Age | Commit message | Author |
|
spi_size in their phase 1 proposals, such as some DLink VPN routers.
Also replace u_char with u_int8_t. markus@, hshoexer@ ok.
|
reported by mcbride@
ok otto@ mcbride@
|
pass -vv in to pf_print_state(), and print update count where appropriate.
|
sensitive CPUs. Pointed out by deraadt@.
|
ok deraadt@ hshoexer@ avsm@
|
ok dhartmei@ brad@
|
ok deraadt@
|
ok deraadt@ hshoexer@
|
ok canacar@
|
tested by avsm@ vincent@ dhartmei@ markus@ hshoexer@ and others
go for it deraadt@
|
jakob@: "seems reasonable"
|
to pf_print_state(), and other minor cleanup.
|
rpc num, you might as well use it later too. ok canacar@
|
DNS traffic.
ok canacar@ jakob@
|
fn_print to print strings. Joint work with & ok canacar@.
|
sync with tcpdump.org. ok canacar@
|
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to a group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
|
Also remove unused hlen variable.
|
A pfsync system which receives a partial update for a state it cannot
find can now request a full version of the update, and insert it.
pfsync'd firewalls now converge more gracefully if one is missing some
states (due to reset, lost insert packets, etc).
|
pfsync_state struct.
|
ok deraadt@ millert@
|
pfsync packets received on the wire. Prevents printing of gibberish states
with snaplen smaller than the mtu of syncif on the sender, and probably
other ungoodness.
|
IPPROTO_PFSYNC -> 240
INADDR_PFSYNC_GROUP -> 224.0.0.240
ok deraadt@
|
Implemented as an in-kernel multicast IP protocol.
Turn it on like this:
# ifconfig pfsync0 up syncif fxp0
There is not yet any authentication on this protocol, so the syncif
must be on a trusted network, i.e. a crossover cable between the two
firewalls.
NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.
Much more to come.
ok deraadt@
|
From Pyun YongHyeon. ok henning@, canacar@
|
ok dhartmei@
|
state doesn't wrap)
- No need to print the rule number, that's included in the -v output.
ok dhartmei@ canacar@
|
- sort options
- typos and formatting improvements
- sync usage() and SYNOPSIS
|
Found by ho@, help/test pb@, hex suggestion/ok deraadt@
|
(i.e. stuff I got wrong the first time, or missed)
this includes some .Cd's with missing quotes and .Nm abuse in man4;
|
ok deraadt@
|
ok frantzen@
|
many manpage fixes from jmc@
|
|
traffic reporting w/ pfsync; ok dhartmei@
Note: ABI change (new fields in struct pf_state), requires a rebuild of
pfctl and tcpdump.
|