| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2001-09-21 | Fix natlook (broke ftp-proxy) and a memory leak. | Daniel Hartmeier | |
| From Ryan McBride. | |||
| 2001-09-19 | Patch from Ryan McBride. Compile without INET6, remove unnecessary | Daniel Hartmeier | |
| rewrite++. | |||
| 2001-09-17 | icmpv6 nat fix, from Ryan McBride | Daniel Hartmeier | |
| 2001-09-15 | The inner protocol of IPv4 ICMP error messages was ignored, leading to | Daniel Hartmeier | |
| 'ICMP error message for bad proto' messages and breaking traceroute etc. Please increase debugging level (pfctl -x m) while testing. | |||
| 2001-09-15 | Don't use m_pkthdr.rcvif in pflog_packet(), it doesn't work for outgoing | Daniel Hartmeier | |
| packets and is obviously invalid (and not NULL) for IPv6 packets (hence crashed). Pass ifp down instead. sizeof(ih) instead of sizeof(&ih) for pf_pull_hdr() from pf_test6(). | |||
| 2001-09-15 | IPv6 support from Ryan McBride (mcbride@countersiege.com) | Mike Frantzen | |
| 2001-09-14 | binat non icmp/udp/tcp protocols as well; ok dhartmei@ | jasoni | |
| 2001-09-11 | Undo BINAT translation when blocking with return-rst/-icmp. | Daniel Hartmeier | |
| Translate at most once. From Ryan McBride. | |||
| 2001-09-06 | 1:1 bidrectional NAT (binat); ok dhartmei@ and frantzen@ | jasoni | |
| 2001-09-05 | Handle uh_sum == 0x0000 correctly. Before, UDP packet checksums were | Daniel Hartmeier | |
| broken by NAT/RDR when unset by the sender. Fixes ntpdate behind NAT. | |||
| 2001-09-05 | s/pf_natlook/pfioc_natlook (ioctl parameter struct) | Daniel Hartmeier | |
| 2001-09-04 | Add skip steps for interface (ifp). | Daniel Hartmeier | |
| 2001-09-04 | #define empty PFLOG_PACKET correctly (no side effects). Closes PR2044. | Daniel Hartmeier | |
| From Claus Assmann. | |||
| 2001-08-31 | Forgot to commit frag expire tuning before | Mike Frantzen | |
| Check for a short ip_hl. Could have caused proto headers to overlap IP header. | |||
| 2001-08-28 | Add new ioctls to securelevel check, from Can Erkin Acar | Daniel Hartmeier | |
| <canacar@eee.metu.edu.tr> | |||
| 2001-08-28 | Bump state timeouts and allow tweaking them from pfctl. | Mike Frantzen | |
| (The state timeouts need some _serious_ tuning) | |||
| 2001-08-26 | 2nd uninitialized variable that bit me today | Niklas Hallqvist | |
| 2001-08-25 | PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation. | Mike Frantzen | |
| 2001-08-22 | Correct the setup of the intial TCP state window and pre-validate th_ack | Mike Frantzen | |
| on an FIN|ACK close if the client has never responded. | |||
| 2001-08-22 | Fix panic in pf (was my fault) caused by a bad key compare optimization | Mike Frantzen | |
| Add debug output to track loose state matches | |||
| 2001-08-21 | KNF | Theo de Raadt | |
| 2001-08-21 | Pass closing TCP connections through looser state machine (handle Solaris' | Mike Frantzen | |
| stupid spurious ACK|FINs after a close) | |||
| 2001-08-19 | Add new ioctls for adding/removing RDR and NAT rules to/from the active | Daniel Hartmeier | |
| rule sets. | |||
| 2001-08-19 | Quick optimization of pf_tree_key_compare (should half the instruction count) | Mike Frantzen | |
| 2001-08-19 | Make more money for mickey (count entire IP packets for statistics, not just | Daniel Hartmeier | |
| inner data). | |||
| 2001-08-19 | Yet another batch of improvements and un-fuckups to the TCP state code. | Mike Frantzen | |
| Improved the state miss debug messages to cover the new checks. | |||
| 2001-08-19 | Add per-rule byte counter, so mickey can do accounting. We're counting the | Daniel Hartmeier | |
| data part (without IP and TCP/UDP/ICMP headers), like the state counter does. | |||
| 2001-08-19 | Add per-rule statistics (number of evaluations and number of packets). | Daniel Hartmeier | |
| Packets passed statefully will be counted using the rule that created the state. | |||
| 2001-08-19 | Unfuck some TCP state stuff that would drop the SYN|ACK. | Mike Frantzen | |
| Enumerated the TCP states. Here's a mapping new->old tcp states if anyone gives a shit: TCPS_CLOSED 0 TCPS_SYN_SENT 1 TCPS_ESTABLISHED 2 TCPS_CLOSING 3 TCPS_FIN_WAIT_2 4 TCPS_TIME_WAIT 5 | |||
| 2001-08-19 | Loosened TCP state code which should allow stupid stacks to shotgun their | Mike Frantzen | |
| SYNs and provide better handling for pre-existing connections. | |||
| 2001-08-18 | Add new ioctl for adding/removing individual rules to/from the active rule set. | Daniel Hartmeier | |
| 2001-08-18 | make pfctl -s state SCREAM; frantzen is now happy | Theo de Raadt | |
| 2001-08-11 | Add support for ICMP errors referring to ICMP queries/replies. Fixes | Daniel Hartmeier | |
| 'ICMP error message for bad proto' messages. Reported by Mark Grimes and Steve Rumble. Add debugging level with ioctl interface and pfctl switch. Default is 'None'. | |||
| 2001-08-01 | stateless tcp normalization along the lines of the normalization paper by | Niels Provos | |
| handley, paxon and kreibich; okay deraadt@ | |||
| 2001-07-30 | never before has a file so often deviated from KNF | Theo de Raadt | |
| 2001-07-29 | Implement rule skipping. This is a transparent evaluation optimization, | Daniel Hartmeier | |
| which reduces evaluation cost for sorted rules of similar parameters. Preparation for rule duplication for parameter lists from pfctl. | |||
| 2001-07-25 | nat proxy port randomization by ben fleis. | Daniel Hartmeier | |
| 2001-07-21 | print additional debugging information for 'insert invalid' messages. occurs ↵ | Daniel Hartmeier | |
| for some people (never for me), and I need more information. will be removed after the issue is resolved. please report these, if you get them. | |||
| 2001-07-19 | Fix/complete the handling of the binary ops >< and <> to behave | Kenneth R Westerback | |
| like the ipf operators. The 'n >< m' construct (Include Range = PF_OP_IRG) should match ports greater than n and less than m, not greater than or equal to n and less than or equal to m. The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match all ports less than n OR greater than m, not be treated as an alias for ><. Thus PF_OP_GL, which was used for both <> and >< is replaced with PF_OP_IRG and PF_OP_XRG with the 'correct' semantics. OK dhartmei@ | |||
| 2001-07-18 | fix pf_get_rdr() for single port (dport2 == 0) rules. found by lebel@. | Daniel Hartmeier | |
| 2001-07-17 | normalize ip_off, make IP_DF stripping optional, return rst is a flag now. | Niels Provos | |
| okay markus@ | |||
| 2001-07-17 | split ip normalization out into a separate file, okay dhartmei@ | Niels Provos | |
| 2001-07-15 | increase src->state to 1 when creating state from intermediate (non-SYN) ↵ | Daniel Hartmeier | |
| packets. this fixes one class of BAD state messages (where seqlo=0, seqhi=1). | |||
| 2001-07-14 | use int instead of signed char. doesn't use more memory (padding occurs) and ↵ | Daniel Hartmeier | |
| is actually faster. | |||
| 2001-07-13 | indent. | Federico G. Schwindt | |
| 2001-07-13 | everytime i clean in here, i get a 250 line diff... | Theo de Raadt | |
| 2001-07-11 | Simplify pf_pull_hdr(), don't use inner IP header's ip_len or ip_off | Daniel Hartmeier | |
| in case of pf_test_state_icmp(). This solves the "ICMP error message too short" problems. Reported by ycchang and heko. | |||
| 2001-07-09 | do compare in host order. found by millert@. | Daniel Hartmeier | |
| 2001-07-09 | Extend nat/rdr syntax. Add source/destination selection. Make | Daniel Hartmeier | |
| interface optional. Suggested by rdump@river.com. nat [on [!] <ifname>] from (any | [!] <addr>[/<mask>]) to (any | [!] <addr>[/<mask>]) -> <addr> [proto (tcp | udp | icmp)] rdr [on [!] <ifname>] from (any | [!] <addr>[/<mask>]) to (any | [!] <addr>[/<mask>]) port <a>[:<b>] -> <addr> port <c>[:*] [proto (tcp | udp | icmp)] | |||
| 2001-07-07 | get rid of compiler warning | Marco S Hyman | |
 |
index : src | |
| OpenBSD base system |
| summaryrefslogtreecommitdiff |