| Age | Commit message (Collapse) | Author |
|---|
|
|
|
ok henning@, deraadt@
|
|
that it defauls to 100% of the parent queue. Fix examples to match.
ok dhartmei@
|
|
from dhartmei and henning.
ok dhartmei@ henning@ jmc@ jaredy@
|
|
ok henning@ dhartmei@
|
|
prodded by John Ladwig <jladwig@mango.lioness.net>
ok deraadt jmc
|
|
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@
|
|
|
|
on bridges. Spotted by Simon Kirby.
proper caps from jmc@
ok dhartmei@
|
|
ok dhartmei@;
|
|
|
|
"I think you messed something up when you committed this."
and he is right, I lost a word. Dang! And Thanks :)
|
|
|
|
From: Michael Knudsen <e@molioner.dk>
jaredy ok
|
|
|
|
found by mpech@
|
|
|
|
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.
ok deraadt@ henning@ dhartmei@
|
|
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.
ok deraadt@ henning@ dhartmei@
|
|
|
|
|
|
ok henning, markus
|
|
|
|
ok frantzen@
|
|
|
|
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok
|
|
mention wildcard (*) anchors,
and mention quotes around anchor names.
ok dhartmei henning jmc
|
|
and fix an mdoc list display (from jmc)
ok dhartmei henning jmc
|
|
problem found by marc@; this diff based on a patch from sven at
sandcat dot nl; ok henning@;
|
|
Christopher Pascoe
|
|
sequence numbers by taking advantage of the maximum 1KHz clock as an upperbound
on the timestamp. Typically gains 10 to 18 bits of additional security against
blind data insertion attacks. More if the TS Echo wasn't optional :-(
Enabled with: scrub on !lo0 all reassemble tcp
ok dhartmei@. documentation help from jmc@
|
|
|
|
- add a .Pp
- kill a stray space
- new sentence, new line
from Joel Knight;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff change the pf_state structure slighltly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
|
|
- new sentence, new line
- kill blank line
- missing .El
- missing escape
- ip -> IP
- greate -> create
|
|
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule
ok dhartmei@ deraadt@
|
|
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@
|
|
from Joel Knight
|
|
the parentheses are required when using two queue arguments, and
optional when using one.
|
|
and not a literal.
|
|
|
|
ok jmc@ cedric@
|
|
created by this rule from appearing on the pfsync(4) interface. e.g.
pass in proto tcp to self flags S/SA keep state (no-sync)
ok cedric@ henning@ dhartmei@
|
|
ok jmc@
|
