History log of /openbsd-src/usr.sbin/ftp-proxy/filter.c (Results 1 – 21 of 21)
Revision Date Author Comments
# 68928c43 21-Jan-2015 deraadt <deraadt@openbsd.org>

Include <netinet/in.h> before <net/pfvar.h>. In a future change when
ports is ready, <net/pfvar.h> will stop including a pile of baloney.


# 08263cb1 18-Sep-2012 henning <henning@openbsd.org>

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


# a5bef057 07-Jul-2012 henning <henning@openbsd.org>

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


# 6194c089 30-Apr-2012 haesbaert <haesbaert@openbsd.org>

Check for nat_range_high before creating the PF nat rule.

From Lawrence Teo.

ok camield, myself, mikeb.


# 05099a09 06-Mar-2012 mikeb <mikeb@openbsd.org>

catch up with "on rdomain" changes; ok claudio


# e3ab0f79 22-Jun-2011 sthen <sthen@openbsd.org>

fix whitespace


# 48ed0d11 28-Apr-2011 mikeb <mikeb@openbsd.org>

switch ftp-proxy over to divert-to instead of rdr-to. this avoids
an expensive state lookup (via natlook ioctl) and shrinks the code.
tested by me and sthen, ok reyk sthen


# 85ec68ab 25-Mar-2011 claudio <claudio@openbsd.org>

Use the rdomain information returned by DIOCNATLOOK to install the
nat-to and rdr-to rules with correct rtable rule attributes. This
allows to use ftp-proxy to proxy across rdomains.
Tested and OK phessler@, OK henning@


# 8ff17110 13-Jan-2010 claudio <claudio@openbsd.org>

pfr.rule.*.addr.type must be initialized to PF_ADDR_NONE for things that
are not used. bzero() of the rule structure is not enough.
Found with dlg@, OK mcbride@


# 36754172 12-Jan-2010 mcbride <mcbride@openbsd.org>

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 4aba814d 22-Nov-2009 deraadt <deraadt@openbsd.org>

Move from the PF_RULESET_FILTER world order to PF_TRANS_RULESET
due to the standard henning+oga commit-and-run-for-beer problem.
ok claudio


# 14f90764 21-Nov-2009 claudio <claudio@openbsd.org>

If tagging is used use match rules instead of pass rules. This is needed
so that later pass rules will not overwrite the nat-to/rdr-to settings.
Because of this there must be an explicit "pass .. tagged proxytag .."
rule after the ftp-proxy anchor. OK henning@


# bb9fd9ec 01-Sep-2009 claudio <claudio@openbsd.org>

Bring ftp-proxy in sync with the massive pf change just committed by Henning.
This changes the way the rdr/nat rules are added to pf. Now only a single
anchor is needed (the other ones no longer exist).
To convert your ruleset you need something like this at the start of your
ruleset:
    # filter rules and anchors for ftp-proxy(8)
    anchor "ftp-proxy/*"
    pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

This was tested by myself, sthen@, dlg@ and I think many more. OK by the same
people plus henning.


# 8562b6e2 13-Jun-2008 claudio <claudio@openbsd.org>

Better error messages. Include the function causing the problem and do not
include the program name in logmsg() plus exit_daemon() does not return so
make it a void function. OK mpf@


# f9b24bdc 26-Feb-2008 henning <henning@openbsd.org>

Don't pass quick when tagging, so the tag can be used outside
the ftp-proxy anchor. Exotic setups with route-to etc.
can be implemented this way.
from camield, ok reyk beck canacar and manpage polished by jmc


# 1a90e72a 01-Aug-2007 henning <henning@openbsd.org>

allow ftp-proxy to add tag statements to the rules it inserts
clever, nice and easy diff from bsd@openbsd.rutgers.edu, ok pyr reyk


# 87d85e29 01-Dec-2006 camield <camield@openbsd.org>

forgot to update the comment as well


# 672bd2bf 01-Dec-2006 camield <camield@openbsd.org>

use flags S/SA for consistency with the rest of pf


# 8bfc93fd 07-Jun-2005 camield <camield@openbsd.org>

add OpenBSD cvs tags, prompted by xsa@


# 867a6359 07-Jun-2005 camield <camield@openbsd.org>

Introduce verbose option to control the logging of the pf rules.

ok beck mpf


# 3b53f69a 26-May-2005 camield <camield@openbsd.org>

Import new FTP proxy. Handles IPv6 and all FTP modes. It was
previously known as pftpx.

Not connected to the builds yet.

ok beck