path: root/sys/net/pf.c
Age  Author  (commit message follows on the next lines)
2002-12-06  Daniel Hartmeier
Introduce anchors and named rule sets, allowing additional rule sets to be loaded with pfctl and evaluated from the main rule set using a new type of rule (which will support conditional evaluation soon). Makes maintenance of sub-rulesets simpler for pfctl and daemons. Idea and ok deraadt@

2002-12-03  Michael Shalayeff
no need to mh_align (while it's wrong), cleaner mtu setting; dhartmei@ ok

2002-12-01  Ryan Thomas McBride
- Clean up pf_ioctl mainly by adding new functions to handle cleaning and freeing rules. Fixes a number of potential memory leaks and other bugs.
- Add new pool_ticket to ensure that address pools don't get messed with by someone else while we add rules.
- Add a second address pool buffer, so that DIOCCHANGE* operations which use pf_compare* will work correctly.
Excellent bug report and analysis from DJ Gregor. ok dhartmei@ henning@

2002-12-01  Ryan Thomas McBride
pfsync currently causes kernel faults, so we don't want to call these functions. ok dhartmei@

2002-11-29  Michael Shalayeff
expose state table changes

2002-11-28  Ryan Thomas McBride
- MD5 too slow, replace with pf_hash (based on hash from if_bridge.c)
- Always fold the key in
Many fixes & suggestions from camield@ ok mickey@ camield@ henning@

2002-11-24  Ryan Thomas McBride
move } outside #ifdef INET6. unbreaks compiling kernel without IPv6 support. how embarrassing, spotted by Chris Kuethe

2002-11-23  Theo de Raadt
KNF

2002-11-23  Ryan Thomas McBride
pass a pointer to the hash, not the first chunk of it

2002-11-23  Ryan Thomas McBride
kernel code to allow multiple redirection addresses to be specified for nat and rdr, as well as route-to, dup-to and reply-to. Addresses can be allocated in a number of ways:
- masking out the network portion of the address and replacing it
- randomly assigning an address in the block
- hashing the source address and a key to determine the redirection address
- iterating through the addresses sequentially (this is the only allocation scheme which works when a list of addresses is specified)
ok dhartmei@ henning@

2002-11-22  Henning Brauer
on block rules, let queue apply to the RST packets in the return-rst case and the returned icmp packets in the return-icmp case. ok dhartmei@

2002-10-29  Michael Shalayeff
keep all pflog goodies in pflog sources, avoids code duplications; okski frantzen@ and dhartmei@

2002-10-22  Ryan Thomas McBride
Convert "int af" and "u_int8_t af" declarations and function arguments to the more correct and descriptive "sa_family_t af". ok dhartmei@ henning@

2002-10-20  Ryan Thomas McBride
Move pf_compare_(rules|nats|binats|rdrs) to pf_ioctl.c. Simplifies and reduces cross-file dependencies. ok dhartmei@ ish@ henning@

2002-10-14  Henning Brauer
Allow one to specify a netblock in a binat rule:
binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27
Both the network mask on the source and redirect addresses MUST be the same, and it works by essentially combining the network section of the redirect address with the host section of the source address. from ryan ok dhartmei@

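The multi-address pool commit (2002-11-23) and the netblock binat commit (2002-10-14) describe the same family of address-selection operations: the netblock binat is exactly the "mask out the network portion and replace it" scheme, applied in both directions. The block below is an added example written for this page, not code from pf.c; it uses its own plain host-order IPv4 representation (the IP4 and PREFIX_MASK macros, the addr_pool struct and the hash32 mixer standing in for pf_hash are all assumptions of the example) to show the four allocation schemes, the bijective forward/reverse binat mapping, and the equal-mask check the commit message calls out as mandatory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Host-order IPv4 helpers. This whole file is an added example with its own
 * plain representation; it does not use pf's pf_addr/pf_pool structures. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define PREFIX_MASK(bits) ((bits) == 0 ? 0U : 0xffffffffU << (32 - (bits)))

enum pool_type { POOL_BITMASK, POOL_RANDOM, POOL_SRCHASH, POOL_ROUNDROBIN };

struct addr_pool {
    enum pool_type type;
    uint32_t base;        /* redirect block, e.g. 10.0.7.128 */
    uint32_t mask;        /* its netmask, e.g. PREFIX_MASK(27) */
    uint32_t key;         /* secret key mixed into the source hash */
    const uint32_t *list; /* explicit address list (round-robin only) */
    size_t nlist;
    uint32_t rr_next;     /* round-robin cursor */
};

/* Hypothetical stand-in for pf_hash: a keyed 32-bit integer mixer. */
static uint32_t hash32(uint32_t x, uint32_t key)
{
    x ^= key;
    x ^= x >> 16; x *= 0x7feb352dU;
    x ^= x >> 15; x *= 0x846ca68bU;
    x ^= x >> 16;
    return x;
}

/* Does address a fall inside net/mask? Used for the binat source match. */
int addr_in_block(uint32_t a, uint32_t net, uint32_t mask)
{
    return (a & mask) == (net & mask);
}

/* The commit's precondition for netblock binat: both masks must be equal,
 * otherwise the host bits of one side do not fit the other and the mapping
 * stops being one-to-one. Check this when the rule is loaded, not per packet. */
int binat_rule_ok(uint32_t src_mask, uint32_t rdr_mask)
{
    return src_mask == rdr_mask;
}

/* Choose the translation address for a new connection from src.
 * rnd is caller-supplied entropy for POOL_RANDOM, so the function itself
 * is deterministic and easy to test. */
uint32_t pool_map(struct addr_pool *p, uint32_t src, uint32_t rnd)
{
    uint32_t net = p->base & p->mask, host = ~p->mask, a;

    switch (p->type) {
    case POOL_BITMASK:
        /* network part of the pool, host part of the source: this is what
         * netblock binat does, and swapping the two blocks yields the
         * reverse mapping needed for reply packets */
        return net | (src & host);
    case POOL_RANDOM:
        return net | (rnd & host);
    case POOL_SRCHASH:
        /* the same source always lands on the same address */
        return net | (hash32(src, p->key) & host);
    case POOL_ROUNDROBIN:
        if (p->nlist > 0) {
            a = p->list[p->rr_next % p->nlist];
            p->rr_next = (p->rr_next + 1) % p->nlist;
            return a;
        }
        /* no list: walk the block sequentially and wrap; this toy walk does
         * not skip the first and last address of the block */
        a = net | (p->rr_next & host);
        p->rr_next = (p->rr_next + 1) & host;
        return a;
    }
    return 0;
}

int main(void)
{
    /* binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27 */
    uint32_t src_net = IP4(192, 168, 0, 32), rdr_net = IP4(10, 0, 7, 128);
    uint32_t mask = PREFIX_MASK(27), src = IP4(192, 168, 0, 40), out;
    struct addr_pool fwd = { .type = POOL_BITMASK, .base = rdr_net, .mask = mask };

    if (!binat_rule_ok(mask, mask) || !addr_in_block(src, src_net, mask))
        return 1;
    out = pool_map(&fwd, src, 0);
    printf("%u.%u.%u.%u -> %u.%u.%u.%u\n", src >> 24, (src >> 16) & 255,
           (src >> 8) & 255, src & 255, out >> 24, (out >> 16) & 255,
           (out >> 8) & 255, out & 255);   /* 192.168.0.40 -> 10.0.7.136 */
    return 0;
}
```

Only the bitmask scheme is a bijection, which is why it is the one that can serve binat: running it with the blocks swapped returns 10.0.7.136 to 192.168.0.40. Random and source-hash selection need the state table to find the way back, and the sequential walk is the only scheme whose result does not depend on the address block being contiguous, matching the commit's note that it is the only one usable with an explicit list.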
2002-10-08  Kenjiro Cho
the first step of pf/altq merge. this commit is to allow further development in both userland and kernel. the goal is to replace altq's classifier by pf(4).
- make pf tag a queue id to mbuf and make altq read the queue id
- merge altq config into pf.conf(5)
ok dhartmei@, henning@

2002-10-07  Daniel Hartmeier
-Wsign-compare clean

2002-10-07  Henning Brauer
set block-policy [drop|return]
drop is default, same behaviour as before. support block drop to override a return policy

2002-10-07  Henning Brauer
support a generic return: block return in|out ... acts like return-rst on tcp, like return-icmp on udp and like an ordinary block on anything else. ok dhartmei@

2002-10-07  Henning Brauer
make return-icmp work for rules covering both v4 and v6
- new field "return_icmp6" in pf_rule
- parser accepts block return-icmp(ipv4-icmpcode, ipv6-icmpcode)
ok and some input dhartmei@

2002-10-07  Henning Brauer
use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not instead of just testing return_icmp > 0. ok dhartmei@

2002-10-07  Daniel Hartmeier
Add 'reply-to' to filter rules, similar to route-to, but applying to replies (packets that flow in the opposite direction of the packet that created state), used for symmetric routing enforcement. Document how route-to and reply-to work in context of stateful filtering.

2002-10-05  Daniel Hartmeier
Allow filtering based on IP header's tos field.

2002-10-04  Jason Ish
[to the right branch this time]
To detect routing loops use the actual outgoing interface and not the interface that the rule is to apply to (as there may not be one). - noticed by mcbride@countersiege.com - ok dhartmei@, henning@

2002-09-27  Henning Brauer
daddr was used where saddr was meant while checking incoming packets for binat. pointed out by Ryan McBride, mcbride at countersiege dot com, Thanks! ok frantzen@ pb@ jasoni@ deraadt@

2002-09-11  Jun-ichiro itojun Hagino
KNF - return is not a function.

2002-08-28  Per Fogelstrom
Fix a problem where passing NULL as a pointer with varargs does not promote NULL to full 64 bits on a 64 bit address system. Solution is to add a (void *) cast before NULL. This makes a 64 bit MIPS kernel work and will probably help future 64 bit ports as well. OK from art@

2002-08-12  Daniel Hartmeier
Use state tree instead of separate (flat) list to find NAT proxy ports, allows to use the same proxy port with different external peers. From Ryan McBride

2002-08-08  Daniel Hartmeier
th_flags doesn't have to be equal to TH_SYN to generate modulator, it's sufficient if TH_SYN is set and TH_ACK is unset, ignore TH_ECN etc. ok frantzen@

2002-07-24  Daniel Hartmeier
Use host order when adding packet size to interface statistics counter. Only affects pfctl -si output for IPv6. And some whitespace KNF.

2002-07-15  Henning Brauer
add u_int8_t ifnot to struct pf_rule to support matching packets on any interface except the given one. adjust the pf_test_* functions and pf_skip_step accordingly. ok dhartmei@

2002-07-15  Henning Brauer
remove duplicated interface check in test_icmp. ok dhartmei@

2002-07-12  Artur Grabowski
Remove duplicate function declarations (they are in pfvar.h).

2002-07-10  Jun-ichiro itojun Hagino
let IPv6 fragment go through based on normal rulesets. TODO: sort-of normalization against fragments for inspection. ok dhartmei@

2002-06-14  Todd T. Fries
spelling; from Brian Poole <raj@cerias.purdue.edu>

2002-06-11  Mike Frantzen
enumerate UDP and OTHER state levels (similar to tcp_fsm.h). ok dhartmei@, henning@

2002-06-11  Daniel Hartmeier
Make NAT proxy port range configurable per rule, for instance privileged source ports can be mapped to privileged proxy ports, or source port 500 to proxy port 500. ok frantzen@

2002-06-11  Daniel Hartmeier
Don't panic when pf_insert_state() detects an attempt to insert a duplicate key. Instead, log according to log level and return gracefully. ok frantzen@

2002-06-11  Daniel Hartmeier
KNF return x -> return (x), ok frantzen@

2002-06-10  Daniel Hartmeier
Allow ports to be specified in nat rules, useful later on for individual proxy port ranges.

2002-06-10  Daniel Hartmeier
Don't #include <sys/malloc.h>

2002-06-09  Daniel Hartmeier
Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it includes ports and operator.

2002-06-09  Philipp Buehler
reapply patch from jasoni@ for ICMP6_PACKET_TOO_BIG. both have been lost, due to diff thinking about reversing those lines after merge. tested

2002-06-09  Philipp Buehler
reapply patch from jasoni@ for pf_route[6]

2002-06-09  Philipp Buehler
split ioctl functions out of pf.c into pf_ioctl.c. frantzen@, dhartmei@ ok, tested kernel & userland. checked for colliding commits

2002-06-09  Philipp Buehler
uncommit, broken (by corrupt diff)

2002-06-09  Philipp Buehler
new file sys/net/pf_ioctl.c, functions moved from pf.c to there. ok dhartmei@, frantzen@ testing myself + henning@, kernel & userland utils fine

2002-06-09  jasoni
increment ifs6_in_toobig if ipv6 packet too large for interface in pf_route6().

2002-06-09  jasoni
in pf_route{6}, if too large for outgoing interface and not allowed to fragment, send the proper icmp error. - ok frantzen@

2002-06-08  Daniel Hartmeier
Make state timeouts configurable per rule, like
pass in from any to any port www keep state (tcp.established 60)
ok frantzen@