src - OpenBSD base system

Age	Commit message (Collapse)	Author
2004-02-20	Print ifname in PFSYNC_ACT_CLR message if present.	Ryan Thomas McBride

2004-02-15	string.h for memset	Jolan Luff

2004-02-14	KNF	Hakan Olsson

2004-02-14	Fix DOI select logic, which was broken for IKE vendors that sends non-zero	Hakan Olsson
	spi_size in their phase 1 proposals, such as some DLink VPN routers. Also replace u_char with u_int8_t. markus@, hshoexer@ ok.
2004-02-13	Print protocol and service numbers correctly when -n switch is specified.	Can Erkin Acar
	reported by mcbride@ ok otto@ mcbride@
2004-02-10	Make pfsync printing consistent with rest of tcpdump regarding newlines,	Ryan Thomas McBride
	pass -vv in to pf_print_state(), and print update count where appropriate.
2004-02-10	Make pfsync work correctly with IP options on 64-bit alignment	Ryan Thomas McBride
	sensitive CPUs. Pointed out by deraadt@.
2004-02-05	Don't print two confusing error messages, print a single clear one.	Otto Moerbeek
	ok deraadt@ hshoexer@ avsm@
2004-02-04	Better error message when bpf device open fails.	Otto Moerbeek
	ok dhartmei@ brad@
2004-02-04	Some more non-alignment problems resolved.	Otto Moerbeek
	ok deraadt@
2004-02-02	Do away with non-aligned memory accesses.	Otto Moerbeek
	ok deraadt@ hshoexer@
2004-01-31	general cleanup and better SIGCHLD handling from millert@	Otto Moerbeek
	ok canacar@
2004-01-28	privilege separated tcpdump, joint work with otto@	Can Erkin Acar
	tested by avsm@ vincent@ dhartmei@ markus@ hshoexer@ and others go for it deraadt@
2004-01-22	802.3X pretty printer (dead simple)	Jason Wright
	jakob@: "seems reasonable"
2004-01-21	Increment the right pointers, so we don't print the same entries repeatedly.	Ryan Thomas McBride

2004-01-21	Clean up pfsync output: print source address by default, pass -vv correctly	Ryan Thomas McBride
	to pf_print_state(), and other minor cleanup.
2004-01-20	If you go through the trouble of caching the name of the last printed	Otto Moerbeek
	rpc num, you might as well use it later too. ok canacar@
2004-01-18	Sync print-domain with tcpdump.org; avoids tcpdump barfing on bogus	Otto Moerbeek
	DNS traffic. ok canacar@ jakob@
2004-01-15	Input should be atleast an isakmp_header long. otto@, markus@ ok.	Hakan Olsson

2004-01-15	print tcpmd5 signature options; with/ok itojun	Markus Friedl

2004-01-10	Avoid duplication of code; handle truncated packets properly; use	Otto Moerbeek
	fn_print to print strings. Joint work with & ok canacar@.
2004-01-09	Avoid messing up the screen by non-printable chars in hostname +	Otto Moerbeek
	sync with tcpdump.org. ok canacar@
2004-01-04	zap unused variable; ok mcbride	Peter Valchev

2003-12-31	Many improvements to the handling of interfaces in PF.	Cedric Berger
	1) PF should do the right thing when unplugging/replugging or cloning/ destroying NICs. 2) Rules can be loaded in the kernel for not-yet-existing devices (USB, PCMCIA, Cardbus). For example, it is valid to write: "pass in on kue0" before kue USB is plugged in. 3) It is possible to write rules that apply to group of interfaces (drivers), like "pass in on ppp all" 4) There is a new ":peer" modifier that completes the ":broadcast" and ":network" modifiers. 5) There is a new ":0" modifier that will filter out interface aliases. Can also be applied to DNS names to restore original PF behaviour. 6) The dynamic interface syntax (foo) has been vastly improved, and now support multiple addresses, v4 and v6 addresses, and all userland modifiers, like "pass in from (fxp0:network)" 7) Scrub rules now support the !if syntax. 8) States can be bound to the specific interface that created them or to a group of interfaces for example: - pass all keep state (if-bound) - pass all keep state (group-bound) - pass all keep state (floating) 9) The default value when only keep state is given can be selected by using the "set state-policy" statement. 10) "pfctl -ss" will now print the interface scope of the state. This diff change the pf_state structure slighltly, so you should recompile your userland tools (pfctl, authpf, pflogd, tcpdump...) Tested on i386, sparc, sparc64 by Ryan Tested on macppc, sparc64 by Daniel ok deraadt@ mcbride@
2003-12-28	Unbreak tree by using correct PFSYNC_ACT_UREQ #define.	Ryan Thomas McBride
	Also remove unused hlen variable.
2003-12-28	Add a new PFSYNC_ACT_UREQ message type.	Ryan Thomas McBride
	A pfsync system which recieves a partial update for a state it cannot find can now request a full version of the update, and insert it. pfsync'd firewalls now converge more gracefully if one is missing some states (due to reset, lost insert packets, etc).
2003-12-27	Zero out the pf_state struct before filling it with data from the	Ryan Thomas McBride
	pfsync_state struct.
2003-12-22	Fix unbounded recursion and an unsigned/signed mixup. Resolves PR 3610.	Otto Moerbeek
	ok deraadt@ millert@
2003-12-19	Argh. Calculate the length really, really correctly.	Ryan Thomas McBride

2003-12-19	Calculate the length of the captured pfsync payload correctly when printing	Ryan Thomas McBride
	pfsync packets recieved on the wire. Prevents printing of giberish states with snaplen smaller than the mtu of syncif on the sender, and probably other ungoodness.
2003-12-18	Recognize NAT-D and NAT-OA payloads. markus@ ok.	Hakan Olsson

2003-12-17	Change pfsync IP protocol and multicast group numbers.	Ryan Thomas McBride
	IPPROTO_PFSYNC -> 240 INADDR_PFSYNC_GROUP -> 224.0.0.240 ok deraadt@
2003-12-15	Add initial support for pf state synchronization over the network.	Ryan Thomas McBride
	Implemented as an in-kernel multicast IP protocol. Turn it on like this: # ifconfig pfsync0 up syncif fxp0 There is not yet any authentication on this protocol, so the syncif must be on a trusted network. ie, a crossover cable between the two firewalls. NOTABLE CHANGES: - A new index based on a unique (creatorid, stateid) tuple has been added to the state tree. - Updates now appear on the pfsync(4) interface; multiple updates may be compressed into a single update. - Applications which use bpf on pfsync(4) will need modification; packets on pfsync no longer contains regular pf_state structs, but pfsync_state structs which contain no pointers. Much more to come. ok deraadt@
2003-11-08	Return proper anchor rule number in correct byte order.	Daniel Hartmeier
	From Pyun YongHyeon. ok henning@, canacar@
2003-11-08	typos from Jonathon Gray;	Jason McIntyre

2003-11-08	Print "\|pfsync" if the packet is truncated, not "\|pflog".	Ryan Thomas McBride

2003-11-05	Make tcpdump -x work with pfsync.	Ryan Thomas McBride
	ok dhartmei@
2003-11-02	- newline before printing first state (so they all line up and the first	Ryan Thomas McBride
	state doesn't wrap) - No need to print the rule number, that's included in the -v output. ok dhartmei@ canacar@
2003-10-12	Default snaplen is 96 not 68, from Pyun YongHyeon, ok deraadt@	Daniel Hartmeier

2003-10-12	Make it compile without INET6, from Max Laier, ok deraadt@	Daniel Hartmeier

2003-09-25	- simplify macros	Jason McIntyre
	- sort options - typos and formatting improvements - sync usage() and SYNOPSIS
2003-09-08	Fix 'tcpdump -v icmp' endianess buglet, print ID in hex.	Cedric Berger
	Found by ho@, help/test pb@, hex suggestion/ok deraadt@
2003-09-04	put escapes in the right place;	Jason McIntyre
	(i.e. stuff I got wrong the first time, or missed) this includes some .Cd's with missing quotes and .Nm abuse in man4;
2003-09-02	escape punctuation; (and a nit in openssl.1)	Jason McIntyre
	ok deraadt@
2003-08-28	tweak;	Jason McIntyre
	ok frantzen@
2003-08-21	print the operating system of TCP SYN packets with the -o option	Mike Frantzen

2003-07-17	add support for ESP decryption; ok deraadt@; feedback mickey@;	Markus Friedl
	many manpage fixes from jmc@
2003-07-14	macro fixes;	Jason McIntyre

2003-07-08	print ip_{src,dst} again; ok henning@	Markus Friedl

2003-06-26	ansi and protos	Theo de Raadt