path: root/sbin
Age | Commit message | Author
2006-11-13 | briefly describe phases 1 and 2, and use these terms more | Jason McIntyre
consistently in the rest of the page; help/ok hshoexer
2006-11-13 | previous was not quite right; | Jason McIntyre
2006-11-13 | fix a macro mistake; | Jason McIntyre
2006-11-13 | Handle rules with addresses from mismatched address families correctly. | Ryan Thomas McBride
ok msf@
2006-11-11 | Fix memory leak, from Charles Longeau, many okays | Pedro Martelletto
2006-11-11 | EXAMPLES was getting too lengthy, so trim some of the ones that were | Jason McIntyre
either obscure, bordering on the duplicate, or referring to pseudo devices; if you want examples for pseudo devices, put them in their specific man page, please. ok jcs
2006-11-10 | landisk has no kbd(8) | Theo de Raadt
2006-11-10 | Add -nwid command to allow wireless interfaces to not prefer a specific | Michael Knudsen
access point. Does the same as nwid "" but since we have -nwkey for nwkey etc. this is nice for consistency. ok mbalmer reyk man stuff also ok jmc
2006-11-10 | enable -g again | Alexander von Gernler
help from millert@, ok deraadt@ pedro@
2006-11-10 | check both rule source and destination when grouping sa's | Mathieu Sauve-Frankel
fixes PR5262 ok hshoexer@
2006-11-10 | When using -vv, also show grouped SAs. | Hans-Joerg Hoexer
2006-11-10 | Fix grouping for SAs. Now all combinations of SAs are possible, | Hans-Joerg Hoexer
not only ESP+AH (ie. ESP inside AH).
2006-11-10 | Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263. | Hans-Joerg Hoexer
2006-11-10 | Print the interface that each queue is bound to in the pfctl -sq output | Joel Knight
ok henning@
2006-11-09 | trim SEE ALSO: there is no need to list every pseudo-device | Jason McIntyre
2006-11-09 | desireable -> desirable; | Jason McIntyre
2006-11-09 | support public keys w/o SubjectPublicKeyInfo (format: BEGIN RSA PUBLIC KEY) | Markus Friedl
ok ho, hshoexer
2006-11-09 | oops | Theo de Raadt
2006-11-08 | sh machines also have a /usr/mdec/mbr | Theo de Raadt
2006-11-08 | add a -y flag, for non-interactive use | Theo de Raadt
2006-11-07 | Only try to recursively print rules if they are actually anchors. | Ryan Thomas McBride
2006-11-07 | Unbreak authpf by handling non-inline anchors separately from the { } anchors | Ryan Thomas McBride
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards. Also fixes some nits with nesting and printing inline anchors. ok deraadt@
2006-11-05 | Don't open a transaction for a ruleset unless it's a brace ruleset that | Ryan Thomas McBride
contains rules. Fixes DIOCXCOMMIT: Device busy when multiple anchors with the same name are specified. reported by ckuethe@ and mkb@crypt.org.ru
2006-11-03 | storing return value of strtol() in int variable was not safe, | Alexander von Gernler
also strtol() result was not checked for under/overflow thus, rewrite getopt switch/cases with strtonum() and sensible bounds
help from mickey@ millert@, ok millert@, no objections otto@
2006-11-03 | correctify example; | Jason McIntyre
from a mail posted to misc@ from uwe dippel; ok otto
2006-11-02 | Check for newline before truncating. | Ray Lai
OK moritz@.
2006-11-02 | Error out on empty string passed as device name. | Ray Lai
OK moritz@.
2006-11-01 | sync usage(); ok mcbride | Jason McIntyre
2006-11-01 | tweaks; | Jason McIntyre
2006-11-01 | Don't recurse ALL the time. | Ryan Thomas McBride
2006-11-01 | KNF unrelated to previous commit. | Ryan Thomas McBride
2006-11-01 | Add support for aggressive mode (from the k2k6 IPsec hackathon). | Ryan Thomas McBride
ok hshoexer
2006-11-01 | Document recursive printing of anchors via -a '*' or -a 'anchor/*'. | Ryan Thomas McBride
2006-10-31 | Allow a user to recursively print anchors including those without | Ryan Thomas McBride
reserved names, if a trailing * is specified in the anchor name. e.g.
recursively print the main ruleset:
    pfctl -a '*' -sr
Recursively print the spam anchor:
    pfctl -a 'spam*'
    pfctl -a 'spam/*'
Also fix a bug which prevented the contents of inline anchors with explicit names from being loaded into the kernel.
ok henning@
2006-10-31 | Document new behaviour of the -o (ruleset optimization) flag. | Ryan Thomas McBride
2006-10-31 | Allow pfctl ruleset optimizer to be controlled from the ruleset. | Ryan Thomas McBride
    "set" "ruleset-optimization" [ "none" | "basic" | "profile" ]
You can optionally control ruleset optimization with these keywords on the command line with the -o option; the command line setting will override the pf.conf setting. The existing -o/-oo flags continue to work as expected.
cleanup and ok henning@
2006-10-31 | - don't allow anchors with _* names to be cleared or loaded from the | Ryan Thomas McBride
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified
'looks sensible' deraadt@
2006-10-29 | Fix TAILQ usage, preventing crashes | Pedro Martelletto
Okay henning@ krw@ millert@ hshoexer@
2006-10-28 | Load all rules into memory before loading into the kernel, and add support | Ryan Thomas McBride
for anchors loaded inline in pf.conf, enclosed in a brace-delimited block ("{" "}").
    anchor on fxp0 {
        pass in proto tcp port 22
    }
The anchor name is optional on inline loaded anchors.
testing ckuethe@ ok henning@ dhartmei@
2006-10-28 | prefer `buses' to `busses' for the noun plural; | Jason McIntyre
2006-10-27 | Sometimes a compromise is needed. | Marc Balmer
After a discussion with jmc and ckuethe.
2006-10-27 | Fix a small typo in the manpage and while here add some space between | Marc Balmer
functions.
2006-10-26 | - sort options | Jason McIntyre
- sync usage()
2006-10-25 | Remove some unneeded externs. OK canacar@ | Moritz Jodeit
2006-10-25 | allow pflogd to listen on alternate pflog interfaces | Henning Brauer
"Berk D. Demir" <bdd@mindcast.org> sent a diff in private, and then it evolved quite a bit... ok djm canacar berk
2006-10-25 | make absolutely sure logif is 0 unless set specifically, even if log is 0. | Henning Brauer
logif is to be considered invalid unless log is set, but we need this to please the optimizer...
2006-10-25 | teach the optimizer about logif, with & ok frantzen | Henning Brauer
2006-10-25 | and another nit, $$.log should be set to 0 explicitly on quick without log | Henning Brauer
2006-10-25 | add pflog to list of clonable devices; ok henning | Jason McIntyre
2006-10-25 | urgs, $$.quick needs to be set to 0 explicitly on log (without quick) | Henning Brauer