summaryrefslogtreecommitdiff
path: root/sys/net/pfvar.h
AgeCommit message (Expand)Author
2002-06-08Make state timeouts configurable per rule, likeDaniel Hartmeier
2002-06-07increase rule label length from 32 to 64 charsHenning Brauer
2002-06-07add the possibility to configure a TTL while return-rstPhilipp Buehler
2002-06-07Add "(max <number>)" option for "keep/modulate state" to limit the numberDaniel Hartmeier
2002-06-07switch from AVL tree's to herr Provos' red-black treesMike Frantzen
2002-05-19KNF againTheo de Raadt
2002-05-12Add gid based filtering, reduce to one (effective) uid, rename parserDaniel Hartmeier
2002-05-09Add a max-mss option to the scrub rule which will enforce a maximum mssjasoni
2002-05-09Introduce user based filtering. Rules can specify ruid and euid (real andDaniel Hartmeier
2002-05-05Instead of returning a useless kernel space pointer for the rule thatDaniel Hartmeier
2002-04-24Add dynamic (in-kernel) interface name -> address translation. Instead ofDaniel Hartmeier
2002-04-23Allow explicit filtering of fragments when they are not reassembled.Daniel Hartmeier
2002-03-27implement a "no-route" keyword.Michael Shalayeff
2002-03-25add ioctl DIOCKILLSTATES to shootdown a subset of the state table. allowsMike Frantzen
2002-02-26Add optional pool memory hard limits, mainly as temporary solutionDaniel Hartmeier
2002-02-14Reorder struct pf_pdesc members, saves 8 bytes.Daniel Hartmeier
2002-02-14Add skip steps for rule action (pass/block vs. scrub) and directionDaniel Hartmeier
2002-01-11pad the pf_state_{host,peer} to a 32bit quantity; dhartmei@ frantzen@ okMichael Shalayeff
2002-01-09Add labels to rules. These are arbitrary names (not to be confused withDaniel Hartmeier
2002-01-08Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.Daniel Hartmeier
2001-12-10Add an ioctl to add state entries (DIOCADDSTATE) for proxies.Daniel Hartmeier
2001-12-10Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based onDaniel Hartmeier
2001-11-26add fastroute options similar to what is found in ipfjasoni
2001-11-06Use #defines for skip step values. From dgregor@net.ohio-state.edu.Daniel Hartmeier
2001-10-15Add 'allow-opts' to rules. Packets with IP options will be blocked byDaniel Hartmeier
2001-09-27The skip steps array was one element short (since adding steps for af).Daniel Hartmeier
2001-09-15Don't use m_pkthdr.rcvif in pflog_packet(), it doesn't work for outgoingDaniel Hartmeier
2001-09-15IPv6 support from Ryan McBride (mcbride@countersiege.com)Mike Frantzen
2001-09-061:1 bidrectional NAT (binat); ok dhartmei@ and frantzen@jasoni
2001-09-05s/pf_natlook/pfioc_natlook (ioctl parameter struct)Daniel Hartmeier
2001-09-04Add skip steps for interface (ifp).Daniel Hartmeier
2001-08-28Bump state timeouts and allow tweaking them from pfctl.Mike Frantzen
2001-08-25PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.Mike Frantzen
2001-08-21KNFTheo de Raadt
2001-08-19Add new ioctls for adding/removing RDR and NAT rules to/from the activeDaniel Hartmeier
2001-08-19Add per-rule byte counter, so mickey can do accounting. We're counting theDaniel Hartmeier
2001-08-19Add per-rule statistics (number of evaluations and number of packets).Daniel Hartmeier
2001-08-18Add new ioctl for adding/removing individual rules to/from the active rule set.Daniel Hartmeier
2001-08-18make pfctl -s state SCREAM; frantzen is now happyTheo de Raadt
2001-08-11Add support for ICMP errors referring to ICMP queries/replies. FixesDaniel Hartmeier
2001-08-01stateless tcp normalization along the lines of the normalization paper byNiels Provos
2001-07-29Implement rule skipping. This is a transparent evaluation optimization,Daniel Hartmeier
2001-07-19Fix/complete the handling of the binary ops >< and <> to behaveKenneth R Westerback
2001-07-17support min-ttl, okay dhartmei@Niels Provos
2001-07-17normalize ip_off, make IP_DF stripping optional, return rst is a flag now.Niels Provos
2001-07-17split ip normalization out into a separate file, okay dhartmei@Niels Provos
2001-07-09Extend nat/rdr syntax. Add source/destination selection. MakeDaniel Hartmeier
2001-07-06Allow negative match on interface name for nat and rdrChris Cappuccio
2001-07-06do not use quad for countersTheo de Raadt
2001-07-03add DIOCNATLOOK ioctl and pf_natlook structure, this enables a userlandBob Beck