Age | Commit message (Collapse) | Author |
|
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
|
|
|
|
ok itojun@ and dhartmei@. heckling from henning@
|
|
warning. From Pyun YongHyeon. ok itojun@
|
|
don't use m->m_pkthdr.len for checking, as it is not reliable
|
|
|
|
|
|
does the m_adj() only after filtering. reported by marc
|
|
(please test, especially PF portion)
|
|
|
|
|
|
- length, jumbo payload option
- TTL ("hoplimit" in IPv6 terminology) rewrite
|
|
|
|
remote uptime determination
- scrub modifier "reassemble tcp" turns on stateful TCP normalizations
ok henning@ dhartmei@
|
|
With this change, the log header format also changes.
The new log format is extendible and allows logging
of the originating anchor and ruleset information.
ok henning@ dhartmei@ frantzen@
|
|
each side of the TCP connection and prevent it from being reduced
ok pb@ dhartmei@
|
|
field of a new pf_default_rule structure.
ok dhartmei@
|
|
ok dhartmei@
|
|
Change semantics of scrub option 'no-df' slightly: if the option is used,
it now also applies to _fragments_ with IP_DF set, not just to complete
packets. Hence, adding 'no-df' to 'scrub in all fragment reassemble'
allows to clear IP_DF from fragments, so they don't get dropped but
reassembled.
This affects several UDP protocols that used PMTU discovery, mostly
Linux' NFS implementation. In short, if you have 'scrub in all' now,
you probably want to change that to 'scrub in all no-df', unless you
want to drop fragments with IP_DF set (some people have good reasons
to do the latter, hence the non-default option).
ok frantzen@, henning@, cedric@
|
|
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@
|
|
overlap calculation got negative. Found by Baruch Even. ok henning@
|
|
|
|
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@
|
|
name. ok henning@, mcbride@, cedric@
|
|
ok henning@, mcbride@
|
|
|
|
|
|
stored in a separate list now. Regress tests still pass after
sed "s/ a=end / /g", other skip steps are not affected.
|
|
Precursor to removing rule.action from skip steps.
Also a couple of other small fixes:
- s/PF_RULESET_RULE/PF_RULESET_FILTER/
- replacement of 4 with PF_RULESET_MAX in pfvar.h struct ruleset {
- error handling in ioctl of an invalid value in rule.action
- counting evaluations and matching packets for scrub rules
ok henning@ dhartmei@
|
|
|
|
main purpose is making them regress-testable.
|
|
skip steps on translation rules.
Also:
- Require a ticket for DIOCCHANGERULE operations to prevent races.
- Remove pf_compare_* functions from pf_ioctl.c. DIOCCHANGE* operations
use a rule number, and comparisons happen in userland.
Testing and fixes from dhartmei@ and frantzen@
ok dhartmei@ henning@
|
|
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.
Idea and ok deraadt@
|
|
and rdr, as well as route-to, dup-to and reply-to.
Addresses can be allocated in a number of ways:
- masking out the network portion of the address and replacing it
- randomly assigning an address in the block
- hashing the source address and a key to determine the redirection address
- iterating through the addresses sequentially (this is the only allocation
scheme which works when a list of addresses is specified)
ok dhartmei@ henning@
|
|
frantzen@ and dhartmei@
|
|
to the more correct and descriptive "sa_family_t af"
ok dhartmei@ henning@
|
|
|
|
|
|
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking
|
|
|
|
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@
|
|
|
|
|
|
with suggestions from provos@
ok dhartmei@
|
|
ok dhartmei@
|
|
|
|
by lowering it to the given value.
- ok dhartmei@, provos@
|
|
|
|
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).
|
|
|