Age | Commit message | Author

sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.
Idea and ok deraadt@
freeing rules. Fixes a number of potential memory leaks and other bugs.
- Add new pool_ticket to ensure that address pools don't get messed
with by someone else while we add rules.
- Add a second address pool buffer, so that DIOCCHANGE* operations which use
pf_compare* will work correctly.
Excellent bug report and analysis from DJ Gregor.
ok dhartmei@ henning@
ok dhartmei@
- Always fold the key in
Many fixes & suggestions from camield@
ok mickey@ camield@ henning@
unbreaks compiling kernel without IPv6 support.
how embarrassing, spotted by Chris Kuethe
and rdr, as well as route-to, dup-to and reply-to.
Addresses can be allocated in a number of ways:
- masking out the network portion of the address and replacing it
- randomly assigning an address in the block
- hashing the source address and a key to determine the redirection address
- iterating through the addresses sequentially (this is the only allocation
scheme which works when a list of addresses is specified)
ok dhartmei@ henning@
and the returned icmp packets in the return-icmp case
ok dhartmei@
frantzen@ and dhartmei@
to the more correct and descriptive "sa_family_t af"
ok dhartmei@ henning@
reduces cross-file dependencies.
ok dhartmei@ ish@ henning@
binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27
Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.
from ryan
ok dhartmei@
this commit is to allow further development in both userland and kernel.
the goal is to replace altq's classifier by pf(4).
- make pf tag a queue id to mbuf and make altq read the queue id
- merge altq config into pf.conf(5)
ok dhartmei@, henning@
drop is default, same behaviour as before
support
block drop
to override a return policy
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else
ok dhartmei@
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)
ok and some input dhartmei@
instead of just testing return_icmp > 0
ok dhartmei@
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.
To detect routing loops use the actual outgoing interface and not the
interface that the rule is to apply to (as there may not be one).
- noticed by mcbride@countersiege.com
- ok dhartmei@, henning@
binat.
pointed out by Ryan McBride, mcbride at countersiege dot com, Thanks!
ok frantzen@ pb@ jasoni@ deraadt@
NULL to full 64 bits on a 64 bit address system. Solution is to add a
(void *) cast before NULL. This makes a 64 bit MIPS kernel work and will
probably help future 64 bit ports as well.
OK from art@
allows using the same proxy port with different external peers.
From Ryan McBride
sufficient if TH_SYN is set and TH_ACK is unset, ignore TH_ECN etc.
ok frantzen@
Only affects pfctl -si output for IPv6. And some whitespace KNF.
interface except the given one. adjust the pf_test_* functions and
pf_skip_step accordingly.
ok dhartmei@
ok dhartmei@
TODO: sort-of normalization against fragments for inspection
ok dhartmei@
ok dhartmei@, henning@
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@
duplicate key. Instead, log according to log level and return gracefully.
ok frantzen@
proxy port ranges.
includes ports and operator.
both have been lost, due to diff thinking about reversing those
lines after merge
tested
frantzen@, dhartmei@ ok, tested kernel & userland.
checked for colliding commits
functions moved from pf.c to there
ok dhartmei@, frantzen@
testing myself + henning@, kernel & userland utils fine
pf_route6().
fragment, send the proper icmp error.
- ok frantzen@
pass in from any to any port www keep state (tcp.established 60)
ok frantzen@