summaryrefslogtreecommitdiff
path: root/sbin
AgeCommit message (Collapse)Author
2002-10-08 remove <0 checks on unsigned numbers.Vincent Labrecque
ok henning@
2002-10-07-Wsign-compare cleanDaniel Hartmeier
2002-10-07Two cases of const-correctness and make one global local.Daniel Hartmeier
2002-10-07set block-policy [drop|return]Henning Brauer
drop is default, same behaviour as before support block drop to override a return policy
2002-10-07support a generic returnHenning Brauer
block return in|out ... acts like return-rst on tcp, like return-icmp on udp and like an ordinary block on anything else ok dhartmei@
2002-10-07make return-icmp work for rules covering both v4 and v6Henning Brauer
-new field "return_icmp6" in pf_rule -parser accepts block return-icmp(ipv4-icmpcode, ipv6-icmpcode) ok and some input dhartmei@
2002-10-07use a new rule_flag PFRULE_RETURNICMP to decide wether to return-icmp or notHenning Brauer
instead of just testing return_icmp > 0 ok dhartmei@
2002-10-07Add 'reply-to' to filter rules, similar to route-to, but applying toDaniel Hartmeier
replies (packets that flow in the opposite direction of the packet that created state), used for symmetric routing enforcement. Document how route-to and reply-to work in context of stateful filtering.
2002-10-06Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and savesDaniel Hartmeier
several lines, no functional difference. From Camiel Dobbelaar.
2002-10-05Expand {} lists from left to right, so 'pass in from { a, b } to any'Daniel Hartmeier
becomes '@0 pass in from a to any @1 pass in from b to any' instead of the other way around. Patch from Camiel Dobbelaar.
2002-10-05Allow filtering based on IP header's tos field.Daniel Hartmeier
2002-09-29much prettier; wgriffin@jtan.comTheo de Raadt
2002-09-22little KNF: return(something) -> return (something)Henning Brauer
2002-09-22fix linenumber counting in findeol, and simplify by ignoring the \ case,Henning Brauer
that's already handled earlier. fast-forward on errnous lines partitially from camield@, parts result of a discussion with Mike ok frantzen@ dhartmei@
2002-09-22antispoof, take 2.Henning Brauer
also block incoming packets with our own IP as src. discussion & help frantzen ok ho@ dhartmei@ frantzen@
2002-09-18fix Xr refs; frisco@blackant.netTheo de Raadt
2002-09-17easier "self" implementation.Henning Brauer
no functional changes ok pb@
2002-09-15set a netmask in the dynaddr caseHenning Brauer
noticed by <han@mijncomputer.nl> ok pb@
2002-09-14oooooooopsieHenning Brauer
2002-09-14bit more clue in rdr/nat rules wrt address family examinationHenning Brauer
don't take the af from host_node structs based on interface lookups, most interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will at least have one IP address specified from whoch we take the af for the whole rule. The rare exceptional cases require the user to specify the af. ok frantzen@
2002-09-14Document -R default (10000); ok deraadtPeter Valchev
2002-09-12check for calloc() failure; ho@Henning Brauer
2002-09-12antispoof [log] [quick] for [interface|interface_list] [af]Henning Brauer
e. g. antispoof log quick for { dc0, dc1 } inet docs & regress coming ok pb@, frantzen@, deraadt@ also looked over kjell@, markus@, itojun@, dhartmei@ IPv6 help itojun@ finally, a long story finds its happy end here.
2002-09-12rework netmask handling:Henning Brauer
-don't set netmask in host token handler -clear netmask in ipmask() proper before setting it -in ifa_load(), also store interface's netmask and broadcast address -allow ifa_lookup() to return either the interface's IP address(es), network(s) or broadcast address(es) - not used anywhere yet. This implies that ifa_lookup() also returns the netmask now. -host() returns netmasks, too ok pb@, frantzen@, deraadt@ also looked over kjell@, markus@, itojun@, dhartmei@
2002-09-11signed vs unsigned from -pedantic.Hakan Olsson
2002-09-11signed vs unsigned, some void * arithmetic, from -pedantic. niklas@ ok.Hakan Olsson
2002-09-10socklen_t; cloderTheo de Raadt
2002-09-08ansi pedantic. sync w/kameJun-ichiro itojun Hagino
2002-09-08be more clueful wrt address family in nat/rdr rules.Henning Brauer
behaviour noticed by Paul de Weerd, thanks! ok dhartmei@
2002-09-08Fix -pedantic errors.Hakan Olsson
2002-09-06remove Xr to photurisTheo de Raadt
2002-09-06socklen_t and various other minor tweaksTheo de Raadt
2002-09-06socklen_tTheo de Raadt
2002-09-06support long names; henning okTheo de Raadt
2002-09-06assume that noone uses photurisd anymore.Theo de Raadt
2002-09-06socklen_tTheo de Raadt
2002-09-06bogus ; outside of functionTheo de Raadt
2002-09-06missing arg in a msglog(); silvio@big.net.auTheo de Raadt
2002-09-05Without IDs wait until next step/retry to handle CERTREQs. This shouldHakan Olsson
make certificate auth work better with some clients, such as SSH Sentinel.
2002-09-05Do not require the presence of subjectAltName in certificates used forHakan Olsson
IKE auth. Should make interoperating with for example FreeS/WAN easier (Pluto).
2002-09-05Do not create SAs for transaction exchanges either. By niklas@Hakan Olsson
2002-09-03add strlcpy/cat for BSD/OSMarkus Friedl
2002-09-03CPI_RESERVED_MIN is not defined on KAME+BSD/OS; ok ho@Markus Friedl
2002-09-03use sig_atomic_t; cloderTheo de Raadt
2002-09-02Fix parsing of port ranges in translation rules (port a:b -> port c:d).Daniel Hartmeier
ok henning@
2002-09-02Make sure the interface specified with route-to/dup-to/fastroute existsDaniel Hartmeier
and null-terminate the interface name. Found by Michael Wallis. ok henning@
2002-08-29need CPI_xx declsJun-ichiro itojun Hagino
2002-08-29size_t has to be casted to u_long on printing.Jun-ichiro itojun Hagino
From: Martti Kuparinen <martti.kuparinen@iki.fi>
2002-08-29Work around arguably correct OpenSSL behaviour and only ask for CRLHakan Olsson
checks when we actually have CRLs to check against. Problem pointed out by <sturm@sec.informatik.tu-darmstadt.de>.
2002-08-23Initial support for MacOS X (v10.2 and later).Hakan Olsson
generated by cgit v1.2.3 (git 2.25.1) at 2025-01-21 20:32:25 +0000