| #
adcfd924 |
| 20-Feb-2004 |
mcbride <mcbride@openbsd.org> |
Make pfsync deal with clearing states bound to a group or interface (eg
pfctl -i fxp0 -Fs). Also don't send out individual state deletions if we're
sending a clear message, move pfsync_clear_states()
Make pfsync deal with clearing states bound to a group or interface (eg
pfctl -i fxp0 -Fs). Also don't send out individual state deletions if we're
sending a clear message, move pfsync_clear_states() inside splnet, and fix
if_pfsync.h includes in pf.c and pf_ioctl.c.
ok cedric@ dhartmei@
show more ...
|
| #
8d0733eb |
| 10-Feb-2004 |
mcbride <mcbride@openbsd.org> |
Make pfsync work correctly with IP options on 64-bit alignment
sensitive CPUs. Pointed out by deraadt@.
|
| #
d365404a |
| 22-Jan-2004 |
mcbride <mcbride@openbsd.org> |
- Include the value of pf_state.timeout in pfsync messages
- Fix the expiry time calculations, for real
- Unbreak the collapsing of multiple updates into one
And a little KNF for good measure.
|
| #
94cb5eb8 |
| 18-Jan-2004 |
mcbride <mcbride@openbsd.org> |
Port is already stored in network byte order, no need to convert.
|
| #
ec359bd5 |
| 31-Dec-2003 |
cedric <cedric@openbsd.org> |
Many improvements to the handling of interfaces in PF.
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-exist
Many improvements to the handling of interfaces in PF.
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff change the pf_state structure slighltly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
show more ...
|
| #
aabfb640 |
| 28-Dec-2003 |
mcbride <mcbride@openbsd.org> |
Add a new PFSYNC_ACT_UREQ message type.
A pfsync system which recieves a partial update for a state it cannot
find can now request a full version of the update, and insert it.
pfsync'd firewalls now
Add a new PFSYNC_ACT_UREQ message type.
A pfsync system which recieves a partial update for a state it cannot
find can now request a full version of the update, and insert it.
pfsync'd firewalls now converge more gracefully if one is missing some
states (due to reset, lost insert packets, etc).
show more ...
|
| #
3cc77be7 |
| 15-Dec-2003 |
deraadt <deraadt@openbsd.org> |
sc_sp is a #define on some architectures, use a different name
|
| #
5213b30c |
| 15-Dec-2003 |
mcbride <mcbride@openbsd.org> |
Fix whitespace screwups before henning wakes up.
|
| #
2a409ae3 |
| 15-Dec-2003 |
mcbride <mcbride@openbsd.org> |
Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.
Turn it on like this:
# ifconfig pfsync0 up syncif fxp0
There is not yet any a
Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.
Turn it on like this:
# ifconfig pfsync0 up syncif fxp0
There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.
NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contains regular pf_state structs,
but pfsync_state structs which contain no pointers.
Much more to come.
ok deraadt@
show more ...
|
| #
af80fa86 |
| 08-Nov-2003 |
mcbride <mcbride@openbsd.org> |
Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.
pass in proto tcp to self flags S/SA keep state (no-sy
Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.
pass in proto tcp to self flags S/SA keep state (no-sync)
ok cedric@ henning@ dhartmei@
show more ...
|
| #
861b23d9 |
| 11-Dec-2002 |
mickey <mickey@openbsd.org> |
unpee
|
| #
2e8a0f58 |
| 29-Nov-2002 |
mickey <mickey@openbsd.org> |
expose state table changes
|