path: root/sbin/pfctl

Commit log (newest first): date, author, commit message.

2004-09-27  Jared Yanovich
    anchor rules referencing anchors using slashes may need quotes.
    ok mcbride henning

2004-09-21  Aaron Campbell
    Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
    First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok

2004-08-26  Jared Yanovich
    sync usage for -a
    reminded by jmc, ok deraadt

2004-08-26  Jared Yanovich
    update w.r.t. recursive anchors
    includes:
    - simplify -a syntax
    - change an anchor example to mention authpf, which is more useful
    - document "pfctl -a anchor -vsA" for showing anchors recursively
    ok dhartmei jmc henning

2004-08-08  Theo de Raadt
    spacing

2004-07-23  Jason McIntyre
    - make SYNOPSIS and usage() clear that -t precedes -T;
      spotted by Tamas Tevesh, via dhartmei@;
    - also, add -o to usage(), and note that /ruleset is now the correct syntax, not :ruleset;
    ok dhartmei@

2004-07-19  David Gwynne
    print the correct labels when displaying timeouts with pfctl (eg, pfctl -st).
    From Chris Pascoe. ok dhartmei@

2004-07-16  Mike Frantzen
    'pfctl -o' ruleset optimizer that doesn't change the meaning of the final ruleset
    - remove identical and subsetted rules
    - when advantageous merge rules w/ similar addresses into a table and one rule
    - re-order rules to improve skip step performance (can do better w/ kernel mods)
    - 'pfctl -oo' will load the currently running ruleset and use it as a profile
      to direct the optimization of quicked rules
    ok henning@ mcbride@. man page help from jmc@
2004-06-29  Henning Brauer
    remove cedric's bogus interface name verification code.
    this was meant to verify that ne3 is a valid interface that could show up,
    but bogus0 is not. while this might sound like a good idea it is completely
    broken and causes a shitload of problems. just allow for anything as
    interface name, the kernel abstracts that nice enough. if no interface by
    that name exists (or shows up) the rule never matches; that matches pf
    semantics used everywhere else. this also fixes the "pfctl always has to
    run as root" issue that cedric did not fix over the last 6 months despite
    being bugged to regularly. help & ok mcbride@

2004-06-29  Mike Frantzen
    convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk
    into an interface name's slack space past the \0. will be needed for the
    optimizer. ok henning@

2004-06-26  David Krause
    add back PF_INOUT, fixes reassemble tcp
    ok canacar@ mcbride@

2004-06-25  Theo de Raadt
    repair tree nanobreak by the nanobum

2004-06-21  Mathieu Sauve-Frankel
    Update manpage to reflect changes in anchor naming
    ok beck@ claudio@

2004-06-14  Cedric Berger
    Remove unused functions. ok beck@ henning@

2004-06-12  Cedric Berger
    Fix table add/replace commands with securelevel=2.
    Reported by James J. Lippard. ok otto@

2004-06-10  Miod Vallat
    Work around an uncovered gcc problem on m88k until it receives proper cure.

2004-06-10  Daniel Hartmeier
    rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
    keyword in C++. ok henning@, cedric@

2004-05-30  Jason McIntyre
    various improvements and fixes from jared yanovich;

2004-05-27  Henning Brauer
    plug memleak in error path
    From: Andrey Matveev <andrushock@korovino.net>

2004-05-21  Daniel Hartmeier
    Use '/' instead of ':' as separator for anchor path components. Note that
    the parser now needs quotes around paths containing separators. ok mcbride@

2004-05-20  Henning Brauer
    bzero() ifr before use, From: Andrey Matveev <andrushock@korovino.net>

2004-05-19  Daniel Hartmeier
    Allow recursive anchors (anchors within anchors, up to 64 levels deep).
    More work required, but this is already functional. authpf users will
    need to adjust their anchor calls, but this will change again soon.
    ok beck@, cedric@, henning@, mcbride@

2004-05-07  Henning Brauer
    typos
    From: Jared Yanovich <phirerunner@comcast.net>

2004-05-05  Mike Frantzen
    Use RFC1323 PAWS timestamps as a logical extension to the conventional TCP
    sequence numbers by taking advantage of the maximum 1KHz clock as an upper
    bound on the timestamp. Typically gains 10 to 18 bits of additional
    security against blind data insertion attacks. More if the TS Echo wasn't
    optional :-(
    Enabled with:
        scrub on !lo0 all reassemble tcp
    ok dhartmei@. documentation help from jmc@
2004-04-27  Kenjiro Cho
    make "pfctl -vvsq" to print "No queue in use" and exit when there is no
    queue to show the state.
    requested by "Alexey E. Suslikov" <cruel@texnika.com.ua> ok henning@

2004-04-26  Kenjiro Cho
    do more careful altq bandwidth checking.
    - fix a bug in HFSC that does not take the newly added queue into account
      when computing the bandwidth for admission control.
    - warn when the sum of the child bandwidth exceeds parent's bandwidth for
      both CBQ and HFSC.
    - allow to explicitly specify 0bps to bandwidth. HFSC can have only the
      real-time sc, and it means a blackhole queue for CBQ.
    problem reports by "Alexey E. Suslikov" <cruel@texnika.com.ua> ok henning@

2004-04-24  Cedric Berger
    Add "probability xxx" rule modifier. ok deraadt@

2004-04-22  Henning Brauer
    typo, From: Jared Yanovich <jjy2+@pitt.edu>

2004-04-14  Cedric Berger
    make antispoof work with dynamic addresses. ok dhartmei@ mcbride@

2004-04-14  Cedric Berger
    Better interface filtering. vlan1 should not match vlan19.
    Found by Mike Wolman, ok dhartmei@ mcbride@

2004-04-09  Cedric Berger
    Do not try to load directories. found+ok mpech@

2004-03-20  David Krause
    spelling fix; ok dhartmei@ henning@ deraadt@

2004-03-20  David Krause
    make pfctl -s osfp work and remove -o option from manpage; ok deraadt@
    pointed out by David Hill <davidh at wmis dot net>

2004-03-15  Daniel Hartmeier
    cast %llu arguments to unsigned long long, from Max Laier,
    ok henning@ cedric@

2004-03-14  Daniel Hartmeier
    #include fixes, from Max Laier, ok beck@ henning@

2004-03-10  Ryan Thomas McBride
    Actually use SRCS+= so that we don't have a wrapped line.

2004-03-10  Henning Brauer
    plug 3 memory leaks; 2 from andrushock, 1 by me
    ok pb deraadt

2004-03-08  Henning Brauer
    plug 124 memory leaks
    ok mcbride@ pb@ dhartmei@
2004-03-06  Henning Brauer
    from bgpd:
    plug a memory leak in the lexer. the issue is this code fragment from
    yylex():

        token = lookup(buf);
        yylval.v.string = strdup(buf);
        if (yylval.v.string == NULL)
            err(1, "yylex: strdup");
        return (token);

    lookup() tries to match buf against a list of keywords, and returns the
    associated token if it has a match, or the token STRING otherwise. STRING
    is the only token that needs (and free()s) yylval.v.string. however, we
    assigned memory for it with the strdup in yylex for each and every token.
    the fix is obviously only setting yylval.v.string when lookup() returns
    STRING.
    Patrick Latifi noticed that something was leaking with token handling,
    analysis and fix by me. ok deraadt@

2004-03-03  Theo de Raadt
    no newline in errx, bad cedric; spotted by tedu

2004-03-01  Daniel Hartmeier
    support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
    ok henning@, cedric@

2004-02-27  Henning Brauer
    make pfctl -s all a bit more useful again by not printing a
    lllooooooottttt of OS fingerprints and a list of interface drivers...
    cedric deraadt ok

2004-02-26  Cedric Berger
    Fix/Simplify printing of titles with "pfctl -s all". ok mcbride@

2004-02-26  Cedric Berger
    Fix pfctl -sa output. Found by David Krause, ok mcbride@

2004-02-25  Cedric Berger
    Don't clear global stuff when an anchor is given in addition to -Fa.
    Ok mcbride@ pb@

2004-02-24  Ryan Thomas McBride
    'max-src-nodes' requires 'source-track rule'. Set that automatically,
    unless 'source-track global' is explicit, in which case error out.
    Lots of help from cedric@. ok cedric@ henning@

2004-02-24  Cedric Berger
    fixup.

2004-02-24  Ryan Thomas McBride
    Check for 'source-track rule' with 'max-src-nodes'.
    ok cedric@ henning@

2004-02-19  Cedric Berger
    Makes pfctl -ss and pfctl -sq use optional -i argument.
    ok dhartmei@ markus@ mcbride@

2004-02-19  Cedric Berger
    Makes pfctl -Fs and pfctl -w work with the optional -i specifier.
    Kernel/Userland Sync needed. ok dhartmei@ jmc@ markus@ mcbride@