path: root/sbin
Age  Author  Commit message
2009-11-13  Theo de Raadt
    fix a few memory leaks found by parfait; ok hshoexer
2009-11-13  Jonathan Gray
    Don't use [] in function arguments when dealing with arrays we don't know the size of, otherwise gcc >= 4 will error. ok markus@ deraadt@
2009-11-12  Theo de Raadt
    free flagsp if flags variable indicates it was not used, found by parfait;
    ok millert
2009-11-12  Theo de Raadt
    4 memory leaks found by parfait; ok millert
2009-11-12  Theo de Raadt
    reading off the end of table bug, found by parfait
2009-11-12  Theo de Raadt
    memory leak found by parfait; ok jsg
2009-11-12  Jonathan Gray
    Make sure we have enough space for the trailing \0 on prepend/append of dhcp options. found by parfait. ok krw@
2009-11-09  Jason McIntyre
    pfsync devices can be dynamically created too; from vladimir kirillov
    ok henning
2009-11-09  Jonathan Gray
    A few more places to be updated for the route pool change.
    expanded version of a diff from Vadim Zhukov. ok henning@ claudio@
2009-11-05  Michele Marchetto
    IPv6 support for divert sockets.
    tested by phessler@ pyr@ ok claudio@ "go ahead" deraadt@
2009-11-05  Todd T. Fries
    adding an interface if it already is added should be successful, not give a bogus and misleading error, this permits re-running bridgename.if(5) files etc without confusion
    prodded/found by deraadt@ ok deraadt@ phessler@ henning@ stsp@
2009-11-04  Jason McIntyre
    tweak previous;
2009-11-04  Jason McIntyre
    tweak previous;
2009-11-03  Claudio Jeker
    Lies. We no longer support this magic netmask at the end of the line compatibility.
2009-11-03  Theo de Raadt
    Get rid of pflogd.pid because the privsep child cannot delete the pidfile; use pkill(1) in /etc/newsyslog.conf instead
    together with otto and suggestions from tedu
2009-11-03  Claudio Jeker
    rtables are stacked on rdomains (it is possible to have multiple routing tables on top of a rdomain) but until now our code was a crazy mix so that it was impossible to correctly use rtables in that case. Additionally pf(4) only knows about rtables and not about rdomains. This is especially bad when tracking (possibly conflicting) states in various domains.
    This diff fixes all or most of these issues. It adds a lookup function to get the rdomain id based on a rtable id. Makes pf understand rdomains and allows pf to move packets between rdomains (it is similar to NAT).
    Because pf states now track the rdomain id as well it is necessary to modify the pfsync wire format. So old and new systems will not sync up.
    A lot of help by dlg@, tested by sthen@, jsg@ and probably more. OK dlg@, mpf@, deraadt@
2009-11-02  Igor Sobrado
    s/hz/Hz/ on multiples of the SI unit hertz other than MHz.
    reminded by STeve Andre.
2009-11-02  Claudio Jeker
    Print the route metrics in monitor mode if -v is used. This info can be useful from time to time and it is easier than deciphering ktrace output. While there kill the no longer needed msec macro. OK henning
2009-11-02  Claudio Jeker
    Use strtonum instead of atoi, this allows basic range checking.
    While there remove some very old compat code supporting a syntax that no one still knows or uses. OK henning@, deraadt@
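The point of the strtonum commit above, shown as an added example (this is not the sbin code from the log): atoi(3) silently returns 0 for garbage, stops at the first non-digit and has no overflow reporting, so a port such as "70000" or "22x" sails through and is later truncated or misread. strtonum(3) is OpenBSD libc and not available everywhere, so the example re-implements its contract as a portable stand-in called parse_bounded(); the helper names and the port bounds 1..65535 are this example's own choices.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable stand-in for strtonum(3) (assumption: same contract as the
 * OpenBSD function): parse s as a decimal integer in [minval, maxval].
 * On success *errstr is NULL and the value is returned; on any failure
 * (not a number, trailing garbage, out of range) *errstr points to a
 * static message and 0 is returned, so a bad value cannot be consumed
 * without the caller noticing. */
long long
parse_bounded(const char *s, long long minval, long long maxval,
    const char **errstr)
{
	char *end;
	long long v;

	*errstr = NULL;
	if (minval > maxval) {
		*errstr = "invalid";
		return 0;
	}
	errno = 0;
	v = strtoll(s, &end, 10);
	if (end == s || *end != '\0') {
		*errstr = "invalid";
		return 0;
	}
	if ((errno == ERANGE && v == LLONG_MIN) || v < minval) {
		*errstr = "too small";
		return 0;
	}
	if ((errno == ERANGE && v == LLONG_MAX) || v > maxval) {
		*errstr = "too large";
		return 0;
	}
	return v;
}

/* The atoi(3) way: no error reporting at all, "abc" becomes 0,
 * "22x" becomes 22 and "70000" does not fit a 16-bit port. */
int
port_with_atoi(const char *s)
{
	return atoi(s);
}

/* The strtonum way: only a pure number in 1..65535 is accepted.
 * Returns -1 on error after printing the reason. */
int
port_with_strtonum(const char *s)
{
	const char *errstr;
	long long p = parse_bounded(s, 1, 65535, &errstr);

	if (errstr != NULL) {
		fprintf(stderr, "port is %s: %s\n", errstr, s);
		return -1;
	}
	return (int)p;
}

int
main(void)
{
	/* constructed inputs */
	const char *inputs[] = { "80", "65535", "70000", "abc", "22x", "-5", "0" };
	size_t i;

	for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
		printf("%-6s atoi=%d strtonum=%d\n", inputs[i],
		    port_with_atoi(inputs[i]), port_with_strtonum(inputs[i]));
	return 0;
}
```

On OpenBSD the parse_bounded() body collapses to a single strtonum(3) call with the same three-way error message, which is why the commit could replace atoi calls one for one.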
2009-10-31  Chris Kuethe
    If the nmea(4) or endrun(4) timing disciplines are selected ignore status lines; this prevents poll(2) from saying the fd has data to be read, when it only had a status line change. Prevents ldattach from exiting when relaying data to gpsd while being driven by a gps with 1PPS. ok deraadt
2009-10-30  Jonathan Gray
    The script that generates keywords.h wasn't updated when mplslabel label was added, fix.
2009-10-28  Jonathan Gray
    Add a dedicated pf pool for route options as suggested by henning, which unbreaks i.e. route-to after the recent pf changes. With much help debugging and pointing out of missing bits from claudio@ ok claudio@ "looks good" henning@
2009-10-28  Claudio Jeker
    route_host initializes the netmask to a /128 no matter what af is used so that the load balancing code does not freak out but because of this check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL so check_netmask() is fixing up the netmask for IPv4 and stops complaining. This is a partial fix for the failing regress test 13. found with jsg, looks good henning
2009-10-28  Claudio Jeker
    Correct function name in err and errx.
2009-10-28  Chris Kuethe
    poll events must be reinitialized after each call to poll. fixes ldattach exiting when relaying (nmea to gpsd, for example). ok deraadt@
2009-10-28  Theo de Raadt
    rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and unmaintainable). these days, people use source. these id's do not provide any benefit, and do hurt the small install media (the 33,000 line diff is essentially mechanical) ok with the idea millert, ok dms
2009-10-25  Marco Peereboom
    Somehow during my testing I missed a test case where an existing crypto volume could no longer be brought up. Found by Pedro la Peu <pedro@am-gen.org>, thanks for the report.
2009-10-22  Jason McIntyre
    tweak previous; ok marco
2009-10-22  Igor Sobrado
    use the UNIX-related macros (.At and .Ux) where appropriate.
    ok jmc@
2009-10-21  Marco Peereboom
    Add delete example since it has come up several times.
2009-10-21  Marco Peereboom
    Add passphrase file for crypto volume bring-up. Prodded and ok deraadt
2009-10-21  Stuart Henderson
    nat -> match...nat-to in example PF rule. ok mpf@
2009-10-11  Mats O Jansson
    Enable kbd on landisk and socppc. -moj ok miod@
2009-10-04  Michele Marchetto
    Add (again) support for divert sockets. They allow you to:
    - queue packets from pf(4) to a userspace application
    - reinject packets from the application into the kernel stack.
    The divert socket can be bound to a special "divert port" and will receive every packet diverted to that port by pf(4). The pf syntax is pretty simple, e.g.:
        pass on em0 inet proto tcp from any to any port 80 divert-packet port 1
    A lot of discussion has happened since my last commit that resulted in many changes and improvements. I would *really* like to thank everyone who took part in the discussion, especially canacar@ who pointed out the limitations of this approach.
    OpenBSD divert(4) is meant to be compatible with software running on top of FreeBSD's divert sockets even though they are pretty different and will become even more so with time.
    discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
    tested by reyk@ and myself
    ok reyk@ claudio@ beck@
    manpage help and ok by jmc@
2009-10-04  Joel Sing
    When IKE is operating in dynamic mode and no srcid is given, the hostname is used as the srcid, however the srcid type is not specified. Rectify this by explicitly setting the srcid type to FQDN after successfully retrieving the hostname. This worked prior to the addition of IPV4_ADDR/IPV6_ADDR support since get_id_type() returned ID_FQDN even when presented with a null pointer. Issue reported by Mikolaj Kucharski.
2009-10-01  Theo de Raadt
    There is no -F flag, it is -f; spotted by tasm.devil@googlemail
2009-09-29  Jason McIntyre
    sort usage();
2009-09-28  David Gwynne
    add -S and -L options to store and load the pf state table from a file.
    inspired by the short reboot times on an rb600a provided by stephan rickauer. testing and bugfixing by sthen@ ok mcbride@ sthen@
2009-09-27  Mats O Jansson
    Build on armish. Since wsconscfg is built on palm build wsconsctl too. -moj
2009-09-27  Mats O Jansson
    Show fbinfo if it exists. ok mglocker@ -moj
2009-09-15  Federico G. Schwindt
    also ignore boundaries when checking if the disklabel was modified when -e is used. discussed and ok krw@
2009-09-14  Claudio Jeker
    Switch get_linkstate() to use the new LINK_STATE_DESCRIPTIONS instead of the if_media dance. Simplifies the code nicely. OK henning, sthen, michele, deraadt
2009-09-08  Michele Marchetto
    I did not have enough oks to commit this diff.
    Sorry.
2009-09-08  Michele Marchetto
    Add support for divert sockets. They allow you to:
    - queue packets from pf(4) to a userspace application
    - reinject packets from the application into the kernel stack.
    The divert socket can be bound to a special "divert port" and will receive every packet diverted to that port by pf(4). The pf syntax is pretty simple, e.g.:
        pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000
    test, bugfix and ok by reyk@ manpage help and ok by jmc@ no objections from many others.
2009-09-07  Reyk Floeter
    implement binat-to as a macro-like rule: a rule using the new binat-to syntax will be expanded by the parser to a nat-to+rdr-to combination to be loaded into the kernel. this simplifies the migration from old binat rules and is less error-prone. feedback from many, manpage bits from jmc@ ok henning@
2009-09-03  Jason McIntyre
    remove -N from usage();
2009-09-03  Reyk Floeter
    this time i commit the right diff that was ok henning@ (sorry)
2009-09-03  Reyk Floeter
    fix two route-to vs. rdr-to conflicts.
    found by sthen@ ok henning@
2009-09-03  Peter Hessler
    remove NAT specific command line options
    noticed by Wiktor Izdebski OK henning@
2009-09-02  Reyk Floeter
    all the new *-to options are part of the "filteropts" section at the end of a pf rule (nat-to, divert-to, rdr-to, ...). take the historical chance to upgrade the grammar and move the route options to the filteropts section as well. for example,
        pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
    becomes
        pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)
    many people like this including pyr@ mk@ kettenis@ todd@ and others ok henning@
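The grammar the 2009-09-02 commit describes, together with the nat-to, binat-to and divert-packet rules introduced in the commits above it, as an added pf.conf fragment (this is an illustration written for this page, not a file from the OpenBSD tree; em0/em1, the 10.1.1.0/24 and 192.0.2.0/24 addresses and divert port 700 are made-up values):

```pf
# Every translation, diversion or routing action is a filteropt: it goes at
# the end of the rule, after the from/to selectors, never in front of them.

# Old grammar, rejected after the 2009-09-02 change:
#   pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
# New grammar, route-to in the filteropts section:
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

# NAT is now a match rule carrying nat-to instead of a separate "nat on" rule
match out on em0 inet from 10.1.1.0/24 nat-to 192.0.2.1

# binat-to is expanded by the parser into a nat-to + rdr-to pair
match on em0 inet from 10.1.1.5 binat-to 192.0.2.5

# divert-packet hands matching packets to a divert(4) socket bound to port 700
pass on em0 inet proto tcp from any to any port 80 divert-packet port 700
```

Check a rewritten ruleset with `pfctl -nf /etc/pf.conf` before loading it: the parser rejects the old positional route-to form, so the dry run is where a migration mistake shows up instead of in a half-loaded ruleset.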