Age | Commit message | Author

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to a group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
them could be used to panic pf with scrub rules remotely. Found by
Rob Pickering. ok frantzen@, henning
ok dhartmei@ jmc@
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
ok itojun@ and dhartmei@. heckling from henning@
warning. From Pyun YongHyeon. ok itojun@
don't use m->m_pkthdr.len for checking, as it is not reliable
does the m_adj() only after filtering. reported by marc
(please test, especially PF portion)
- length, jumbo payload option
- TTL ("hoplimit" in IPv6 terminology) rewrite
remote uptime determination
- scrub modifier "reassemble tcp" turns on stateful TCP normalizations
ok henning@ dhartmei@
With this change, the log header format also changes.
The new log format is extendible and allows logging
of the originating anchor and ruleset information.
ok henning@ dhartmei@ frantzen@
each side of the TCP connection and prevent it from being reduced
ok pb@ dhartmei@
field of a new pf_default_rule structure.
ok dhartmei@
ok dhartmei@
Change semantics of scrub option 'no-df' slightly: if the option is used,
it now also applies to _fragments_ with IP_DF set, not just to complete
packets. Hence, adding 'no-df' to 'scrub in all fragment reassemble'
allows clearing IP_DF from fragments, so they don't get dropped but
reassembled.
This affects several UDP protocols that used PMTU discovery, mostly
Linux' NFS implementation. In short, if you have 'scrub in all' now,
you probably want to change that to 'scrub in all no-df', unless you
want to drop fragments with IP_DF set (some people have good reasons
to do the latter, hence the non-default option).
ok frantzen@, henning@, cedric@
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@
overlap calculation got negative. Found by Baruch Even. ok henning@
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@
name. ok henning@, mcbride@, cedric@
ok henning@, mcbride@
stored in a separate list now. Regress tests still pass after
sed "s/ a=end / /g", other skip steps are not affected.
Precursor to removing rule.action from skip steps.
Also a couple of other small fixes:
- s/PF_RULESET_RULE/PF_RULESET_FILTER/
- replacement of 4 with PF_RULESET_MAX in pfvar.h struct ruleset {
- error handling in ioctl of an invalid value in rule.action
- counting evaluations and matching packets for scrub rules
ok henning@ dhartmei@
main purpose is making them regress-testable.
skip steps on translation rules.
Also:
- Require a ticket for DIOCCHANGERULE operations to prevent races.
- Remove pf_compare_* functions from pf_ioctl.c. DIOCCHANGE* operations
use a rule number, and comparisons happen in userland.
Testing and fixes from dhartmei@ and frantzen@
ok dhartmei@ henning@
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.
Idea and ok deraadt@
and rdr, as well as route-to, dup-to and reply-to.
Addresses can be allocated in a number of ways:
- masking out the network portion of the address and replacing it
- randomly assigning an address in the block
- hashing the source address and a key to determine the redirection address
- iterating through the addresses sequentially (this is the only allocation
scheme which works when a list of addresses is specified)
ok dhartmei@ henning@
frantzen@ and dhartmei@
to the more correct and descriptive "sa_family_t af"
ok dhartmei@ henning@
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@
with suggestions from provos@
ok dhartmei@
ok dhartmei@