path: root/usr.sbin/tcpdump/print-pfsync.c
Columns: Commit message, Author, Age, Files, Lines
* Another ip_ipsp.h missing, found by krw@
  (claudio, 2017-01-20, 1 file, -1/+2)
* Don't assume clr->ifname is a NUL-terminated printable string.
  Use vis(3) to safely print ifname and stop at IFNAMSIZ bytes.
  Found with afl by jsg@. OK jsg@
  (millert, 2016-10-27, 1 file, -3/+11)
* Remove remaining instances of the register keyword.
  ok deraadt@
  (mmcc, 2015-11-16, 1 file, -2/+2)
* Replace <sys/param.h> with <limits.h> and other less dirty headers where
  possible. Annotate <sys/param.h> lines with their current reasons. Switch
  to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
  MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
  sensible to avoid pulling in the pollution. These are the files confirmed
  through binary verification.
  ok guenther, millert, doug (helped with the verification protocol)
  (deraadt, 2015-01-16, 1 file, -3/+1)
* No use for <netinet/in_systm.h> nor <netinet/tcpip.h>.
  (mpi, 2014-08-14, 1 file, -2/+1)
* replay counter was bumped a while ago, update byte order conversion;
  while here, improve the way information is printed out a bit.
  with input and ok camield, mpf
  (mikeb, 2012-09-19, 1 file, -5/+6)
* the new protocol moved insert and update.
  (dlg, 2009-11-09, 1 file, -4/+6)
* rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
  unmaintainable). these days, people use source. these id's do not provide
  any benefit, and do hurt the small install media
  (the 33,000 line diff is essentially mechanical)
  ok with the idea millert, ok dms
  (deraadt, 2009-10-27, 1 file, -6/+1)
* do not include space in the end of the from for a hmac. after discussion
  with deraadt@, mcbride@, and mpf@ it is obvious that a hmac doesn't make
  sense for pfsync.
  this also firms up some of the input parsing so it handles short frames a
  bit better.
  (dlg, 2009-03-31, 1 file, -12/+5)
* better detect short frames. always print the version and length of the
  frame according to the pfsync header. don't try to parse an unsupported
  version of the protocol.
  (dlg, 2009-02-23, 1 file, -5/+9)
* pfsync v5, mostly written at n2k9, but based on work done at n2k8.
  WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC
  this is a new variant of the protocol and a large reworking of the pfsync
  code to address some performance issues. the single largest benefit comes
  from having multiple pfsync messages of different types handled in a
  single packet. pfsync's handling of pf states is highly optimised now,
  along with packet parsing and construction.
  huggz for beck@ for testing.
  huge thanks to mcbride@ for his help during development and for finding
  all the bugs during the initial tests.
  thanks to peter sutton for letting me get credit for this work.
  ok beck@ mcbride@ "good." deraadt@
  (dlg, 2009-02-16, 1 file, -92/+205)
* trash $Header goo which is just annoying; 5595
  (deraadt, 2007-10-07, 1 file, -2/+2)
* typo: print hexdump of packet, instead of pcap header; ok canacar, henning
  (markus, 2007-09-21, 1 file, -3/+3)
* pf_state is no longer the same; modify pf_print_state.c to accept
  pfsync_state (as in pfctl, but in network byte order).
  ok henning@ toby@ pyr@
  (mcbride, 2007-05-31, 1 file, -31/+3)
* crank pf_state and pf_src_node byte and packet counters to u_in64_t, since
  we're breaking pfsync compatibility this cycle anyways.
  Requested by djm@, ok henning@, 'wheee!' deraadt@
  (mcbride, 2005-11-04, 1 file, -6/+6)
* Add SA replay counter synchronization to pfsync(4). Required for IPsec
  failover gateways. ok mcbride@, "looks good" hshoexer@
  (ho, 2005-05-28, 1 file, -2/+11)
* Include protocol name in printout.
  (mcbride, 2004-07-07, 1 file, -3/+3)
* Add support for PFSYNC_ACT_BUS. (Bulk Update Status)
  ok deraadt@
  (mcbride, 2004-03-22, 1 file, -3/+26)
* Print ifname in PFSYNC_ACT_CLR message if present.
  (mcbride, 2004-02-20, 1 file, -2/+4)
* Make pfsync printing consistent with rest of tcpdump regarding newlines,
  pass -vv in to pf_print_state(), and print update count where appropriate.
  (mcbride, 2004-02-10, 1 file, -12/+17)
* Make pfsync work correctly with IP options on 64-bit alignment
  sensitive CPUs. Pointed out by deraadt@.
  (mcbride, 2004-02-10, 1 file, -6/+10)
* Increment the right pointers, so we don't print the same entries repeatedly.
  (mcbride, 2004-01-21, 1 file, -4/+4)
* Clean up pfsync output: print source address by default, pass -vv correctly
  to pf_print_state(), and other minor cleanup.
  (mcbride, 2004-01-21, 1 file, -5/+15)
* zap unused variable; ok mcbride
  (pvalchev, 2004-01-04, 1 file, -3/+2)
* Many improvements to the handling of interfaces in PF.
  1) PF should do the right thing when unplugging/replugging or
     cloning/destroying NICs.
  2) Rules can be loaded in the kernel for not-yet-existing devices
     (USB, PCMCIA, Cardbus). For example, it is valid to write:
     "pass in on kue0" before kue USB is plugged in.
  3) It is possible to write rules that apply to group of interfaces
     (drivers), like "pass in on ppp all"
  4) There is a new ":peer" modifier that completes the ":broadcast"
     and ":network" modifiers.
  5) There is a new ":0" modifier that will filter out interface aliases.
     Can also be applied to DNS names to restore original PF behaviour.
  6) The dynamic interface syntax (foo) has been vastly improved, and
     now support multiple addresses, v4 and v6 addresses, and all
     userland modifiers, like "pass in from (fxp0:network)"
  7) Scrub rules now support the !if syntax.
  8) States can be bound to the specific interface that created them or
     to a group of interfaces for example:
     - pass all keep state (if-bound)
     - pass all keep state (group-bound)
     - pass all keep state (floating)
  9) The default value when only keep state is given can be selected by
     using the "set state-policy" statement.
  10) "pfctl -ss" will now print the interface scope of the state.
  This diff changes the pf_state structure slightly, so you should
  recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
  Tested on i386, sparc, sparc64 by Ryan
  Tested on macppc, sparc64 by Daniel
  ok deraadt@ mcbride@
  (cedric, 2003-12-31, 1 file, -2/+3)
* Unbreak tree by using correct PFSYNC_ACT_UREQ #define.
  Also remove unused hlen variable.
  (mcbride, 2003-12-28, 1 file, -4/+3)
* Add a new PFSYNC_ACT_UREQ message type.
  A pfsync system which receives a partial update for a state it cannot find
  can now request a full version of the update, and insert it. pfsync'd
  firewalls now converge more gracefully if one is missing some states
  (due to reset, lost insert packets, etc).
  (mcbride, 2003-12-28, 1 file, -2/+16)
* Zero out the pf_state struct before filling it with data from the
  pfsync_state struct.
  (mcbride, 2003-12-27, 1 file, -2/+3)
* Argh. Calculate the length really, really correctly.
  (mcbride, 2003-12-19, 1 file, -3/+3)
* Calculate the length of the captured pfsync payload correctly when printing
  pfsync packets received on the wire. Prevents printing of gibberish states
  with snaplen smaller than the mtu of syncif on the sender, and probably
  other ungoodness.
  (mcbride, 2003-12-19, 1 file, -3/+3)
* Add initial support for pf state synchronization over the network.
  Implemented as an in-kernel multicast IP protocol.
  Turn it on like this:
    # ifconfig pfsync0 up syncif fxp0
  There is not yet any authentication on this protocol, so the syncif must
  be on a trusted network. ie, a crossover cable between the two firewalls.
  NOTABLE CHANGES:
  - A new index based on a unique (creatorid, stateid) tuple has been
    added to the state tree.
  - Updates now appear on the pfsync(4) interface; multiple updates may
    be compressed into a single update.
  - Applications which use bpf on pfsync(4) will need modification;
    packets on pfsync no longer contains regular pf_state structs,
    but pfsync_state structs which contain no pointers.
  Much more to come.
  ok deraadt@
  (mcbride, 2003-12-15, 1 file, -39/+84)
* Return proper anchor rule number in correct byte order.
  From Pyun YongHyeon. ok henning@, canacar@
  (dhartmei, 2003-11-08, 1 file, -2/+3)
* Print "|pfsync" if the packet is truncated, not "|pflog".
  (mcbride, 2003-11-08, 1 file, -3/+3)
* Make tcpdump -x work with pfsync.
  ok dhartmei@
  (mcbride, 2003-11-05, 1 file, -2/+4)
* - newline before printing first state (so they all line up and the first
    state doesn't wrap)
  - No need to print the rule number, that's included in the -v output.
  ok dhartmei@ canacar@
  (mcbride, 2003-11-02, 1 file, -6/+4)
* count packets and bidirectionally on state entries, allowing for fine-grained
  traffic reporting w/ pfsync; ok dhartmei@
  Note: ABI change (new fields in struct pf_state), requires a rebuild of
  pfctl and tcpdump.
  (djm, 2003-06-21, 1 file, -4/+6)
* Remove pfr_unwrap_table workaround, it's no longer needed.
  (dhartmei, 2003-01-07, 1 file, -9/+2)
* workaround until pf fixes this
  (deraadt, 2003-01-04, 1 file, -3/+10)
* no need to ntohs the ports
  (mickey, 2002-12-23, 1 file, -5/+5)
* use bcopy instead of struct assignment
  (mickey, 2002-12-20, 1 file, -6/+7)
* pfsync support; deraadt@ ok
  (mickey, 2002-11-30, 1 file, -0/+130)
* stop breaking the damn tree mickey
  (deraadt, 2002-11-30, 1 file, -130/+0)
* tcpdump support for pfsync; henning@ ok
  (mickey, 2002-11-29, 1 file, -0/+130)