"state lock" flag (if-bound, gr-bound, floating) at the end of a
NAT rule. The new syntax is backwards-compatbile with the old
syntax.
PF (kernel): change the macro BOUND_IFACE() to the inline function
bound_iface(), and add a new argument, the applicable NAT rule.
Use both the flags on the applicable filter rule and on the applicable
NAT rule to decide whether or not to bind a state to the interface
or the group where it is created.
- The array must be NULL terminated because other code depends on it.
- Use this terminator to check if we're at the end of the array instead
of doing sizeof(pf_timeouts) / sizeof(pf_timeouts[0]).
- add a CAVEATS section to pf(4) and note it
- in the description in pf.conf(5) say it is unsupported
- remove it from the grammar in pf.conf(5).
Approved by Peter Postma.
In this case PFTM_MAX == 20 and sizeof(pf_timeouts) / sizeof(pf_timeouts[0])
== 21, using a loop with the size of the array and checking for reaching the
end of the loop via j == PFTM_MAX does not work. Change the loop to use
PFTM_MAX as the upper bound and add an assertion in the code to make sure
that pf_timeouts is large enough. Finally remove last NULL element of the
array so that the array has 20 elements again.
* #ifdef out some things we don't have or do differently.
* Write struct "pcap_sf_pkthdr" instead of "pcap_pkthdr".
Fixes an LP64 specific problem with reading the pflog with tcpdump(8).
(OpenBSD fixed this by changing the structs to always use 32-bit fields)
Reviewed by yamt@.
headers and LKM.
Add MKPF; if set to no, don't build and install the pf(4) programs,
headers, LKM and spamd.
Both options default to yes, so nothing changed in the default build.
Reviewed by lukem.
> revision 1.2.2.1
> date: 2004/12/17 02:51:35; author: brad; state: Exp; lines: +2 -2
> MFC:
> Fix by frantzen@
>
> &&/|| inversion would try to merge IP addresses with non-addresses into a
> single table causing a ruleset load error and eventually a double-free.
>
> ok deraadt@ mcbride@ henning@ frantzen@ dhartmei@
some files were imported to the different places from the previous version.
v3_5:
etc/pf.conf
etc/pf.os
etc/spamd.conf
share/man/man4/pf.4
share/man/man4/pflog.4
share/man/man5/pf.conf.5
share/man/man5/pf.os.5
share/man/man5/spamd.conf.5
v3_6:
dist/pf/etc/pf.conf
dist/pf/etc/pf.os
dist/pf/etc/spamd.conf
dist/pf/share/man/man4/pf.4
dist/pf/share/man/man4/pflog.4
dist/pf/share/man/man5/pf.conf.5
dist/pf/share/man/man5/pf.os.5
dist/pf/share/man/man5/spamd.conf.5
one command line option to specify which firewall it is meant to interact
with. The implementation here puts the firewall specific code into separate
files with markers for future changes that could enable a fully transparent
mode for non-private network proxying.
pavel