Age | Commit message | Author
---|---|---
2001-12-10 | Add an ioctl to add state entries (DIOCADDSTATE) for proxies. | Daniel Hartmeier
2001-12-10 | Add stateful filtering for other (non-TCP/UDP/ICMP) protocols, based on source/destination addresses/ports only. Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols. Destination and redirection port(s) are now optional for RDR rules. Not specifying destination port(s) means 'redirect all ports', not specifying redirection port(s) means 'redirect to the original port'. | Daniel Hartmeier
2001-11-26 | add fastroute options similar to what is found in ipf. ok dhartmei@, frantzen@ | jasoni
2001-11-06 | Use #defines for skip step values. From dgregor@net.ohio-state.edu. | Daniel Hartmeier
2001-10-15 | Add 'allow-opts' to rules. Packets with IP options will be blocked by default now, and can be allowed per rule. ok deraadt@ | Daniel Hartmeier
2001-09-27 | The skip steps array was one element short (since adding steps for af). This invoked undefined behaviour under the proper circumstances. | Daniel Hartmeier
2001-09-15 | Don't use m_pkthdr.rcvif in pflog_packet(), it doesn't work for outgoing packets and is obviously invalid (and not NULL) for IPv6 packets (hence crashed). Pass ifp down instead. sizeof(ih) instead of sizeof(&ih) for pf_pull_hdr() from pf_test6(). | Daniel Hartmeier
2001-09-15 | IPv6 support from Ryan McBride (mcbride@countersiege.com) | Mike Frantzen
2001-09-06 | 1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@ | jasoni
2001-09-05 | s/pf_natlook/pfioc_natlook (ioctl parameter struct) | Daniel Hartmeier
2001-09-04 | Add skip steps for interface (ifp). | Daniel Hartmeier
2001-08-28 | Bump state timeouts and allow tweaking them from pfctl. (The state timeouts need some _serious_ tuning) | Mike Frantzen
2001-08-25 | PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation. | Mike Frantzen
2001-08-21 | KNF | Theo de Raadt
2001-08-19 | Add new ioctls for adding/removing RDR and NAT rules to/from the active rule sets. | Daniel Hartmeier
2001-08-19 | Add per-rule byte counter, so mickey can do accounting. We're counting the data part (without IP and TCP/UDP/ICMP headers), like the state counter does. | Daniel Hartmeier
2001-08-19 | Add per-rule statistics (number of evaluations and number of packets). Packets passed statefully will be counted using the rule that created the state. | Daniel Hartmeier
2001-08-18 | Add new ioctl for adding/removing individual rules to/from the active rule set. | Daniel Hartmeier
2001-08-18 | make pfctl -s state SCREAM; frantzen is now happy | Theo de Raadt
2001-08-11 | Add support for ICMP errors referring to ICMP queries/replies. Fixes 'ICMP error message for bad proto' messages. Reported by Mark Grimes and Steve Rumble. Add debugging level with ioctl interface and pfctl switch. Default is 'None'. | Daniel Hartmeier
2001-08-01 | stateless tcp normalization along the lines of the normalization paper by handley, paxson and kreibich; okay deraadt@ | Niels Provos
2001-07-29 | Implement rule skipping. This is a transparent evaluation optimization, which reduces evaluation cost for sorted rules of similar parameters. Preparation for rule duplication for parameter lists from pfctl. | Daniel Hartmeier
2001-07-19 | Fix/complete the handling of the binary ops >< and <> to behave like the ipf operators. The 'n >< m' construct (Include Range = PF_OP_IRG) should match ports greater than n and less than m, not greater than or equal to n and less than or equal to m. The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match all ports less than n OR greater than m, not be treated as an alias for ><. Thus PF_OP_GL, which was used for both <> and ><, is replaced with PF_OP_IRG and PF_OP_XRG with the 'correct' semantics. OK dhartmei@ | Kenneth R Westerback
2001-07-17 | support min-ttl, okay dhartmei@ | Niels Provos
2001-07-17 | normalize ip_off, make IP_DF stripping optional, return rst is a flag now. okay markus@ | Niels Provos
2001-07-17 | split ip normalization out into a separate file, okay dhartmei@ | Niels Provos
2001-07-09 | Extend nat/rdr syntax. Add source/destination selection. Make interface optional. Suggested by rdump@river.com. `nat [on [!] <ifname>] from (any \| [!] <addr>[/<mask>]) to (any \| [!] <addr>[/<mask>]) -> <addr> [proto (tcp \| udp \| icmp)]` and `rdr [on [!] <ifname>] from (any \| [!] <addr>[/<mask>]) to (any \| [!] <addr>[/<mask>]) port <a>[:<b>] -> <addr> port <c>[:*] [proto (tcp \| udp \| icmp)]` | Daniel Hartmeier
2001-07-06 | Allow negative match on interface name for nat and rdr. ok dhartmei@ | Chris Cappuccio
2001-07-06 | do not use quad for counters | Theo de Raadt
2001-07-03 | add DIOCNATLOOK ioctl and pf_natlook structure, this enables a userland process receiving rdr'ed connections to look up the original destination of the connection before it was redirected - this enables the writing of transparent proxies. | Bob Beck
2001-07-01 | tag packets generated by pf (return-rst, return-icmp) so they are not filtered, use existing icmp_error() and ip_output(). ok dugsong@, frantzen@ | Daniel Hartmeier
2001-07-01 | Add port ranges to the rdr directive. Connections can be redirected to either a range of the same size, or a single port. Redirects between ranges of different sizes are not supported. Eg: `rdr dc0 10.0.0.0/24 port 60000:61000 -> 127.0.0.1 port 65530:* proto udp` and `rdr xl0 0.0.0.0/0 port 6660:6669 -> 127.0.0.1 port 6667 proto tcp`. This replaces the wildcard port patch (when port = 0), as it should no longer be necessary. ok dhartmei@ | Kjell Wooding
2001-06-29 | Fix PF_SCRUB enumerator. | Angelos D. Keromytis
2001-06-29 | fix counter/reason array usage | Daniel Hartmeier
2001-06-28 | first stab at packet normalization. includes full ip reassembly. okay dhartmei@, dugsong@ | Niels Provos
2001-06-27 | add -z flag for zeroing statistics. -s status no longer resets anything | Kjell Wooding
2001-06-27 | state counter changes | Theo de Raadt
2001-06-26 | name comparison operators | Dug Song
2001-06-26 | fix PFRES_MAX handling | Theo de Raadt
2001-06-26 | array of counters indexed by reason codes | Theo de Raadt
2001-06-26 | add rule nr for Niels | Daniel Hartmeier
2001-06-26 | add rule pointer and log option to states | Daniel Hartmeier
2001-06-26 | use reasons in pull_hdr, default log if pull_hdr fails. okay deraadt@ | Niels Provos
2001-06-26 | no longer pass around `**m` | Theo de Raadt
2001-06-26 | add a subreason to the link header to allow us to determine why a packet was dropped or passed. from discussion with theo and me. | Niels Provos
2001-06-26 | Replicated TCP sequence tracking code in PF from Guido's IPF paper. | Mike Frantzen
2001-06-25 | remaining lists converted to TAILQs | Daniel Hartmeier
2001-06-25 | use TAILQ instead of homegrown list, other lists will follow | Daniel Hartmeier
2001-06-25 | revised ioctl interface, first getopt version of pfctl | Daniel Hartmeier
2001-06-25 | Rename the rest of the structs to be consistent. | Artur Grabowski