#
1.27 |
|
15-Jan-2020 |
sashan |
Enable pfctl(8) to recursively flush rules and tables from PF driver. The recursive operation ("pfctl -a '*' ...") works for '-s' option already. This change enables the same thing for '-F' option, so "pfctl -a '*' -Fa" will flush everything from PF driver.
The idea was discussed with many on tech@ in spring 2019.
OK kn@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.26 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.25 |
|
28-May-2017 |
akfaew |
print_ioctl() is unused if not debugging. Found with clang, after marking the function "static". Use OSFP_DEBUG, in a similar fashion to OPT_DEBUG (pfctl_optimize.c).
OK bluhm@
|
#
1.24 |
|
27-May-2017 |
akfaew |
Move includes.
This reduces the diff with usr.sbin/tcpdump/pfctl_osfp.c. The change from tcpdump is newer, so change pfctl. No binary change.
OK deraadt@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE
|
#
1.23 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free(). ok tb@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.22 |
|
21-Jan-2015 |
deraadt |
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
#
1.21 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.20 |
|
25-Oct-2014 |
lteo |
Remove unnecessary netinet/in_systm.h include.
ok millert@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.19 |
|
22-Nov-2013 |
deraadt |
Whole bunch of (unsigned char) casts carefully added for ctype calls. Careful second audit by millert
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.18 |
|
18-Oct-2010 |
deraadt |
Revert non-compatible and undocumented bullshit committed by 3 developers who decided to just do it on their own. henning, mcbride, jsing -- shame on you -- if you had shown this diff to just 1 other network developer, the astounding mistake in it would have been noticed. Start practicing inclusionary development instead of going alone. ok claudio
|
#
1.17 |
|
17-Oct-2010 |
jsing |
Add quirks support to operating system fingerprinting. tcpdump part by mcbride@.
ok mcbride@ henning@
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.16 |
|
24-Dec-2009 |
sobrado |
spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h as neither arrayified nor arrayfied exist -- sanctioned dictionaries like Merriam-Webster ones suggest a few alternatives (e.g., arrayed), however these made up words are easy to understand and we are not certain that current ones are not ok.
ok jmc@
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.15 |
|
13-Dec-2006 |
itojun |
IPv6 passive OS fingerprinting. reuses IPv4 signature file (assuming that TCP code is shared among IPv4/v6). mcbride ok.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.14 |
|
08-Apr-2006 |
ray |
Plug simple memory leak. ``Don't forget to free tcpopts when you are done.''
From NetBSD from Coverity CID 2057.
OK henning@ and jaredy@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.13 |
|
12-Nov-2005 |
deraadt |
return; at end of function is dorky
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.12 |
|
17-Feb-2005 |
aaron |
Fix indentation as to not mislead the code reader. No functional change.
|
#
1.11 |
|
29-Dec-2004 |
mcbride |
Make sure that fingerprint_count gets reset to 0 correctly when we flush our list of fingerprints.
ok dhartmei@ henning@ frantzen@
|
#
1.10 |
|
19-Dec-2004 |
deraadt |
use strchr instead of index
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.9 |
|
09-Apr-2004 |
cedric |
Do not try to load directories. found+ok mpech@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.8 |
|
27-Feb-2004 |
henning |
make pfctl -s all a bit more useful again by not printing a lllooooooottttt of OS fingerprints and a list of interface drivers... cedric deraadt ok
|
#
1.7 |
|
10-Feb-2004 |
dhartmei |
KNF
|
#
1.6 |
|
10-Feb-2004 |
henning |
KNF
|
#
1.5 |
|
29-Jan-2004 |
mcbride |
Clean up 'pfctl -s all' output.
ok deraadt@ henning@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.4 |
|
27-Aug-2003 |
frantzen |
kill dangling 'else'. fixes modulus in W and M TCP options
|
#
1.3 |
|
22-Aug-2003 |
david |
pf spelling police ok dhartmei@ jmc@
|
#
1.2 |
|
22-Aug-2003 |
henning |
KNF
|
#
1.1 |
|
21-Aug-2003 |
frantzen |
Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF. Exposes the source IP's operating system to the filter language. Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
|