path: root/sbin
Age | Commit message | Author
2003-12-16 | Document new pfsync options (syncif, -syncif and maxupd). | Ryan Thomas McBride
    ok deraadt@
2003-12-16 | Check that max-src-states and max-src-nodes are not being set to 0. | Ryan Thomas McBride
2003-12-16 | hostid is stored in network byte order, print in host byte order. | Ryan Thomas McBride
2003-12-15 | Support for groups modp2048, modp3072, modp4096, modp6144 and modp8192 (IDs 14 to 18). ok ho@ | Hans-Joerg Hoexer
2003-12-15 | KNF here too | Henning Brauer
2003-12-15 | Whitespace. | Ryan Thomas McBride
2003-12-15 | Add initial support for pf state synchronization over the network. | Ryan Thomas McBride
    Implemented as an in-kernel multicast IP protocol. Turn it on like this:
        # ifconfig pfsync0 up syncif fxp0
    There is not yet any authentication on this protocol, so the syncif must be on a trusted network. ie, a crossover cable between the two firewalls.
    NOTABLE CHANGES:
    - A new index based on a unique (creatorid, stateid) tuple has been added to the state tree.
    - Updates now appear on the pfsync(4) interface; multiple updates may be compressed into a single update.
    - Applications which use bpf on pfsync(4) will need modification; packets on pfsync no longer contain regular pf_state structs, but pfsync_state structs which contain no pointers.
    Much more to come.
    ok deraadt@
2003-12-15 | Add support to track stateful connections by source ip. This allows us to: | Ryan Thomas McBride
    - Ensure that clients get a consistent IP mapping with load-balanced translation/routing rules
    - Limit the number of simultaneous connections a client can make
    - Limit the number of clients which can connect through a rule
    ok dhartmei@ deraadt@
2003-12-14 | Log the actual port for src and dst, don't assume it's always 500. | Hakan Olsson
2003-12-14 | Make isakmpd work on big endian linux machines. From Sebastian Klemke. | Hakan Olsson
    Also, a few style nits and a better error message text.
2003-12-08 | make man page more closely match what's in /proc; | Jason McIntyre
    partly from PR 2101 (still open, since code needs fixed); ok tedu@
2003-12-08 | add IOCIFGCLONERS; ifconfig -C; from netbsd; ok henning, deraadt | Markus Friedl
2003-12-07 | ANSI | Markus Friedl
2003-12-07 | typo; lists-openbsd@2ls4agd.net | Theo de Raadt
2003-12-06 | bit more flesh to the create and destroy; thanks jmc | Theo de Raadt
2003-12-05 | Style nits | Hakan Olsson
2003-12-05 | madvise() the mfs storage area as randomly accessed as mfs does its own clustering; tedu@ ok | Michael Shalayeff
2003-12-04 | Validate SPIs presented in DELETE messages of the informational exchange. | Hans-Joerg Hoexer
    ok markus@
2003-12-04 | Typos | Miod Vallat
2003-12-04 | no, you cannot form a raid from wd0h and wd0h. | Henning Brauer
    found by Joel Knight
2003-12-03 | add support for ifconfig clone; from netbsd; ok deraadt, henning | Markus Friedl
2003-12-02 | UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt) | Markus Friedl
    ok deraadt@
2003-11-29 | allow ':' (range including boundaries) to be used wherever '><' (range excluding boundaries) is legal. | Daniel Hartmeier
    already supported by kernel, requires only removal of three error messages. ok henning@
2003-11-25 | - document interaction with SIGINFO, as observed by Franciszek Holop on misc@ | Jason McIntyre
    - add some .Pp
    - typo
2003-11-22 | daniel stumbled over a broken regress test, and it turned out that I forgot to commit a diff from 11/6... | Henning Brauer
    do not insert the "block in on ! interface" rule for antispoof statements when the interface in question does not have any IP address, because that then expands to
        block in on ! interface all
    which is obviously bad.
    niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember
2003-11-21 | - standard SYNOPSIS | Jason McIntyre
    - sort OPTIONS
    - s/Dq/Sq when quoting single characters
    - sync usage()
    - simplify macros
2003-11-20 | remove -Werror from userland builds, to give us a chance to use more verbose warning options if desired. | Anil Madhavapeddy
    ok millert@, henning@, david@
2003-11-20 | use .Dv for AF_INET and AF_INET6 (kills ugly line break); | Jason McIntyre
    spotted by Alexey E. Suslikov;
    also kill some .Pp's before displays/lists for better PostScript output;
2003-11-16 | __attribute__((__packed__)) -> __packed | Anil Madhavapeddy
2003-11-15 | fix savecore on big endian 64 bit arches. OK millert@ | Marco S Hyman
2003-11-15 | no dup header sys/types.h. from Andrey Matveev | Ted Unangst
2003-11-14 | in print_status: | Henning Brauer
    -print debuglevel "Loud", this was omitted before (caught by mpech@)
    -use the fine PF_DEBUG_* defines instead of magic numbers
    ok markus
2003-11-14 | allow the debuglevel to be set from pf.conf (set debug) | Henning Brauer
    ok cedric@
2003-11-09 | Unbreak printing of vlan interface information, commented out accidentally in CARP import. | Ryan Thomas McBride
2003-11-08 | typos from Jonathon Gray; | Jason McIntyre
2003-11-08 | Add 'no-sync' state option to prevent state transition messages for states created by this rule from appearing on the pfsync(4) interface. | Ryan Thomas McBride
    e.g. pass in proto tcp to self flags S/SA keep state (no-sync)
    ok cedric@ henning@ dhartmei@
2003-11-07 | adress -> address, and a few more; all from Jonathon Gray; | Jason McIntyre
    (mvme68k/mvme88k) vs.c and (vax) if_le.c ok miod@
    isakmpd ones ok ho@
2003-11-07 | - document /etc/kbdtype | Jason McIntyre
    - sort options list and FILES
    - put example descriptions before examples and indent them
    ok mickey@
2003-11-06 | Style nits. | Hakan Olsson
2003-11-06 | Require encrypted messages as soon as we have the keystate for it. | Hakan Olsson
    Require DELETE payloads to be accompanied by HASHes, and add validation for HASH payloads without active exchanges. From Hans-Joerg Hoexer with various modifications and suggestions from me and markus@. Ok markus@.
2003-11-06 | spis[] type tweak. From Hans-Joerg Hoexer. | Hakan Olsson
2003-11-06 | two more KNF violations I missed earlier. who introduces those all the time? | Henning Brauer
2003-11-06 | and fix two err() that should be errx() while being here | Henning Brauer
2003-11-06 | need calloc here | Henning Brauer
2003-11-06 | KNF | Henning Brauer
2003-11-06 | allow the label macros to be used in tags as well. | Henning Brauer
    the idea is not mine and I'd love to get credit, but I cannot find the mail any more :-((
    ok canacar@ dhartmei@
2003-11-06 | don't write magic until the file system is really done. prevents fsck/mount unhappiness. | Ted Unangst
    hint from freebsd-arch ml. ok deraadt@
2003-11-05 | PFS: Perfect Forward Secrecy (RFC 2409); | Jason McIntyre
    from misc@ and ok markus@
2003-11-05 | updated URL from Jared Yanovich; | Jason McIntyre
2003-11-05 | updated URL from Jared Yanovich; | Jason McIntyre