| Age | Commit message (Collapse) | Author |
|---|
|
so the new taint enforcement for /dev/fd/X opens don't kill it
|
|
from johnb (pr #4520);
ok deraadt@ ian@
|
|
|
|
from tamas tevesz;
|
|
|
|
ok henning@
|
|
From: Andrey Matveev <andrushock@korovino.net>
|
|
|
|
from michael knudsen;
|
|
|
|
plus a typo;
from michael knudsen;
ok beck@
|
|
sub rulesets added by authpf. ok dhartmei@, oh yes! henning@
|
|
|
|
|
|
noticed by die tuere;
ok beck@
|
|
the parser now needs quotes around paths containing separators.
ok mcbride@
|
|
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@
|
|
overloaded via login.conf. When verifying that the user's login shell is
indeed authpf it is not sufficient to look at (struct passwd)->pw_shell,
we also have to use login_getclass etc to check wether the shell gets
overloaded.
ok millert@ beck@
|
|
|
|
|
|
ok deraadt@ dhartmei@ markus@ mcbride@
|
|
|
|
|
|
ok cedric@
|
|
|
|
|
|
|
|
Implemented as an in-kernel multicast IP protocol.
Turn it on like this:
# ifconfig pfsync0 up syncif fxp0
There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.
NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contains regular pf_state structs,
but pfsync_state structs which contain no pointers.
Much more to come.
ok deraadt@
|
|
- add username to added ruleset names when possible
- add much needed example to man page showing how to use NAT with tagging
to track NATed authpfed connections.
ok henning@ dhartmei@, man page cleanup by jmc@
|
|
use more verbose warning options if desired.
ok millert@, henning@, david@
|
|
|
|
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remain in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fail.
- Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):
- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:
- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK
Ok dhartmei@ mcbride@
|
|
don't reject usernames > 15 chars; username is not used as ruleset name any
more, thus, this restriction is gone.
PR3491, fix from dhartmei
|
|
|
|
|
|
noted by Marc Revial on misc@;
ok markus@
|
|
|
|
- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistant with other
parsed rules.
ok dhartmei@
|
|
user loggged in concurrently. And fix a smaller bug which prevented
complete removal of a user's state entries on logout. Bug report and
testing by Ed Powers.
|
|
The pfctl.c part will probably need some further improvements.
ok henning@
|
|
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.
I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)
ok dhartmei@ henning@
|
|
|
|
spotted by Joel Knight again
|
|
|
|
|
|
ok daniel
|
|
- macro fixes
- kill whitespace at EOL
- new sentence, new line
|
|
|
|
someone comes along later, modifies the code, and runs into a problem.
OK beck@
|
|
|
