Age | Commit message (Collapse) | Author |
|
doing a whole bunch of needless screwing around
noticed by Stefan Krah <stefan-usenet@bytereef.org>
|
|
|
|
cleanup:
remove unused arg
no need to clear locals
return -1 to allow pid cleanup to happen if fork fails
|
|
ok millert@
|
|
unused variable and a chance to unlink the pidfile without lock
if we couldn't kill a preexisting authpf process.
spotted by Stefan Krah <sfk1@bigfoot.com>.
|
|
now that it is the default;
ok henning mcbride camield (ftp-proxy bits) deraadt
|
|
|
|
|
|
ok deraadt@
|
|
from michael knudsen
|
|
the child process (as noticed by <evol@online.ptt.ru>)
|
|
from unclean tree.
|
|
|
|
fact unnecessary, my usage of err() here also repeated the formatted
error message twice. - We don't need do_death() here, and fix err
to print the message a bit more sanely.
Noticed by Andrey Matveev <evol@online.ptt.ru> - Thanks
|
|
so the new taint enforcement for /dev/fd/X opens doesn't kill it
|
|
from johnb (pr #4520);
ok deraadt@ ian@
|
|
|
|
from tamas tevesz;
|
|
|
|
ok henning@
|
|
From: Andrey Matveev <andrushock@korovino.net>
|
|
|
|
from michael knudsen;
|
|
|
|
plus a typo;
from michael knudsen;
ok beck@
|
|
sub rulesets added by authpf. ok dhartmei@, oh yes! henning@
|
|
|
|
|
|
noticed by die tuere;
ok beck@
|
|
the parser now needs quotes around paths containing separators.
ok mcbride@
|
|
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@
|
|
overloaded via login.conf. When verifying that the user's login shell is
indeed authpf it is not sufficient to look at (struct passwd)->pw_shell,
we also have to use login_getclass etc to check whether the shell gets
overloaded.
ok millert@ beck@
|
|
|
|
|
|
ok deraadt@ dhartmei@ markus@ mcbride@
|
|
|
|
|
|
ok cedric@
|
|
|
|
|
|
|
|
Implemented as an in-kernel multicast IP protocol.
Turn it on like this:
# ifconfig pfsync0 up syncif fxp0
There is not yet any authentication on this protocol, so the syncif
must be on a trusted network, i.e., a crossover cable between the two
firewalls.
NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.
Much more to come.
ok deraadt@
|
|
- add username to added ruleset names when possible
- add much needed example to man page showing how to use NAT with tagging
to track NATed authpfed connections.
ok henning@ dhartmei@, man page cleanup by jmc@
|
|
use more verbose warning options if desired.
ok millert@, henning@, david@
|
|
|
|
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):
- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:
- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK
Ok dhartmei@ mcbride@
|
|
don't reject usernames > 15 chars; username is not used as ruleset name any
more, thus, this restriction is gone.
PR3491, fix from dhartmei
|
|
|
|
|
|
noted by Marc Revial on misc@;
ok markus@
|