shift/reduce conflicts, don't support empty logopts | Daniel Hartmeier | |
2005-05-27 | log two pairs of uid/pid through pflog: the uid/pid of the process that | Daniel Hartmeier | |
inserted the rule which causes the logging. secondly, the uid/pid of the process in case the logged packet is delivered to/from a local socket. a lookup of the local socket can be forced for logged packets with a new option, 'log (user)'. make tcpdump print the additional information when -e and -v is used. note: this changes the pflog header struct, rebuild all dependancies. ok bob@, henning@. | |||
2005-05-27 | allow 'tagged' in 'anchor' rules (without complaining about missing | Daniel Hartmeier | |
'keep state'), as a condition to branch into the anchor. suggested by Bill Marquette. | |||
2005-05-26 | The illegalness of "no nat log" is already enforced by the grammar. | Camiel Dobbelaar | |
ok dhartmei | |||
2005-05-26 | use PF_LOG, PF_LOGALL instead of numeric constants | Daniel Hartmeier | |
2005-05-26 | support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch | Daniel Hartmeier | |
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants. ok frantzen@, camield@ | |||
2005-05-26 | switch the max_src_{states,conn,conn_rate} from superblock breaks to superblock | Mike Frantzen | |
optimization barriers to prevent table merging or rule re-ordering ok dhartmei@ | |||
2005-05-25 | make the remaining pf_rule fields named superblock BREAKs instead just letting | Mike Frantzen | |
them default to BREAKs. no functional change | |||
2005-05-25 | make the optimizer safe in the presence of interface groups. they must act as | Mike Frantzen | |
an optimization block break ok dhartmei@ | |||
2005-05-24 | Identify states that will not be synchronised in pfctl -vvss output. | Christopher Pascoe | |
ok mcbride@ henning@ | |||
2005-05-23 | change pool allocation of table entries, no longer use the oldnointr | Daniel Hartmeier | |
allocator and two pools, but PR_WAITOK when called from non-interrupt context (ioctl). add configurable hard limits for tables and table entries (set limit tables/table-entries), defaulting to 1000/100000. ok aaron@, henning@, mcbride@, art@ | |||
2005-05-23 | remove code that duplicates getservice() | Camiel Dobbelaar | |
ok dhartmei mcbride | |||
2005-05-22 | Add support to kill states that match networks. | Marco Pfatschbacher | |
man page from jmc@ OK dhartmei@ | |||
2005-05-21 | clean up and rework the interface absraction code big time, rip out multiple | Henning Brauer | |
useless layers of indirection and make the code way cleaner overall. this is just the start, more to come... worked very hard on by Ryan and me in Montreal last week, on the airplane to vancouver and yesterday here in calgary. it hurt. ok ryan theo | |||
2005-05-05 | typo | Joel Knight | |
2005-04-22 | Catch bad flags, ie. flags that always evaluate to false. This happens | Camiel Dobbelaar | |
if there are flags on the lefthandside that are masked off by the righthand side. ok mcbride@ (long time ago) dhartmei@ henning@ | |||
2005-03-07 | fd leaks in error paths, From: Andrey Matveev <andrushock@korovino.net> | Henning Brauer | |
2005-03-07 | print unsigned long with %lu, not with %d and not with %ld. | Henning Brauer | |
From: Andrey Matveev <andrushock@korovino.net> | |||
2005-03-06 | allow commas in the hfsc service curve spec, inconsistency pointed out in | Henning Brauer | |
PR4134 / geoff@collyer.net and a longer mail exhcange with han boetes | |||
2005-03-06 | print "set skip on" with -v in such a way that the output is valid input | Daniel Hartmeier | |
syntax, instead of the cryptic hex flags output. | |||
2005-02-28 | use the linkshar keyword when gtalking about the link sharing service | Henning Brauer | |
curve, inspired by PR4127 | |||
2005-02-27 | support 'tagged' in translation rules, non-delayed tag lookup | Daniel Hartmeier | |
ok henning@, deraadt@ | |||
2005-02-26 | ypu sure get the impression the number of memory leaks in error pathes | Henning Brauer | |
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again! | |||
2005-02-17 | Fix indentation as to not mislead the code reader. No functional change. | Aaron Campbell | |
2005-02-07 | KNF; ok henning@ | David Krause | |
2005-01-28 | add messages for syntax errors that caused silent failure before. | Daniel Hartmeier | |
found by Peter Fraser, ok henning@ | |||
2005-01-27 | dynamic interface names must start with a letter. catches the nonsensical | Daniel Hartmeier | |
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of "$(ext_if)". | |||
2005-01-06 | Missing braces in pfctl_load_debug(), pointed out by camield@ | Ryan Thomas McBride | |
2005-01-05 | spelling; | Jason McIntyre | |
2005-01-05 | Document -m flag. | Ryan Thomas McBride | |
2005-01-05 | Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie. | Ryan Thomas McBride | |
they are reset to default values if omitted from a subsequent ruleset load. Also: - make sure 'set ...' options are not loaded in anchors. - add a -m ("merge") flag to pfctl which allows an individual option to be set without reseting the others, eg: # echo "set loginterface fxp0" | pfctl -mf - ok henning@ dhartmei@ | |||
2005-01-03 | don't merge a rule's source address into a table if we're already trying to | Mike Frantzen | |
merge its destination address. caught by an assertion. it's tempting to do recursive reduction here to pick that low hanging fruit.... bug report from <gustavo AT hades DOT uint8t DOT org> |