Age | Commit message | Author
mark up new ioctls a little better;
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to a group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces, for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
ok tedu@
ok tedu@
settings - even though they are the same for all six configurations, they
differ from Interphase's factory settings.
okay drahn@
information for the 328S and 376. Also remove the media section for ethernet
drivers, which does not apply.
ok+tweaks paul@ jmc@
Pointed out by Jorge Severino (jorge at netsecure dot cl)
ok markus@ drahn@
but has no effect. Retain description of sticky files, but note that it is
historical.
Add small description of how current system works. Improve description of
sticky directories. Remove references to ld(1).
Remove no longer relevant BUG.
much assistance and ok otto@ and tedu@
is like SLIST_FOREACH but it saves a pointer to the previous element.
SLIST_REMOVE_NEXT will remove the element *after* the one passed in.
SLIST_FOREACH_PREVPTR is from FreeBSD; SLIST_REMOVE_NEXT was suggested
by canacar@; man page additions by yours truly. OK deraadt@ (grudgingly)
and man page changes OK jmc@.
- new sentence, new line
- kill whitespace at EOL
- escape a dot at EOL
pflog.4:
- subject verb agreement
into its own section.
functionality.
ok deraadt@
- kill whitespace at EOL
- new sentence, new line
- kill blank line
- missing .El
- missing escape
- ip -> IP
- greate -> create
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule
ok dhartmei@ deraadt@
- kill comma splices
- escape dashes
- s/tunning/tuning
- some wording improvement
make the order more closely match the header;
escape some dashes;
ok deraadt@ itojun@
OK henning@ and deraadt@
POSIX-mandated RLIM_SAVED_MAX and RLIM_SAVED_CUR defines. On OpenBSD
these are identical to RLIM_INFINITY as allowed by POSIX. OK deraadt@
diff from Brian Poole;
careful crafting and ok mickey@
use the presence of this tag to reverse the match order in
in{6}_pcblookup_listen(). Some daemons (such as portmap) do a double
bind, binding to both * and localhost in order to differentiate local
from non-local connections, and potentially granting more privilege to
local ones. This change ensures that redirected connections to localhost
do not appear local to such a daemon.
Bulk of changes from dhartmei@, some changes markus@
ok dhartmei@ deraadt@
rc.conf blindly, since install can now create rc.conf.local;
thanks nick@ for pointing this out;