Age | Commit message (Collapse) | Author |
|
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.
Idea and ok deraadt@
|
|
freeing rules. Fixes a number of potential memory leaks and other bugs.
- Add new pool_ticket to ensure that address pools don't get messed
with by someone else while we add rules.
- Add a second address pool buffer, so that DIOCCHANGE* operations which use
pf_compare* will work correctly.
Excellent bug report and analysis from DJ Gregor.
ok dhartmei@ henning@
|
|
|
|
- Always fold the key in
Many fixes & suggestions from camield@
ok mickey@ camield@ henning@
|
|
rather than struct pfioc_pooladdr
an obvious fix from dhartmei@
|
|
|
|
and rdr, as well as route-to, dup-to and reply-to.
Addresses can be allocated in a number of ways:
- masking out the network portion of the address and replacing it
- randomly assigning an address in the block
- hashing the source address and a key to determine the redirection address
- iterating through the addresses sequentially (this is the only allocation
scheme which works when a list of addresses is specified)
ok dhartmei@ henning@
|
|
is not set to AF_INET6 or AF_INET
ok dhartmei@ henning@
|
|
to the more correct and descriptive "sa_family_t af"
ok dhartmei@ henning@
|
|
reduces cross-file dependencies.
ok dhartmei@ ish@ henning@
|
|
binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27
Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.
from ryan
ok dhartmei@
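The address-pool schemes listed earlier on this page (bitmask, random, source-hash, round-robin) and the binat network/host combination described in the commit above, modelled in C. This is an added example, not pf's own code: the keyed hash is an FNV-1a stand-in rather than the hash pf uses, the random scheme is a small xorshift generator, and every address is a constructed IPv4 value in host byte order.

```c
/* Added example (not pf's own code): IPv4 address-pool selection in the
 * four schemes named on this page, plus the binat network/host combination.
 * hash_src is an FNV-1a stand-in, not the hash pf uses. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum pool_mode { POOL_BITMASK, POOL_RANDOM, POOL_SRCHASH, POOL_ROUNDROBIN };

struct pool {
    enum pool_mode mode;
    uint32_t addrs[8];    /* host-order addresses; single-address modes use addrs[0] */
    size_t   naddrs;      /* list length, used by round-robin */
    uint32_t mask;        /* netmask for bitmask/random/source-hash */
    uint32_t key;         /* key folded into the source hash */
    size_t   rr_next;     /* round-robin cursor */
    uint32_t rand_state;  /* xorshift state for the random scheme */
};

uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

uint32_t prefix_mask(int len)
{
    return len <= 0 ? 0 : 0xFFFFFFFFu << (32 - len);
}

/* Bitmask scheme and binat: network bits from the pool, host bits from src. */
uint32_t pool_bitmask(uint32_t net, uint32_t mask, uint32_t src)
{
    return (net & mask) | (src & ~mask);
}

/* binat needs equal prefix lengths on both sides, or the host bits would not fit. */
int binat_masks_ok(uint32_t src_mask, uint32_t rdr_mask)
{
    return src_mask == rdr_mask;
}

/* Stand-in keyed hash (FNV-1a over src and key); pf uses its own. */
static uint32_t hash_src(uint32_t src, uint32_t key)
{
    uint32_t words[2] = { src, key };
    uint32_t h = 2166136261u;
    for (int w = 0; w < 2; w++)
        for (int s = 24; s >= 0; s -= 8) {
            h ^= (words[w] >> s) & 0xffu;
            h *= 16777619u;
        }
    return h;
}

static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s ? *s : 0x9e3779b9u;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Pick the translation address for a packet with source address src. */
uint32_t pool_select(struct pool *p, uint32_t src)
{
    uint32_t net = p->addrs[0] & p->mask;
    switch (p->mode) {
    case POOL_BITMASK:
        return pool_bitmask(net, p->mask, src);
    case POOL_RANDOM:
        return net | (xorshift32(&p->rand_state) & ~p->mask);
    case POOL_SRCHASH:
        return net | (hash_src(src, p->key) & ~p->mask);
    case POOL_ROUNDROBIN: {   /* the only scheme defined for an address list */
        uint32_t a = p->addrs[p->rr_next];
        p->rr_next = (p->rr_next + 1) % p->naddrs;
        return a;
    }
    }
    return 0;
}

int main(void)
{
    /* binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27 */
    uint32_t m = prefix_mask(27);
    uint32_t src = ip4(192, 168, 0, 40);
    uint32_t out = pool_bitmask(ip4(10, 0, 7, 128), m, src);
    uint32_t back = pool_bitmask(ip4(192, 168, 0, 32), m, out);
    printf("%08x -> %08x -> %08x\n", src, out, back);
    return 0;
}
```

The reverse direction of binat is the same operation with the two networks swapped, which is why the prefix lengths must match: with a longer source prefix the host bits of the translated address would not map back to one original host.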
|
|
|
|
this commit is to allow further development in both userland and kernel.
the goal is to replace altq's classifier by pf(4).
- make pf tag a queue id to mbuf and make altq read the queue id
- merge altq config into pf.conf(5)
ok dhartmei@, henning@
|
|
drop is default, same behaviour as before
support
block drop
to override a return policy
|
|
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else
ok dhartmei@
|
|
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)
ok and some input dhartmei@
|
|
instead of just testing return_icmp > 0
ok dhartmei@
|
|
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.
|
|
|
|
allows using the same proxy port with different external peers.
From Ryan McBride
|
|
interface except the given one. adjust the pf_test_* functions and
pf_skip_step accordingly.
ok dhartmei@
|
|
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking
|
|
ok dhartmei@, henning@
|
|
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@
|
|
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@
|
|
move FCNT_NAMES from pfvar.h to pfctl_parser.h, only used by pfctl
some input by nick@
ok frantzen@, dhartmei@
|
|
includes ports and operator.
|
|
frantzen@, dhartmei@ ok, tested kernel & userland.
checked for colliding commits
|
|
|
|
|
|
pass in from any to any port www keep state (tcp.established 60)
ok frantzen@
|
|
okay dhartmei@, frantzen@
|
|
ok dhartmei@, ipv6 part itojun@ ok
|
|
of concurrent connections a rule can create. ok frantzen@
|
|
with suggestions from provos@
ok dhartmei@
|
|
|
|
keywords to 'user' and 'group'.
|
|
by lowering it to the given value.
- ok dhartmei@, provos@
|
|
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.
|
|
created the state from DIOCGETSTATE(S), return the integer rule number,
Print rule number (if existent) from pfctl -vss. Suggested by Jeff Nathan.
|
|
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).
|
|
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.
|
|
usage semantics are analogous with "any", the meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok
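The no-route check modelled as a longest-prefix match over a constructed routing table, as an added example that is not pf's own code (pf consults the kernel's real routing table; the entries here are made up). It also shows the practical caveat that follows from the definition above: once a default route 0.0.0.0/0 is present, every address has a route, so "block in from no-route" matches nothing.

```c
/* Added example (not pf's own code): a longest-prefix-match table modelling
 * the "no-route" check.  Table entries are constructed; the kernel uses its
 * real routing table instead. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct route { uint32_t net; int prefixlen; };

static uint32_t pmask(int len)
{
    return len <= 0 ? 0 : 0xFFFFFFFFu << (32 - len);
}

/* Longest-prefix match; returns the matching prefix length or -1 for no route. */
int route_lookup(const struct route *tab, size_t n, uint32_t dst)
{
    int best = -1;
    for (size_t i = 0; i < n; i++) {
        uint32_t m = pmask(tab[i].prefixlen);
        if ((dst & m) == (tab[i].net & m) && tab[i].prefixlen > best)
            best = tab[i].prefixlen;
    }
    return best;
}

/* "block in from no-route to any": 1 if the source address has no route. */
int block_in_from_no_route(const struct route *tab, size_t n, uint32_t src)
{
    return route_lookup(tab, n, src) < 0;
}

/* Constructed table: a connected LAN and a static route, no default route. */
const struct route fib_nodefault[] = {
    { 0xC0A80100u, 24 },  /* 192.168.1.0/24 */
    { 0x0A000000u, 8 },   /* 10.0.0.0/8 */
};
const size_t fib_nodefault_len = 2;

/* Same table plus 0.0.0.0/0: every address now has a route, so no-route
 * can never match. */
const struct route fib_default[] = {
    { 0xC0A80100u, 24 },
    { 0x0A000000u, 8 },
    { 0x00000000u, 0 },
};
const size_t fib_default_len = 3;

int main(void)
{
    uint32_t spoofed = 0xCB00710Au;  /* 203.0.113.10: no route in fib_nodefault */
    printf("no default route: blocked=%d\n",
           block_in_from_no_route(fib_nodefault, fib_nodefault_len, spoofed));
    printf("with default route: blocked=%d\n",
           block_in_from_no_route(fib_default, fib_default_len, spoofed));
    return 0;
}
```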
|
|
discrimination on src/dst ips and netmask, src/dst port range and protocol.
ok dhartmei@
|
|
until pool exhaustion causes problems no more.
|
|
|
|
(in vs. out). This speeds up rule set evaluation considerably, because
the rule set used to be linearly traversed (even twice) when looking
for scrub rules. Ok frantzen@, deraadt@
|
|
|
|
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.
|
|
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.
|