path: root/sbin
Age         Commit message  (Author)
2002-07-15  cosmetics/consolidations to manpage in yyerror()s  (Philipp Buehler)
            ok henning@, dhartmei@
2002-07-15  o complain about keep state on block rules  (Henning Brauer)
            o complain about return-rst on rules which aren't limited to tcp
            pointed out by not-slacking-but-testing pb@
            ok pb@, dhartmei@
2002-07-13  add list expansion for interface and proto in nat rules and for proto in rdr rules (interface was already there).  (Henning Brauer)
            since the nat.conf/pf.conf merge the parser accepted these but didn't expand them. ugh.
            ok dhartmei@
2002-07-12  Mention that an interface can be a part of at most one bridge.  (Jason Wright)
2002-07-11  malloc() failure tests; rimshot@pandora.be  (Theo de Raadt)
2002-07-09  HASH payload validation does not require an exchange.  (Hakan Olsson)
2002-07-09  check sin6_scope_id field, just in case we change the routing socket API for scoped address (unlikely due to the deployed codebase...).  (Jun-ichiro itojun Hagino)
2002-07-09  getifaddrs(3) grabs link-local addrs in kernel internal form, convert them into proper sockaddr_in6.  (Jun-ichiro itojun Hagino)
2002-07-09  rework the interface-to-IP routines.  (Henning Brauer)
            you can use interface names instead of an IP in most places. However, until now, it was only expanded to the interface's first IPv4 address if existent (and address family unset or inet) and the first IPv6 address otherwise. this diff changes that. the interface is properly expanded to all IPs, IPv4 _and_ IPv6, now.
            it also cleans up the lookup procedures (well, in fact, they are replaced by a new one); there's no need for different procedures for IPv4 and IPv6. we now just have one list of interfaces (AF_LINK) and one list with IPs (AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and ifa_lookup.
            nat, rdr & friends now use the new function ifa_pick_ip to get the IP in rules like
                nat on $interface from $whatever to any -> $interface
            ifa_pick_ip tries to be smart. if the interface has only one IP address and the nat rule doesn't specify an address family (or it matches with this address), take this one. If the address family is specified in the nat rule and there is only one IP for the given address family, this one is used. if the address family is not specified and there is more than one IP, pfctl throws an error. The same applies for multiple IPs per address family. This causes regression tests 18 and 20 to fail because the address family isn't specified there; diff for those coming.
            also fix some prototypes while I'm here.
            pb@ found another problem while testing that we must have introduced somewhat after 3.1.
                $ cat t
                nat on ne3 from any to any -> 213.128.133.5
                $ pfctl -nvf t
                nat on ne3 all -> ?
            it's only a representation bug as far as I've checked, nonetheless it should be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just steal its target's IP af and set the rule's af accordingly. then inet_ntop does play nice. binat rules already enforce having an address family set always and thus are not affected.
            ok dhartmei@, pb@, kjell@
            "It looks good" frantzen@
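The selection rule the commit above describes for ifa_pick_ip (take the single address when the choice is unique, otherwise error) and the follow-on point that the rule should adopt its target's address family, as an added illustration. This is not pfctl's code and does not use its data structures: struct ifaddr_entry, struct pick, pick_ip() and the three interface address lists are constructed for this example, and the addresses come from the documentation ranges.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>     /* AF_UNSPEC, AF_INET, AF_INET6 */

/* Constructed model of one address on an interface. This is not pfctl's
 * struct node_host; it carries only what the selection rule needs. */
struct ifaddr_entry {
    int         af;         /* AF_INET or AF_INET6 */
    const char *addr;       /* textual form, used only for display */
};

enum pick_status { PICK_OK, PICK_NONE, PICK_AMBIGUOUS };

/* Result of a pick: the chosen address and its address family, which the
 * commit says the nat/rdr rule should adopt so that inet_ntop() prints the
 * target instead of "?". */
struct pick {
    enum pick_status status;
    int              af;
    const char      *addr;
};

/*
 * Hypothetical stand-in for ifa_pick_ip(): walk every address of the
 * interface, keep those matching rule_af (AF_UNSPEC means the rule named
 * no family), and accept only when exactly one candidate remains.
 */
static struct pick
pick_ip(const struct ifaddr_entry *ifa, size_t n, int rule_af)
{
    struct pick res = { PICK_NONE, AF_UNSPEC, NULL };
    size_t i, matches = 0;

    for (i = 0; i < n; i++) {
        if (rule_af != AF_UNSPEC && ifa[i].af != rule_af)
            continue;                    /* wrong family for an inet/inet6 rule */
        if (matches++ == 0) {            /* remember the first candidate */
            res.af = ifa[i].af;
            res.addr = ifa[i].addr;
        }
    }
    if (matches == 0)
        return res;                      /* nothing usable: PICK_NONE */
    if (matches > 1) {
        res.status = PICK_AMBIGUOUS;     /* pfctl rejects the rule here */
        res.af = AF_UNSPEC;
        res.addr = NULL;
        return res;
    }
    res.status = PICK_OK;
    return res;
}

/* Constructed interface address lists (RFC 5737 / RFC 3849 documentation ranges). */
static const struct ifaddr_entry one_v4[] = {
    { AF_INET,  "192.0.2.1" },
};
static const struct ifaddr_entry dual_stack[] = {
    { AF_INET,  "192.0.2.1" },
    { AF_INET6, "2001:db8::1" },
};
static const struct ifaddr_entry two_v4[] = {
    { AF_INET,  "192.0.2.1" },
    { AF_INET,  "192.0.2.2" },
};

static void
show(const char *label, struct pick p)
{
    if (p.status == PICK_OK)
        printf("%-22s -> %s (af %s)\n", label, p.addr,
            p.af == AF_INET ? "inet" : "inet6");
    else
        printf("%-22s -> error: %s\n", label,
            p.status == PICK_NONE ? "no address of that family"
                                  : "more than one address, specify inet or inet6");
}

int
main(void)
{
    show("one v4, no af",     pick_ip(one_v4, 1, AF_UNSPEC));
    show("dual stack, no af", pick_ip(dual_stack, 2, AF_UNSPEC));
    show("dual stack, inet6", pick_ip(dual_stack, 2, AF_INET6));
    show("two v4, inet",      pick_ip(two_v4, 2, AF_INET));
    show("one v4, inet6",     pick_ip(one_v4, 1, AF_INET6));
    return 0;
}
```

The ambiguous cases are the ones that matter operationally: a dual-stack interface in a rule with no inet/inet6 keyword, or two addresses of the same family, both return PICK_AMBIGUOUS rather than silently picking the first address, which is exactly the behaviour the commit says makes regression tests 18 and 20 fail until they name a family.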
2002-07-08  Don't allow 'flags' option in non-TCP rules, found by mpech@  (Daniel Hartmeier)
2002-07-08  make failed SIOCG80211NWKEY print alert more clearly; jolan@norm.encryptedemail.net  (Theo de Raadt)
2002-07-06  Remove kernel support for NTP. ok deraadt@ and tholo@  (Thomas Nordin)
2002-07-06  Security Mode feature set.  (Grigoriy Orlov)
            From Alexander Yurchenko <grange@rt.mipt.ru>
            Approved by csapuntz@ and me.
2002-07-05  unbreak.  (Henning Brauer)
2002-07-05  another small bug I found while installing a -current pf firewall.  (Henning Brauer)
            we don't support pass/block in on ! <interface> (at least, not yet); let the parser complain instead of ignoring the '!'
            ok pb@, dhartmei@
2002-07-05  allow unsetting the statusinterface via  (Henning Brauer)
                set loginterface none
            ok dhartmei@
2002-07-05  volatile sig_atomic_t, suggested by Theo.  (Hakan Olsson)
2002-07-05  gcc 3.1 nits. Pointed out by David Krause.  (Hakan Olsson)
2002-07-04  Do not assume we have an active exchange during payload validation.  (Hakan Olsson)
2002-07-04  style  (Hakan Olsson)
2002-07-03  ansi  (Theo de Raadt)
2002-07-03  convert to ansi. suddenly realise that means yet another function is a signal handler in some cases, and make it cope with the termination race.  (Theo de Raadt)
2002-07-01  cut and pasto (fetch maxage correctly); Benny Holmgren <bigfoot@astrakan.hig.se>  (Jason Wright)
2002-07-01  do not Xr startkey  (Theo de Raadt)
2002-07-01  streamline parse buffer handling (no need to copy value that is not going to go away).  (Marc Espie)
            add explicit pushback buffer, to be able to push IPv6 failed parses back. handle pushback + parse buffer interactions by using negative indices.
            okay dhartmei@, deraadt@
2002-07-01  KNF  (Theo de Raadt)
2002-06-29  ansi  (Theo de Raadt)
2002-06-29  IPPROTO_ICMP will not change in our life; itojun ok  (Theo de Raadt)
2002-06-28  Don't check for address family conflicts in nat/rdr before expansion, rules will expand to all valid combinations, and there's an error when none is found.  (Daniel Hartmeier)
            Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)" work (again).
2002-06-27  fix synopsis, closes pr2775  (Henning Brauer)
            ok pb@
2002-06-27  repair formatting - the new "enabled since" format is longer than the old one and thus the field lengths need to be adjusted.  (Henning Brauer)
            ok dhartmei@, pb@
2002-06-26  Missing .Xr's from Margarida Sequeira <niness@devilness.org>.  (Federico G. Schwindt)
            Remove unmount(2) per millert suggestion; millert@ ok.
2002-06-26  include <bsd.own.mk> before using NOMAN; ok millert@  (Wilbern Cobb)
2002-06-25  Minor fixes, including duplicate and missing words; Brian Poole  (Todd C. Miller)
2002-06-25  move pfctl options -t, -m, -O and -l to pf.conf. These are set using the "set" keyword.  (Henning Brauer)
            example rulefile:
                set optimization aggressive
                set timeout { tcp.closing 6, tcp.opening 6 }
                set limit { states 1000, frags 1000 }
                set loginterface wi0
                pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
                block in all
            fries@ is working on an updated pf.conf(5)
            discussed at c2k2 and on icb
            ok dhartmei@, kjell@
2002-06-24  Use interface when specified in scrub rule. No support for ! or {} yet.  (Daniel Hartmeier)
2002-06-23  uid_t and gid_t are unsigned  (Theo de Raadt)
2002-06-22  document -T option, PR#2766. ok deraadt@  (Jakob Schlyter)
2002-06-20  wi_ssid_len is in little-endian as well, so convert it. fixes ssid printing on sparc64; millert@ ok.  (Federico G. Schwindt)
2002-06-20  Copy address family from inet/inet6 keyword, if specified.  (Daniel Hartmeier)
2002-06-20  enable wicontrol on sparc64 as well; deraadt ok.  (Federico G. Schwindt)
2002-06-19  Since we can no longer count on isprint() to tell us whether or not a character is 7-bit ASCII, check the high bit by hand when deciding whether to print a WEP key as ASCII or hex.  (Todd C. Miller)
2002-06-19  "Enabled for Ss" -> "Enabled for D days HH:MM:SS", ok frantzen@  (Daniel Hartmeier)
2002-06-18  propagate a '!' when a host resolves to multiple IP addresses  (Mike Frantzen)
            ok dhartmei@
2002-06-18  don't allow individual keep state rules to specify timeouts for 'interval' and 'frag' -- they aren't applied anyway  (Mike Frantzen)
            ok dhartmei@ and henning@
2002-06-17  only make -g available to root, by disabling setgid kmem; bunch of people ok  (Theo de Raadt)
2002-06-17  A bit better. Remove debug cruft.  (Hakan Olsson)
2002-06-16  Rules must in order -> Rules must be in order  (Aaron Campbell)
2002-06-15  ecn_* policy attributes --- ok ho@  (Angelos D. Keromytis)
2002-06-15  Reset rulestate in parse_rules(), so consecutive calls (like from authpf) will not fail.  (Daniel Hartmeier)
            Reported by Chris Kuethe.