path: root/sbin
Age | Commit message | Author
2011-08-30 | One shot rules can be used in pf.conf by specifying a "once" filter option. ok henning, mcbride | Mike Belopuhov
2011-08-27 | Under certain circumstances iked can be tricked to bypass a signature verification caused by the incorrect check of the EVP_VerifyFinal return value. Issue was discovered and reported by Justin Ferguson, justin-dot-ferguson-at-ioactive.com. Thanks! While here, check for HMAC_* return values. ok jsg, markus | Mike Belopuhov
2011-08-21 | Remove old wpapsk entries. Cleanup casts and use timerclear. ok mcbride | Christiano F. Haesbaert
2011-08-19 | as with other list types, column lists generally do not need a Pp/-compact construct; this also sidesteps what seems to be a problem with mandoc, in that "-column -compact" seems to mess up the formatting. thus these pages should now have their lists formatted nicely (i.e. correctly aligned and with indent applied); as a side note, the fact that headers are not properly marked up is another issue which will be addressed separately (a mandoc fix is needed, i think). i have fudged a few of these to mark up properly, since the workaround does make sense for some pages. as another side note, i haven't fixed man7, as i need to prepare a separate diff for kristaps and ingo. | Jason McIntyre
2011-08-02 | add refcounting for "Configuration" section for acquire-mode SAs ok mikeb@ | Markus Friedl
2011-08-01 | Add missing closing braces in usage(). Ok jmc@ (who also pointed me to the 2nd missing one) sobrado@. | Matthieu Herrb
2011-07-31 | missing .Nm macro; ok jmc@ | Ingo Schwarze
2011-07-29 | Remove requirement to quote 'debug' loglevel for the 'debug' option. ok henning | Ryan Thomas McBride
2011-07-27 | Add support for weighted round-robin in load balancing pools and tables. Diff from zinke@ with some minor cleanup. ok henning claudio deraadt | Ryan Thomas McBride
2011-07-13 | Force user to specify protocol when filtering on user, gid, and os attributes (this is now required by pf_rule_test()). ok sthen henning | Ryan Thomas McBride
2011-07-09 | Add a missing prototype, fix build with WARNINGS=yes. | Nicholas Marriott
2011-07-09 | tweak previous; | Jason McIntyre
2011-07-09 | remove rotten netatalk bits | Henning Brauer
2011-07-08 | allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels for the new priority queueing implementation. valid range is 0 to 7. the old trick for prioritizing empty ACKs etc remains thru the latter notation ok ryan mpf sthen plus pea testing and halex and claudio reading | Henning Brauer
2011-07-08 | Include PIPEX in kernel by default. And add new sysctl variable `net.pipex.enable' to enable PIPEX. By default, pipex is disabled and it will not process packets from wire. Update man pages and update HOWTO_PIPEX_NPPPD.txt for testers. discussed with dlg@, ok deraadt@ mcbride@ claudio@ | YASUOKA Masahiko
2011-07-08 | Correctly print skip steps in -vv mode - Did not include PF_SKIP_RDOM - Changed order of address and ports. | Ryan Thomas McBride
2011-07-08 | Rename 'rc_scripts' to 'pkg_scripts' to make it clear this variable is for packages _only_. One is not supposed to add any base scripts in it. naddy@ doesn't care (I think he does care but he won't admit it) ok robert@ (I'll add something to current.html in a few) | Antoine Jacoutot
2011-07-08 | add basic config support for creating aoe disks. ok marco | Ted Unangst
2011-07-07 | remove mvmeppc; it is in really rough shape. ok drahn miod | Theo de Raadt
2011-07-07 | We can mention ipcomp, since it works | Theo de Raadt
2011-07-07 | Don't print 'keep state' anymore unless it's needed for state options, it's been implicit for years now. ok henning@ | Ryan Thomas McBride
2011-07-07 | Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes a bunch of bugs with fragment handling not being in sync with the rest of the ruleset. Much feedback from mpf, bluhm & markus Thanks to Tony Sarendal for help with testing ok bluhm; various previous versions ok henning, claudio, mpf, markus | Ryan Thomas McBride
2011-07-06 | Add sysctl net.inet.tcp.always_keepalive, when this is set the system behaves as if SO_KEEPALIVE was set on all TCP sockets, forcing keepalives to be sent every net.inet.tcp.keepidle half-seconds. In conjunction with a keepidle value greatly reduced from the default, this can be useful for keeping sessions open if you are stuck on a network with short NAT or firewall timeouts. Feedback from various people, ok henning@ claudio@ | Stuart Henderson
2011-07-06 | For non-crypted flows (such as ipcomp and ipip), default their type (if not specified) to "use" instead of "require". (since they will not get a key...) ok mikeb claudio | Theo de Raadt
2011-07-05 | Add DIOCGPDINFO to rxioctl(), as a synonym for DIOCGDINFO, the last place it was missing. Delete now redundant calls to DIOCGDINFO when getting physical disk info in disklabel(8) and fdisk(8). Reminded by a fdisk discussion with Andres Perera on tech@. ok deraadt@ | Kenneth R Westerback
2011-07-05 | fix memcpy sizeof. found by jsg. ok deraadt krw mikeb | Ted Unangst
2011-07-05 | More non-512-byte sector groundwork. Don't let disklabel hint that a ffs frag size can be less than the d_secsize of the disk. Make sure amd64 writedisklabel() puts the disklabel where readdoslabel() will read it. Tweak i386/amd64 installboot/biosboot so sectors are indeed used where sectors are claimed. Lets me fdisk, newfs, mount and installboot onto 2048 and 4096 byte sector devices. Other filesystem utilities will still hold surprises. Note that actually booting from such devices will await BIOSen that acknowledge such devices as bootable. ok guenther@ | Kenneth R Westerback
2011-07-05 | kill a useless Pp; | Jason McIntyre
2011-07-05 | Flip one .Fl interface to .Fl iface since iface is used everywhere else even though -interface is the same as -iface. OK jmc@ | Claudio Jeker
2011-07-05 | Fix IKEV2_N_NO_ADDITIONAL_SAS notification by including the SPI | Mike Belopuhov
2011-07-04 | tsc tsc, no waikiki for me. copyright statement without year. 2003 it was. | Henning Brauer
2011-07-04 | Force the sa_len to sizeof(struct sockaddr_dl) before calling link_addr() since the function looks at sa_len internally. This should solve issues with using -ifp modifier because the aflen was often too small. | Claudio Jeker
2011-07-04 | No point in documenting "Encryption only works with vnd". | Matthew Dempsky
2011-07-04 | use strtonum, removing an atoi from the tree. ok deraadt matthew | Ted Unangst
2011-07-04 | bye bye require-order. i added that button many many many years ago since the order (options, scrub, nat, filter) was enforced back then, which I hated. now we had that turned off for ages, and with the scrub and nat rulesets being gone, there is very little reason to enforce an order at all. so let's get rid of it. introducing this button was one of my very early commits to openbsd... feels a bit strange to remove it now :) ok ryan dlg theo | Henning Brauer
2011-07-04 | rip out more effectively dead code, ryan ok | Henning Brauer
2011-07-03 | g/c RIO traces (aka clean up after tedu :)) | Henning Brauer
2011-07-03 | *_CLEARDSCP could never possibly have been set, no point in being able to print that as flag then | Henning Brauer
2011-07-03 | bring in least-states load balancing algorithm ok mcbride@ henning@ | Joerg Zinke
2011-07-03 | iked requires the same dh diff as isakmpd: When BN_bn2bin converts a bignum to the binary representation it skips leading zeroes if there are any. To accommodate the difference with the protocol we need to prepend those zeroes ourselves. | Mike Belopuhov
2011-07-02 | -interface is an alias of -iface so make sure route(8) accepts both flags in the monitor case. Brought up on the mailing list some long time ago. | Claudio Jeker
2011-06-27 | remove some useless casts. ok krw | Ted Unangst
2011-06-27 | cleanup this file a little, review by krw | Ted Unangst
2011-06-27 | for mount_ntfs, fix an error in previous; for tr, fix an error of the same variety... | Jason McIntyre
2011-06-27 | no need for #if 1 on the readonly here, as noticed by deraadt | Ted Unangst
2011-06-27 | cleanup the ntfs man page, and enforce readonly operation. ok deraadt jmc krw | Ted Unangst
2011-06-27 | vlan parent devices do not have to be physical, and they can be changed on the fly now. ok sthen deraadt | Camiel Dobbelaar
2011-06-24 | wrap previous onto a second line | Stuart Henderson
2011-06-24 | nat-to rules require a direction | Stuart Henderson
2011-06-24 | swapctl -s was showing 1k blocks, regardless of -k. so fix this by showing 1k block when we're supposed to. fix from tyr@poczta.fm in pr 6609 ok otto@ | Jasper Lievisse Adriaanse