Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@
ok dhartmei@
name. ok henning@, mcbride@, cedric@
2) add new PFR_FLAG_REPLACE for use by pfr_tst_addrs().
3) add new pfrio_nmatch alias to pfioc_table, set by pfr_tst_addrs().
Tested on i386, sparc64
ok dhartmei@ henning@
Precursor to removing rule.action from skip steps.
Also a couple of other small fixes:
- s/PF_RULESET_RULE/PF_RULESET_FILTER/
- replacement of 4 with PF_RULESET_MAX in pfvar.h struct ruleset {
- error handling in ioctl of an invalid value in rule.action
- counting evaluations and matching packets for scrub rules
ok henning@ dhartmei@
normal configurations, and sufficient for many. You can always increase
it, if you need more concurrent states and have enough memory (65000 for
64MB RAM, for instance). Suggested earlier by henning@. ok mcbride@
ok dhartmei@, mcbride@, henning@
- set rpool.cur in DIOCCHANGERULE
- check to make sure rpool.list is not empty if we're doing translation
or routing other than fastroute
ok dhartmei@ henning@
Solves the crashes in pf_route() with -current.
Reports from Michael Lucas and Bjorn Runaker.
we don't need the second list of addresses for DIOCCHANGE* operations)
Also get rid of a bug where DIOCBEGINADDRS clears pabuf[1] when pabuf[0]
is the one being used.
ok henning@ dhartmei@
Unlike with filter rules, nat rules inside anchors might be pointed to.
evaluation, packet, byte and state entry counters similar to -vsr. Helps
verify whether/how often translation rules are evaluated/matched.
ok frantzen@, henning@
main purpose is making them regress-testable.
skip steps on translation rules.
Also:
- Require a ticket for DIOCCHANGERULE operations to prevent races.
- Remove pf_compare_* functions from pf_ioctl.c. DIOCCHANGE* operations
use a rule number, and comparisons happen in userland.
Testing and fixes from dhartmei@ and frantzen@
ok dhartmei@ henning@
this allows for a second queue on pf_rule.
assign packets with tos 0x10 (lowdelay) to this one.
if the second queue isn't specified set pqid = qid
idea dhartmei@
ok dhartmei@ frantzen@ deraadt@
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.
Idea and ok deraadt@
freeing rules. Fixes a number of potential memory leaks and other bugs.
- Add new pool_ticket to insure that address pools don't get messed
with by someone else while we add rules.
- Add a second address pool buffer, so that DIOCCHANGE* operations which use
pf_compare* will work correctly.
Excellent bug report and analysis from DJ Gregor.
ok dhartmei@ henning@
PF_CHANGE_REMOVE from dereferencing a NULL pointer.
Noticed by dhartmei@
ok dhartmei@
after altq gets flushed, altq forgot that it was enabled since
altq is actually detached with an empty ruleset.
so, add a variable, pfaltq_running, to remember the running state
and re-enable altq when a new ruleset is loaded.
noticed, tested, and oked by henning@
and rdr, as well as route-to, dup-to and reply-to.
Addresses can be allocated in a number of ways:
- masking out the network portion of the address and replacing it
- randomly assigning an address in the block
- hashing the source address and a key to determine the redirection address
- iterating through the addresses sequentially (this is the only allocation
scheme which works when a list of addresses is specified)
ok dhartmei@ henning@
dhartmei@ ok
rather than the ip address if it exists.
ok dhartmei@ henning@
Found by DJ Gregor.
(returns ifp, not ifname)
ok dhartmei@ ish@ camield@ henning@
reduces cross-file dependencies.
ok dhartmei@ ish@ henning@
this commit is to allow further development in both userland and kernel.
the goal is to replace altq's classifier by pf(4).
- make pf tag a queue id to mbuf and make altq read the queue id
- merge altq config into pf.conf(5)
ok dhartmei@, henning@
allows to use the same proxy port with different external peers.
From Ryan McBride
client some days ago:
if you had a rulefile with "set loginterface <interface>" and loaded through
pfctl -e -f /etc/pf.conf, pfctl -si didn't display the interface stats,
because on DIOCSTART pf_status.ifname was cleared and enabling is done after
loading the ruleset.
similar for DIOCCLRSTATUS, remember pf_status.ifname there as well.
added feature:
On DIOCSETSTATUSIF unset the statusinterface if pi->ifname is empty.
ok dhartmei@
a non-existent interface is passed to "pfctl -l". Reported by
grange@disorder.ru.
move FCNT_NAMES from pfvar.h to pfctl_parser.h, only used by pfctl
some input by nick@
ok frantzen@, dhartmei@
includes ports and operator.
functions moved from pf.c to there
ok dhartmei@, frantzen@
testing myself + henning@, kernel & userland utils fine