- Updated to OpenBSD 7.4
- Switching to Python 3 on the main branch
- Tested on OpenBSD 7.0
- Tested on OpenBSD 6.5
- Updated to OpenBSD 6.4
- Updated to OpenBSD 6.3 (many thanks to Jasper Lievisse Adriaanse for his contribution)
- Support for syncookies was added to the
PacketFilterclass through 3 new methods:PacketFilter.get_synflood_watermarks()PacketFilter.set_synflood_watermarks()PacketFilter.set_syncookies()
- Added a new
PFThresholdclass formax-pkt-ratethresholds - Added a new
PFDivertclass to represent divert sockets
- Updated to OpenBSD 6.2 (many thanks to Nathan Wheeler for his contribution)
- Some little changes were made to the queueing part to integrate flows:
- a new
FlowQueueobject was created PFQueueobjects have a newflowqueueattribute
- a new
- HFSC_* constants have been replaced with PFQS_* constants
PFStatus.sincenow contains the number of seconds after machine uptime that Packet Filter was last started or stopped (not anymore since the epoch).
- Updated to OpenBSD 6.0
- Updated to OpenBSD 5.9
- Updated to OpenBSD 5.8
- Updated to OpenBSD 5.7
- Removed
pf._struct.BufferStructurethat was originally meant to overcome the 1024 bytes limit infcntl.ioctl()and is no longer needed.
- Updated to OpenBSD 5.6
- Removed the last traces of ALTQ
- Fixed a little bug in
PFState._to_string()
- Updated to OpenBSD 5.5
- OpenBSD 5.5 has a new queueing system; thus all the queue classes
(
PFAltqCBQ,PFAltqHFSCandPFAltqPriQ) and the corresponding stats classes (CBQStats,HFSCStatsandPriQStats) have been replaced by thePFQueueandPFQueueStatsclasses respectively. - Methods for retrieving and adding queues in the
PacketFilterclass (i.e.get_altqs()andadd_altqs()) have been replaced (byget_queues()andload_queues()respectively). Queues are now cleared along with rules, so theclear_altqs()method has been removed.
- Updated to OpenBSD 5.4
- Updated to OpenBSD 5.3
- Updated to OpenBSD 5.2
- Printing a
PFIfaceobject now returns a string similar to the output of the commandpfctl -sI -vv - Fixed a bug in
PFRulethat preventedrdr-torules from being correctly converted to strings - Fixed a couple of bugs in the string representation of
PFStateobjects - Added filtering capabilities to
PacketFilter.get_ruleset(): now it's possible to retrieve only rules with specific attribute values (e.g.filter.get_ruleset(ifname="em0")) - Added the
set_optimization()andget_optimization()methods toPacketFilter(thanks Colin!) - Fixed a bug in
PFAddr._from_str()which didn't allow interface groups as addresses (thanks Colin!) - Added the
pf.libmodule containing some higher-level classes that make loading PF rules much easier
- Updated to OpenBSD 5.1
- Module renamed to pf for better compliance with PEP8
- Fixed a ZeroDivisionError in PFStatus._to_string() when runtime == 0
- Added support for ALTQ statistics; three new classes have been created (CBQStats, HFSCStats and PriQStats), corresponding to the schedulers supported by OpenBSD.
- Fixed a few calls to ctonm() in PFRule.py that didn't pass the af argument
- Added probability and options to the string representation of PFRule objects
- Fixed a regexp error in PFRule.py that prevented the correct parsing of some port operands
- Fixed bug in PFUtils.rate2str which prevented correct handling of floating point numbers
- Test suite completely re-written and run with
python setup.py test
- Updated to OpenBSD 5.0; the C structures have undergone some minor changes.
- Added support for
divert-*options in PF rules. - Added a new
PacketFilter.get_ifaces()method to retrieve the list of interfaces and interface drivers known to pf(4). - Created a new
PFIfaceclass representing a network interface and returned by thePacketFilter.get_ifaces()method; this class also allows the retrieval of per-interface statistics. - Renamed the
PacketFilter.set_ifflag()method toPacketFilter.set_ifflags()for consistency withPacketFilter.get_ifflags().
- Added support for packet queueing with ALTQ; three new classes have been
created (
PFAltqCBQ,PFAltqHFSCandPFAltqPriQ), corresponding to the schedulers supported by OpenBSD.
- Updated to OpenBSD 4.8; the PF stack has undergone some major changes, such
as removing the different rule types (nat, rdr, binat ... rules do not exist
anymore) and introducing 'match' rules.
This has greatly simplified the
PFRulesetclass and thePacketFiltermethods that load/retrieve rules. - Various bugs have been corrected
- All the code has been reviewed and is now Py3k-ready.
- Updated to OpenBSD-current; modifications include the removal of 'scrub' rules and making some ioctl() transactional (set loginterface, set hostid, set reassemble and set debug).
- Added addresses to
PFTableobjects; this should make managing tables much more user-friendly. - Added the
PF_RULESET_TABLEruleset toPFRuleset; this allows loading tables along with the other rules and doesn't require that the 'persist' flag be set if the table is not yet referenced by any rule. - Added the
PacketFilter.set_reassembly()method. - Added support for table statistics, by adding the
PFTStatsobject and thePacketFilter.get_tstats()andPacketFilter.clear_tstats()methods.
- Added the
PFAddrandPFPortclasses, representing addresses and ports respectively. ThePFRuleAddrclass is now a simple container for aPFAddr/PFPortpair. - Added table support trough the
PFTableandPFTableAddrclasses; the apropriate methods for managing tables have been added to thePacketFilterclass. - The
PFPoolAddrclass has been removed: now addresses inPFPoolsarePFAddrinstances. - Re-written the
PFStateclass and created thePFStateKeyclass in accordance with the changes to PF's state handling. - Added the
PFUidandPFGidclasses, representing user and group IDs.
- Added support for loading rulesets, by means of the
PacketFilter.load_ruleset()method - Added the possibility to selectively kill states, based on address family,
transport layer protocol, source and destination addresses and interface
name, thanks to the
PacketFilter.kill_states()method - Added the
PacketFilter.set_hostid()method, which allows you to set the hostid, a numeric value used by pfsync(4) to identify which host created state table entries
- Initial release