| Commit message (Collapse) | Author | Age | Files | Lines |
| |
pf(4) returns EINVAL for DIOCGETRULE, DIOCGETRULES and DIOCGETRULESET if
the specified anchor does not exist.
Extend and rename {pfr -> pf}_strerror() to make error message more
consistent.
There are other occasions as well but those need additional tweaks;
that's stuff for another diff.
OK and rename from sashan
| |
While code in pf/pfctl confusingly uses either anchor or ruleset
depending on the context, pfctl(8) (both manual and user interface)
should be consistent.
For users there are basically anchors only, so do not imply any
difference between the two terminologies.
OK sashan
| |
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
| |
manpage wording and reminder about usage() jmc@
ok florian@ henning@
| |
ports is ready, <net/pfvar.h> will stop including a pile of baloney.
| |
ok deraadt millert
| |
Careful second audit by millert
| |
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt
| |
from tobias@
ok mcbride@ tobias@
| |
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
Vancouver and yesterday here in Calgary. it hurt.
ok ryan theo
| |
and an off by one
| |
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to a group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
| |
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftovers in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):
- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:
- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK
Ok dhartmei@ mcbride@
| |
ok henning@ mcbride@
| |
ok dhartmei@ jmc@
| |
Make table tickets u_int32_t for consistency with other parts of PF.
Ok dhartmei@ henning@
| |
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.
I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)
ok dhartmei@ henning@
| |
ok dhartmei@
| |
Thanks to Max Laier.
| |
ok dhartmei@
| |
The following two pfctl functions work with an "-a" option:
- pfctl [-a foo[:bar]] -sT
- pfctl [-a foo[:bar]] -FT
ok dhartmei@
| |
Prepare for anchors, improve robustness.
WARNING: need to sync kernel/userland.
ok dhartmei@
| |
- get rid of unnecessary header netinet/in.h in pfctl_radix.c and pfctl_table.c
- do fclose(3) only when we use config file, not STDIN
- get rid of unneeded temporary variables
- minor KNF
| |
KNF + remove/reorg headers.
| |
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@
| |
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@
| |
from, but whoever thought of it is stupid.
| |
ok dhartmei@ mcbride@