summaryrefslogtreecommitdiff
path: root/sys/net/pfvar.h
AgeCommit message (Collapse)Author
2001-09-15Don't use m_pkthdr.rcvif in pflog_packet(), it doesn't work for outgoingDaniel Hartmeier
packets and is obviously invalid (and not NULL) for IPv6 packets (hence crashed). Pass ifp down instead. sizeof(ih) instead of sizeof(&ih) for pf_pull_hdr() from pf_test6().
2001-09-15IPv6 support from Ryan McBride (mcbride@countersiege.com)Mike Frantzen
2001-09-061:1 bidrectional NAT (binat); ok dhartmei@ and frantzen@jasoni
2001-09-05s/pf_natlook/pfioc_natlook (ioctl parameter struct)Daniel Hartmeier
2001-09-04Add skip steps for interface (ifp).Daniel Hartmeier
2001-08-28Bump state timeouts and allow tweaking them from pfctl.Mike Frantzen
(The state timeouts need some _serious_ tuning)
2001-08-25PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.Mike Frantzen
2001-08-21KNFTheo de Raadt
2001-08-19Add new ioctls for adding/removing RDR and NAT rules to/from the activeDaniel Hartmeier
rule sets.
2001-08-19Add per-rule byte counter, so mickey can do accounting. We're counting theDaniel Hartmeier
data part (without IP and TCP/UDP/ICMP headers), like the state counter does.
2001-08-19Add per-rule statistics (number of evaluations and number of packets).Daniel Hartmeier
Packets passed statefully will be counted using the rule that created the state.
2001-08-18Add new ioctl for adding/removing individual rules to/from the active rule set.Daniel Hartmeier
2001-08-18make pfctl -s state SCREAM; frantzen is now happyTheo de Raadt
2001-08-11Add support for ICMP errors referring to ICMP queries/replies. FixesDaniel Hartmeier
'ICMP error message for bad proto' messages. Reported by Mark Grimes and Steve Rumble. Add debugging level with ioctl interface and pfctl switch. Default is 'None'.
2001-08-01stateless tcp normalization along the lines of the normalization paper byNiels Provos
handley, paxon and kreibich; okay deraadt@
2001-07-29Implement rule skipping. This is a transparent evaluation optimization,Daniel Hartmeier
which reduces evaluation cost for sorted rules of similar parameters. Preparation for rule duplication for parameter lists from pfctl.
2001-07-19Fix/complete the handling of the binary ops >< and <> to behaveKenneth R Westerback
like the ipf operators. The 'n >< m' construct (Include Range = PF_OP_IRG) should match ports greater than n and less than m, not greater than or equal to n and less than or equal to m. The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match all ports less than n OR greater than m, not be treated as an alias for ><. Thus PF_OP_GL, which was used for both <> and >< is replaced with PF_OP_IRG and PF_OP_XRG with the 'correct' semantics. OK dhartmei@
2001-07-17support min-ttl, okay dhartmei@Niels Provos
2001-07-17normalize ip_off, make IP_DF stripping optional, return rst is a flag now.Niels Provos
okay markus@
2001-07-17split ip normalization out into a separate file, okay dhartmei@Niels Provos
2001-07-09Extend nat/rdr syntax. Add source/destination selection. MakeDaniel Hartmeier
interface optional. Suggested by rdump@river.com. nat [on [!] <ifname>] from (any | [!] <addr>[/<mask>]) to (any | [!] <addr>[/<mask>]) -> <addr> [proto (tcp | udp | icmp)] rdr [on [!] <ifname>] from (any | [!] <addr>[/<mask>]) to (any | [!] <addr>[/<mask>]) port <a>[:<b>] -> <addr> port <c>[:*] [proto (tcp | udp | icmp)]
2001-07-06Allow negative match on interface name for nat and rdrChris Cappuccio
ok dhartmei@
2001-07-06do not use quad for countersTheo de Raadt
2001-07-03add DIOCNATLOOK ioctl and pf_natlook structure, this enables a userlandBob Beck
process recieving rdr'ed connections to look up the original destination of the connection before it was redirected - this enables the writing of transparent proxies.
2001-07-01tag packets generated by pf (return-rst, return-icmp) so they are not ↵Daniel Hartmeier
filtered, use existing icmp_error() and ip_output(). ok dugsong@, frantzen@
2001-07-01Add port ranges to the rdr directive. Connections can be redirectedKjell Wooding
to either a range of the same size, or a single port. Redirects between ranges of different sizes are not supported. Eg: rdr dc0 10.0.0.0/24 port 60000:61000 -> 127.0.0.1 port 65530:* proto udp rdr xl0 0.0.0.0/0 port 6660:6669 -> 127.0.0.1 port 6667 proto tcp This replaces the wildcard port patch (when port = 0), as it should no longer be necessary. ok dhartmei@
2001-06-29Fix PF_SCRUB enumerator.Angelos D. Keromytis
2001-06-29fix counter/reason array usageDaniel Hartmeier
2001-06-28first stab at packet normalization. includes full ip reassembly.Niels Provos
okay dhartmei@, dugsong@
2001-06-27add -z flag for zeroing statistics. -s status no longer resets anythingKjell Wooding
2001-06-27state counter changesTheo de Raadt
2001-06-26name comparison operatorsDug Song
2001-06-26fix PFRES_MAX handlingTheo de Raadt
2001-06-26array of counters indexed by reason codesTheo de Raadt
2001-06-26add rule nr for NielsDaniel Hartmeier
2001-06-26add rule pointer and log option to statesDaniel Hartmeier
2001-06-26use reasons in pull_hdr, default log if pull_hdr fails. okay deraadt@Niels Provos
2001-06-26no longer pass around **mTheo de Raadt
2001-06-26add a subreason to the link header to allow us to determine why a packet wasNiels Provos
dropped or passed. from discussion with theo and me.
2001-06-26Replicated TCP sequence tracking code in PF from Guido's IPF paper.Mike Frantzen
2001-06-25remaining lists converted to TAILQsDaniel Hartmeier
2001-06-25use TAILQ instead of homegrown list, other lists will followDaniel Hartmeier
2001-06-25revised ioctl interface, first getopt version of pfctlDaniel Hartmeier
2001-06-25Rename the rest of the structs to be consistent.Artur Grabowski
2001-06-25More renaming.Artur Grabowski
2001-06-25Avoid common names. Needs more work.Artur Grabowski
2001-06-25use only ioctl return values found in errno.hDaniel Hartmeier
2001-06-24rename ioctlbuffer to pfioc.Artur Grabowski
2001-06-24pack structures better; dhartmei okTheo de Raadt
2001-06-24REGENTS? ;)Daniel Hartmeier