Age | Commit message | Author
|
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to a group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces, for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
|
Also remove unused hlen variable.
|
A pfsync system which receives a partial update for a state it cannot
find can now request a full version of the update, and insert it.
pfsync'd firewalls now converge more gracefully if one is missing some
states (due to reset, lost insert packets, etc).
|
pfsync_state struct.
|
ok deraadt@ millert@
|
pfsync packets received on the wire. Prevents printing of gibberish states
with snaplen smaller than the mtu of syncif on the sender, and probably
other ungoodness.
|
IPPROTO_PFSYNC -> 240
INADDR_PFSYNC_GROUP -> 224.0.0.240
ok deraadt@
|
Implemented as an in-kernel multicast IP protocol.
Turn it on like this:
# ifconfig pfsync0 up syncif fxp0
There is not yet any authentication on this protocol, so the syncif
must be on a trusted network, i.e., a crossover cable between the two
firewalls.
NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.
Much more to come.
ok deraadt@
|
From Pyun YongHyeon. ok henning@, canacar@
|
ok dhartmei@
|
state doesn't wrap)
- No need to print the rule number, that's included in the -v output.
ok dhartmei@ canacar@
|
- sort options
- typos and formatting improvements
- sync usage() and SYNOPSIS
|
Found by ho@, help/test pb@, hex suggestion/ok deraadt@
|
(i.e. stuff I got wrong the first time, or missed)
this includes some .Cd's with missing quotes and .Nm abuse in man4;
|
ok deraadt@
|
ok frantzen@
|
many manpage fixes from jmc@
|
traffic reporting w/ pfsync; ok dhartmei@
Note: ABI change (new fields in struct pf_state), requires a rebuild of
pfctl and tcpdump.
|
- macro fixes
- kill whitespace at EOL
- new sentence, new line
|
rescinded 22 July 1999. Proofed by myself and Theo.
|
old datalink type is still recognized.
ok henning@ dhartmei@ frantzen@
|
caused words to disappear from the output
ok jmc@ a while ago
|
keeping and could result in very large memory chunks.
|
o use strlcpy()
deraadt@ OK
|
check the length of the data
|
ok henric@
|
debugging session with and ok'd by dhartmei@
|
hbhopt_print() and dstopt_print() can return 0 if
the option is located just one byte short of snapend
this would cause an infinite loop in ip6_print().
|
dropped, others may as well in the future).
ok dhartmei@ henning@
|