Age | Commit message | Author |
|
the O versions since these are debugging only and should not affect normal functionality; deraadt@ ok
|
|
filtered); Darren Reed <avalon@coombs.anu.edu.au>
|
|
port/path to root bridge among several LANs. unlike ifpriority, which
allows you to select designated port if several interfaces belong
to the same LAN; ok jason@
|
|
Approved by original author. Julian.Onions@nexor.co.uk
|
|
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.
Idea and ok deraadt@
|
|
blocking or disabled state. send packets only if interface is the
forwarding state; comment from netbsd; with and ok jason@
|
|
freeing rules. Fixes a number of potential memory leaks and other bugs.
- Add new pool_ticket to ensure that address pools don't get messed
with by someone else while we add rules.
- Add a second address pool buffer, so that DIOCCHANGE* operations which use
pf_compare* will work correctly.
Excellent bug report and analysis from DJ Gregor.
ok dhartmei@ henning@
|
|
ok dhartmei@
|
|
PF_CHANGE_REMOVE from dereferencing a NULL pointer.
Noticed by dhartmei@
ok dhartmei@
|
|
- Always fold the key in
Many fixes & suggestions from camield@
ok mickey@ camield@ henning@
|
|
rather than struct pfioc_pooladdr
an obvious fix from dhartmei@
|
|
- More technically correct
- Matches FreeBSD and NetBSD
- Preserved #define for 1000baseTX for backwards compatibility
ok jason@
|
|
after altq gets flushed, altq forgot that it was enabled since
altq is actually detached with an empty ruleset.
so, add a variable, pfaltq_running, to remember the running state
and re-enable altq when a new ruleset is loaded.
noticed, tested, and oked by henning@
|
|
unbreaks compiling kernel without IPv6 support.
how embarrassing, spotted by Chris Kuethe
|
|
and rdr, as well as route-to, dup-to and reply-to.
Addresses can be allocated in a number of ways:
- masking out the network portion of the address and replacing it
- randomly assigning an address in the block
- hashing the source address and a key to determine the redirection address
- iterating through the addresses sequentially (this is the only allocation
scheme which works when a list of addresses is specified)
ok dhartmei@ henning@
|
|
and the returned icmp packets in the return-icmp case
ok dhartmei@
|
|
dhartmei@ ok
|
|
rather than the ip address if it exists.
ok dhartmei@ henning@
|
|
is not set to AF_INET6 or AF_INET
ok dhartmei@ henning@
|
|
frantzen@ and dhartmei@
|
|
Found by DJ Gregor.
|
|
to the more correct and descriptive "sa_family_t af"
ok dhartmei@ henning@
|
|
(returns ifp, not ifname)
ok dhartmei@ ish@ camield@ henning@
|
|
reduces cross-file dependencies.
ok dhartmei@ ish@ henning@
|
|
binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27
Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.
from ryan
ok dhartmei@
|
|
panic: m_copym0: m == 0 and not COPYALL
and/or
panic: m_copydata: null muf
on bridges running pf with scrubbing enabled.
Bug report, test vector and confirmation by Jon Morby.
ok jason@, jasoni@
|
|
this commit is to allow further development in both userland and kernel.
the goal is to replace altq's classifier by pf(4).
- make pf tag a queue id to mbuf and make altq read the queue id
- merge altq config into pf.conf(5)
ok dhartmei@, henning@
|
|
drop is default, same behaviour as before
support
block drop
to override a return policy
|
|
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else
ok dhartmei@
|
|
- new field "return_icmp6" in pf_rule
- parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)
ok and some input dhartmei@
|
|
instead of just testing return_icmp > 0
ok dhartmei@
|
|
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.
|
|
To detect routing loops use the actual outgoing interface and not the
interface that the rule is to apply to (as there may not be one).
- noticed by mcbride@countersiege.com
- ok dhartmei@, henning@
|
|
binat.
pointed out by Ryan McBride, mcbride at countersiege dot com, Thanks!
ok frantzen@ pb@ jasoni@ deraadt@
|
|