#
adcfd924 |
| 20-Feb-2004 |
mcbride <mcbride@openbsd.org> |
Make pfsync deal with clearing states bound to a group or interface (eg pfctl -i fxp0 -Fs). Also don't send out individual state deletions if we're sending a clear message, move pfsync_clear_states() inside splnet, and fix if_pfsync.h includes in pf.c and pf_ioctl.c.
ok cedric@ dhartmei@
|
#
8d0733eb |
| 10-Feb-2004 |
mcbride <mcbride@openbsd.org> |
Make pfsync work correctly with IP options on 64-bit alignment sensitive CPUs. Pointed out by deraadt@.
|
#
d365404a |
| 22-Jan-2004 |
mcbride <mcbride@openbsd.org> |
- Include the value of pf_state.timeout in pfsync messages
- Fix the expiry time calculations, for real
- Unbreak the collapsing of multiple updates into one
And a little KNF for good measure.
|
#
94cb5eb8 |
| 18-Jan-2004 |
mcbride <mcbride@openbsd.org> |
Port is already stored in network byte order, no need to convert.
|
#
ec359bd5 |
| 31-Dec-2003 |
cedric <cedric@openbsd.org> |
Many improvements to the handling of interfaces in PF.
1) PF should do the right thing when unplugging/replugging or cloning/destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices (USB, PCMCIA, Cardbus). For example, it is valid to write: "pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to a group of interfaces (drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast" and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases. Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and now supports multiple addresses, v4 and v6 addresses, and all userland modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or to a group of interfaces, for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff changes the pf_state structure slightly, so you should recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
|
#
aabfb640 |
| 28-Dec-2003 |
mcbride <mcbride@openbsd.org> |
Add a new PFSYNC_ACT_UREQ message type.
A pfsync system which receives a partial update for a state it cannot find can now request a full version of the update, and insert it. pfsync'd firewalls now converge more gracefully if one is missing some states (due to reset, lost insert packets, etc).
|
#
3cc77be7 |
| 15-Dec-2003 |
deraadt <deraadt@openbsd.org> |
sc_sp is a #define on some architectures, use a different name
|
#
5213b30c |
| 15-Dec-2003 |
mcbride <mcbride@openbsd.org> |
Fix whitespace screwups before henning wakes up.
|
#
2a409ae3 |
| 15-Dec-2003 |
mcbride <mcbride@openbsd.org> |
Add initial support for pf state synchronization over the network. Implemented as an in-kernel multicast IP protocol.
Turn it on like this:
# ifconfig pfsync0 up syncif fxp0
There is not yet any authentication on this protocol, so the syncif must be on a trusted network. ie, a crossover cable between the two firewalls.
NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification; packets on pfsync no longer contain regular pf_state structs, but pfsync_state structs which contain no pointers.
Much more to come.
ok deraadt@
|
#
af80fa86 |
| 08-Nov-2003 |
mcbride <mcbride@openbsd.org> |
Add 'no-sync' state option to prevent state transition messages for states created by this rule from appearing on the pfsync(4) interface. e.g.
pass in proto tcp to self flags S/SA keep state (no-sync)
ok cedric@ henning@ dhartmei@
|
#
861b23d9 |
| 11-Dec-2002 |
mickey <mickey@openbsd.org> |
unpee
|
#
2e8a0f58 |
| 29-Nov-2002 |
mickey <mickey@openbsd.org> |
expose state table changes
|