Age | Commit message | Author
---|---|---
2002-07-15 | cosmetics/consolidations to manpage in yyerror()s. ok henning@, dhartmei@ | Philipp Buehler
2002-07-15 | o complain about keep state on block rules. o complain about return-rst on rules which aren't limited to tcp, pointed out by not-slacking-but-testing pb@. ok pb@, dhartmei@ | Henning Brauer
2002-07-13 | add list expansion for interface and proto in nat rules and for proto in rdr rules (interface was already there). since the nat.conf/pf.conf merge the parser accepted these but didn't expand them. ugh. ok dhartmei@ | Henning Brauer
2002-07-12 | Mention that an interface can be a part of at most one bridge. | Jason Wright
2002-07-11 | malloc() failure tests; rimshot@pandora.be | Theo de Raadt
2002-07-09 | HASH payload validation does not require an exchange. | Hakan Olsson
2002-07-09 | check sin6_scope_id field, just in case we change the routing socket API for scoped address (unlikely due to the deployed codebase...). | Jun-ichiro itojun Hagino
2002-07-09 | getifaddrs(3) grabs link-local addrs in kernel internal form, convert them into proper sockaddr_in6. | Jun-ichiro itojun Hagino
2002-07-09 | rework the interface-to-IP routines. you can use interface names instead of an IP in most places. However, until now, it was only expanded to the interface's first IPv4 address if existent (and address family unset or inet) and the first IPv6 address otherwise. this diff changes that. the interface is properly expanded to all IPs, IPv4 _and_ IPv6, now. it also cleans up the lookup procedures (well, in fact, they are replaced by a new one), there's no need for different procedures for IPv4 and IPv6. we now just have one list of interfaces (AF_LINK) and one list with IPs (AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and ifa_lookup. nat, rdr & friends now use the new function ifa_pick_ip to get the IP in rules like `nat on $interface from $whatever to any -> $interface`. ifa_pick_ip tries to be smart. if the interface has only one IP address and the nat rule doesn't specify an address family (or it matches with this address), take this one. If the address family is specified in the nat rule and there is only one IP for the given address family, this one is used. if the address family is not specified and there is more than one IP pfctl throws an error. The same applies for multiple IPs per address family. This causes regression tests 18 and 20 to fail because the address family isn't specified there; diff for those coming. also fix some prototypes while I'm here. pb@ found another problem while testing that we must have introduced somewhat after 3.1. `$cat t` / `nat on ne3 from any to any -> 213.128.133.5` / `$pfctl -nvf t` / `nat on ne3 all -> ?` it's only a representation bug as far as I've checked, nonetheless it should be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just steal its target's IP af and set the rule's af accordingly. then inet_ntop does play nice. binat rules already enforce having an address family set always and thus are not affected. ok dhartmei@, pb@, kjell@ "It looks good" frantzen@ | Henning Brauer
2002-07-08 | Don't allow 'flags' option in non-TCP rules, found by mpech@ | Daniel Hartmeier
2002-07-08 | make failed SIOCG80211NWKEY print alert more clearly; jolan@norm.encryptedemail.net | Theo de Raadt
2002-07-06 | Remove kernel support for NTP. ok deraadt@ and tholo@ | Thomas Nordin
2002-07-06 | Security Mode feature set. From Alexander Yurchenko <grange@rt.mipt.ru>. Approved by csapuntz@ and me. | Grigoriy Orlov
2002-07-05 | unbreak. | Henning Brauer
2002-07-05 | another small bug I found while installing a -current pf firewall. we don't support `pass/block in on ! <interface>` (at least, not yet); let the parser complain instead of ignoring the '!'. ok pb@, dhartmei@ | Henning Brauer
2002-07-05 | allow unsetting the statusinterface via `set loginterface none`. ok dhartmei@ | Henning Brauer
2002-07-05 | volatile sig_atomic_t, suggested by Theo. | Hakan Olsson
2002-07-05 | gcc 3.1 nits. Pointed out by David Krause. | Hakan Olsson
2002-07-04 | Do not assume we have an active exchange during payload validation. | Hakan Olsson
2002-07-04 | style | Hakan Olsson
2002-07-03 | ansi | Theo de Raadt
2002-07-03 | convert to ansi. suddenly realise that means yet another function is a signal handler in some cases, and make it cope with the termination race. | Theo de Raadt
2002-07-01 | cut and pasto (fetch maxage correctly); Benny Holmgren <bigfoot@astrakan.hig.se> | Jason Wright
2002-07-01 | do not Xr startkey | Theo de Raadt
2002-07-01 | streamline parse buffer handling (no need to copy value that is not going to go away). add explicit pushback buffer, to be able to push IPv6 failed parses back. handle pushback + parse buffer interactions by using negative indices. okay dhartmei@, deraadt@ | Marc Espie
2002-07-01 | KNF | Theo de Raadt
2002-06-29 | ansi | Theo de Raadt
2002-06-29 | IPPROTO_ICMP will not change in our life; itojun ok | Theo de Raadt
2002-06-28 | Don't check for address family conflicts in nat/rdr before expansion, rules will expand to all valid combinations, and there's an error when none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)" work (again). | Daniel Hartmeier
2002-06-27 | fix synopsis, closes pr2775. ok pb@ | Henning Brauer
2002-06-27 | repair formatting - the new "enabled since" format is longer than the old one and thus the field lengths need to be adjusted. ok dhartmei@, pb@ | Henning Brauer
2002-06-26 | Missing .Xr's from Margarida Sequeira <niness@devilness.org>. Remove unmount(2) per millert suggestion; millert@ ok. | Federico G. Schwindt
2002-06-26 | include `<bsd.own.mk>` before using NOMAN; ok millert@ | Wilbern Cobb
2002-06-25 | Minor fixes, including duplicate and missing words; Brian Poole | Todd C. Miller
2002-06-25 | move pfctl options -t, -m, -O and -l to pf.conf. These are set using the "set" keyword. example rulefile: `set optimization aggressive` / `set timeout { tcp.closing 6, tcp.opening 6 }` / `set limit { states 1000, frags 1000 }` / `set loginterface wi0` / `pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"` / `block in all`. fries@ is working on an updated pf.conf(5). discussed at c2k2 and on icb. ok dhartmei@, kjell@ | Henning Brauer
2002-06-24 | Use interface when specified in scrub rule. No support for ! or {} yet. | Daniel Hartmeier
2002-06-23 | uid_t and gid_t are unsigned | Theo de Raadt
2002-06-22 | document -T option, PR#2766. ok deraadt@ | Jakob Schlyter
2002-06-20 | wi_ssid_len is in little-endian as well, so convert it. fixes ssid printing on sparc64; millert@ ok. | Federico G. Schwindt
2002-06-20 | Copy address family from inet/inet6 keyword, if specified. | Daniel Hartmeier
2002-06-20 | enable wicontrol on sparc64 as well; deraadt ok. | Federico G. Schwindt
2002-06-19 | Since we can no longer count on isprint() to tell us whether or not a character is 7-bit ASCII, check the high bit by hand when deciding whether to print a WEP key as ASCII or hex. | Todd C. Miller
2002-06-19 | "Enabled for Ss" -> "Enabled for D days HH:MM:SS", ok frantzen@ | Daniel Hartmeier
2002-06-18 | propagate a '!' when a host resolves to multiple IP addresses. ok dhartmei@ | Mike Frantzen
2002-06-18 | don't allow individual keep state rules to specify timeouts for 'interval' and 'frag' -- they aren't applied anyway. ok dhartmei@ and henning@ | Mike Frantzen
2002-06-17 | only make -g available to root, by disabling setgid kmem; bunch of people ok | Theo de Raadt
2002-06-17 | A bit better. Remove debug cruft. | Hakan Olsson
2002-06-16 | Rules must in order -> Rules must be in order | Aaron Campbell
2002-06-15 | ecn_* policy attributes --- ok ho@ | Angelos D. Keromytis
2002-06-15 | Reset rulestate in parse_rules(), so consecutive calls (like from authpf) will not fail. Reported by Chris Kuethe. | Daniel Hartmeier