Update to 7.2

Doxyfile

@@ -1,15 +1,16 @@
-# Doxyfile 1.9.3
+# Doxyfile 1.9.5
 
 #---------------------------------------------------------------------------
 # Project related configuration options
 #---------------------------------------------------------------------------
 DOXYFILE_ENCODING      = UTF-8
 PROJECT_NAME           = "PF Rule Editor"
-PROJECT_NUMBER         = 7.1
+PROJECT_NUMBER         = 7.2
 PROJECT_BRIEF          =
 PROJECT_LOGO           =
 OUTPUT_DIRECTORY       = ./docs
 CREATE_SUBDIRS         = NO
+CREATE_SUBDIRS_LEVEL   = 8
 ALLOW_UNICODE_NAMES    = NO
 OUTPUT_LANGUAGE        = English
 BRIEF_MEMBER_DESC      = YES
@@ -115,12 +116,14 @@ WARN_IF_INCOMPLETE_DOC = YES
 WARN_NO_PARAMDOC       = NO
 WARN_AS_ERROR          = NO
 WARN_FORMAT            = "$file:$line: $text"
+WARN_LINE_FORMAT       = "at line $line of file $file"
 WARN_LOGFILE           =
 #---------------------------------------------------------------------------
 # Configuration options related to the input files
 #---------------------------------------------------------------------------
 INPUT                  = ./
 INPUT_ENCODING         = UTF-8
+INPUT_FILE_ENCODING    =
 FILE_PATTERNS          = *.php \
                          *.css
 RECURSIVE              = YES
@@ -140,6 +143,7 @@ FILTER_PATTERNS        =
 FILTER_SOURCE_FILES    = NO
 FILTER_SOURCE_PATTERNS =
 USE_MDFILE_AS_MAINPAGE =
+FORTRAN_COMMENT_AFTER  = 72
 #---------------------------------------------------------------------------
 # Configuration options related to source browsing
 #---------------------------------------------------------------------------
@@ -168,6 +172,7 @@ HTML_FOOTER            =
 HTML_STYLESHEET        =
 HTML_EXTRA_STYLESHEET  =
 HTML_EXTRA_FILES       =
+HTML_COLORSTYLE        = AUTO_LIGHT
 HTML_COLORSTYLE_HUE    = 220
 HTML_COLORSTYLE_SAT    = 100
 HTML_COLORSTYLE_GAMMA  = 80
@@ -207,7 +212,6 @@ EXT_LINKS_IN_WINDOW    = NO
 OBFUSCATE_EMAILS       = YES
 HTML_FORMULA_FORMAT    = png
 FORMULA_FONTSIZE       = 10
-FORMULA_TRANSPARENT    = YES
 FORMULA_MACROFILE      =
 USE_MATHJAX            = NO
 MATHJAX_VERSION        = MathJax_2
@@ -311,8 +315,9 @@ DIA_PATH               =
 HIDE_UNDOC_RELATIONS   = NO
 HAVE_DOT               = YES
 DOT_NUM_THREADS        = 0
-DOT_FONTNAME           = Helvetica
-DOT_FONTSIZE           = 10
+DOT_COMMON_ATTR        = "fontname=Helvetica,fontsize=10"
+DOT_EDGE_ATTR          = "labelfontname=Helvetica,labelfontsize=10"
+DOT_NODE_ATTR          = "shape=box,height=0.2,width=0.4"
 DOT_FONTPATH           =
 CLASS_GRAPH            = YES
 COLLABORATION_GRAPH    = YES
@@ -340,7 +345,6 @@ PLANTUML_CFG_FILE      =
 PLANTUML_INCLUDE_PATH  =
 DOT_GRAPH_MAX_NODES    = 50
 MAX_DOT_GRAPH_DEPTH    = 0
-DOT_TRANSPARENT        = NO
 DOT_MULTI_TARGETS      = NO
 GENERATE_LEGEND        = YES
 DOT_CLEANUP            = YES

README.md

@@ -58,8 +58,8 @@ You can find a couple of screenshots on the [wiki](https://github.com/sonertari/
 
 Here are the basic steps to obtain a working PFRE installation:
 
-- Install OpenBSD 7.1, perhaps on a VM.
-- Install PHP 8.1.4, php-pcntl, and php-cgi.
+- Install OpenBSD 7.2, perhaps on a VM.
+- Install PHP 8.1.10, php-pcntl, and php-cgi.
 - Copy the files in PFRE src folder to /var/www/htdocs/pfre/.
 - Configure httpd.conf for PFRE.
 - Create admin and user users, and set their passwords.
@@ -74,7 +74,7 @@ The OpenBSD installation guide is at [faq4](http://www.openbsd.org/faq/faq4.html
 
 Here are a couple of guidelines:
 
-- You can download install71.iso available at OpenBSD mirrors.
+- You can download install72.iso available at OpenBSD mirrors.
 - It may be easier to install a PFRE test system on a VM of your choice, e.g. VMware or VirtualBox, rather than bare hardware.
 - 256MB RAM and 8GB HD should be enough.
 - If you want to obtain a packet filtering firewall, make sure the VM has at least 2 ethernet interfaces:
@@ -104,15 +104,15 @@ Download the required packages from an OpenBSD mirror and copy them to $PKG\_PAT
 	femail-1.0p1.tgz
 	femail-chroot-1.0p3.tgz
 	gettext-runtime-0.21p1.tgz
-	libiconv-1.16p0.tgz
+	libiconv-1.17.tgz
 	libsodium-1.0.18p1.tgz
-	libxml-2.9.13.tgz
-	oniguruma-6.9.7.1.tgz
+	libxml-2.10.2.tgz
+	oniguruma-6.9.8.tgz
 	pcre2-10.37.tgz
-	php-8.1.4p1.tgz
-	php-cgi-8.1.4.tgz
-	php-pcntl-8.1.4.tgz
-	xz-5.2.5p0.tgz
+	php-8.1.10p0.tgz
+	php-cgi-8.1.10.tgz
+	php-pcntl-8.1.10.tgz
+	xz-5.2.5p2.tgz
 
 Install PHP, php-pcntl, and php-cgi by running the following commands, which should install their dependencies as well:
 
@@ -132,15 +132,15 @@ Here is the expected output of that command:
 	femail-1.0p1        simple SMTP client
 	femail-chroot-1.0p3 simple SMTP client for chrooted web servers
 	gettext-runtime-0.21p1 GNU gettext runtime libraries and programs
-	libiconv-1.16p0     character set conversion library
+	libiconv-1.17       character set conversion library
 	libsodium-1.0.18p1  library for network communications and cryptography
-	libxml-2.9.13       XML parsing library
-	oniguruma-6.9.7.1   regular expressions library
+	libxml-2.10.2       XML parsing library
+	oniguruma-6.9.8     regular expressions library
 	pcre2-10.37         perl-compatible regular expression library, version 2
-	php-8.1.4p1         server-side HTML-embedded scripting language
-	php-cgi-8.1.4       php CGI binary
-	php-pcntl-8.1.4     PCNTL extensions for php
-	xz-5.2.5p0          LZMA compression and decompression tools
+	php-8.1.10p0        server-side HTML-embedded scripting language
+	php-cgi-8.1.10      php CGI binary
+	php-pcntl-8.1.10    PCNTL extensions for php
+	xz-5.2.5p2          LZMA compression and decompression tools
 
 ### Install PFRE
 

src/View/locale/tr_TR/LC_MESSAGES/pfre.po

@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 7.1\n"
+"Project-Id-Version: PFRE 7.2\n"
 "Last-Translator: Soner Tari <sonertari@gmail.com>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"

src/View/locale/tr_TR/LC_MESSAGES/pfre_CONTROL.po

@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 7.1\n"
+"Project-Id-Version: PFRE 7.2\n"
 "Last-Translator: Soner Tari <sonertari@gmail.com>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"

src/View/locale/tr_TR/LC_MESSAGES/pfre_HELPBOX.po

@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 7.1\n"
+"Project-Id-Version: PFRE 7.2\n"
 "Last-Translator: Soner Tari <sonertari@gmail.com>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"

src/View/locale/tr_TR/LC_MESSAGES/pfre_MENU.po

@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 7.1\n"
+"Project-Id-Version: PFRE 7.2\n"
 "Last-Translator: Soner Tari <sonertari@gmail.com>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"

src/View/locale/tr_TR/LC_MESSAGES/pfre_NOTICE.po

@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 7.1\n"
+"Project-Id-Version: PFRE 7.2\n"
 "Last-Translator: Soner Tari <sonertari@gmail.com>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"

src/View/locale/tr_TR/LC_MESSAGES/pfre_TITLE.po

@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 7.1\n"
+"Project-Id-Version: PFRE 7.2\n"
 "Last-Translator: Soner Tari <sonertari@gmail.com>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"

src/View/locale/tr_TR/LC_MESSAGES/pfre__.po

@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 7.1\n"
+"Project-Id-Version: PFRE 7.2\n"
 "Last-Translator: Soner Tari <sonertari@gmail.com>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"

src/View/pf/pf.conf.html

@@ -405,6 +405,10 @@
              listed in icmp(4) and icmp6(4).  The protocol and the ICMP type
              indicator (<span class="bold">icmp-type</span> or <span class="bold">icmp6-type</span>) must match.
 
+             ICMP responses are not permitted unless they either match an
+             existing request, or unless <span class="bold">no</span> <span class="bold">state</span> or <span class="bold">keep</span> <span class="bold">state</span> <span class="bold">(sloppy)</span> is
+             specified.
+
 <a name="label"></a>
      <span class="bold">label</span> <span class="underline">string</span>
              Adds a label to the rule, which can be used to identify the rule.
@@ -881,57 +885,50 @@
              Sets hard limits on the memory pools used by the packet filter.
              See pool(9) for an explanation of memory pools.
 
-<a name="states"></a>
-             For example, to set the maximum number of entries in the memory
-             pool used by state table entries (generated by <span class="bold">pass</span> rules which
-             do not specify <span class="bold">no</span> <span class="bold">state</span>) to 20000:
-
-                   set limit states 20000
-
-<a name="frags"></a>
-             To set the maximum number of entries in the memory pool used for
-             fragment reassembly to 2000:
-
-                   set limit frags 2000
+             Limits can be set on the following:
 
-             This maximum may not exceed, and should be well below, the
-             maximum number of mbuf clusters (sysctl kern.maxclusters) in the
-             system.
+<a name="states"></a>
+             <span class="bold">states</span>         Set the maximum number of entries in the memory
+                            pool used by state table entries (those generated
+                            by <span class="bold">pass</span> rules which do not specify <span class="bold">no</span> <span class="bold">state</span>).  The
+                            default is 100000.
 
 <a name="src-nodes"></a>
-             To set the maximum number of entries in the memory pool used for
-             tracking source IP addresses (generated by the <span class="bold">sticky-address</span> and
-             <span class="bold">src.track</span> options) to 2000:
+             <span class="bold">src-nodes</span>      Set the maximum number of entries in the memory
+                            pool used for tracking source IP addresses
+                            (generated by the <span class="bold">sticky-address</span> and <span class="bold">src.track</span>
+                            options).  The default is 10000.
 
-                   set limit src-nodes 2000
+<a name="frags"></a>
+             <span class="bold">frags</span>          Set the maximum number of entries in the memory
+                            pool used for fragment reassembly.  The maximum
+                            may not exceed, and should be well below, the
+                            maximum number of mbuf clusters (sysctl
+                            kern.maxclusters) in the system.  The default is
+                            NMBCLUSTERS/32.  NMBCLUSTERS defines the total
+                            number of packets which can exist in-system at any
+                            one time.  Refer to &lt;<span class="underline">machine/param.h</span>&gt; for the
+                            platform-specific value.
 
 <a name="tables"></a>
+             <span class="bold">tables</span>         Set the number of tables that can exist.  The
+                            default is 1000.
+
 <a name="table-entries"></a>
-             To set limits on the memory pools used by tables:
+             <span class="bold">table-entries</span>  Set the number of addresses that can be stored in
+                            tables.  The default is 200000, or 100000 on
+                            machines with less than 100MB of physical memory.
 
-                   set limit tables 1000
-                   set limit table-entries 100000
+             <span class="bold">pktdelay_pkts</span>  Set the maximum number of packets that can be held
+                            in the delay queue.  The default is 10000.
 
-             The first limits the number of tables that can exist to 1000.
-             The second limits the overall number of addresses that can be
-             stored in tables to 100000.
+             <span class="bold">anchors</span>        Set the number of anchors that can exist.  The
+                            default is 512.
 
-             Various limits can be combined on a single line:
+             Multiple limits can be combined on a single line:
 
                    set limit { states 20000, frags 2000, src-nodes 2000 }
 
-             pf(4) has the following defaults:
-
-             states           PFSTATE_HIWAT             (100000)
-             tables           PFR_KTABLE_HIWAT          (1000)
-             table-entries    PFR_KENTRY_HIWAT          (200000)
-             table-entries    PFR_KENTRY_HIWAT_SMALL    (100000)
-             frags            NMBCLUSTERS/32            (platform dependent)
-
-             NMBCLUSTERS defines the total number of packets which can exist
-             in-system at any one time.  Refer to &lt;<span class="underline">machine/param.h</span>&gt; for the
-             platform-specific value.
-
 <a name="loginterface"></a>
      <span class="bold">set</span> <span class="bold">loginterface</span> <span class="underline">interface</span> | <span class="bold">none</span>
              Enable collection of packet and byte count statistics for the
@@ -1626,12 +1623,13 @@
            States created by this rule are exported on the pflow(4) interface.
 <a name="sloppy"></a>
      <span class="bold">sloppy</span>
-           Uses a sloppy TCP connection tracker that does not check sequence
-           numbers at all, which makes insertion and ICMP teardown attacks way
-           easier.  This is intended to be used in situations where one does
-           not see all packets of a connection, e.g. in asymmetric routing
-           situations.  It cannot be used with <span class="bold">modulate</span> <span class="bold">state</span> or <span class="bold">synproxy</span>
-           <span class="bold">state</span>.
+           For TCP, uses a sloppy connection tracker that does not check
+           sequence numbers at all, which makes insertion and ICMP teardown
+           attacks way easier.  This is intended to be used in situations
+           where one does not see all packets of a connection, e.g. in
+           asymmetric routing situations.  It cannot be used with <span class="bold">modulate</span>
+           <span class="bold">state</span> or <span class="bold">synproxy</span> <span class="bold">state</span>.  For ICMP, this option allows states to be
+           created from replies, not just requests.
      <span class="underline">timeout</span> <span class="underline">seconds</span>
            Changes the <span class="underline">timeout</span> values used for states created by this rule.
            For a list of all valid <span class="underline">timeout</span> names, see <span class="underline">OPTIONS</span> above.
@@ -1726,7 +1724,13 @@
 
 <a name="max-mss"></a>
      <span class="bold">max-mss</span> <span class="underline">number</span>
-           Enforces a maximum segment size (MSS) for matching TCP packets.
+           Reduces the maximum segment size (MSS) on TCP SYN packets to be no
+           greater than <span class="underline">number</span>.  This is sometimes required in scenarios where
+           the two endpoints of a TCP connection are not able to carry similar
+           sized packets and the resulting mismatch can lead to packet
+           fragmentation or loss.  Note that setting the MSS this way can have
+           undesirable effects, such as interfering with the OS detection
+           features of pf(4).
 
 <a name="min-ttl"></a>
      <span class="bold">min-ttl</span> <span class="underline">number</span>
@@ -2286,7 +2290,7 @@
 <span class="bold">HISTORY</span>
      The <span class="bold">pf.conf</span> file format first appeared in OpenBSD 3.0.
 
-OpenBSD 7.1                     March 31, 2022                     OpenBSD 7.1
+OpenBSD 7.2                      July 24, 2022                     OpenBSD 7.2
 </pre>
 </body>
 </html>

src/create_po.sh

@@ -81,7 +81,7 @@ if ! xgettext -L "PHP" -s \
 		--copyright-holder="Soner Tari, The PFRE project" \
 		--msgid-bugs-address="sonertari@gmail.com" \
 		--package-name="PFRE" \
-		--package-version="7.1" \
+		--package-version="7.2" \
 		-j -o $LOCALE_FILE \
 		-f files.txt; then
 	echo "FAILED generating $LOCALE_FILE"

src/lib/defs.php

@@ -23,7 +23,7 @@
  */
 
 /// Project version.
-define('VERSION', '7.1');
+define('VERSION', '7.2');
 
 $ROOT= dirname(dirname(dirname(__FILE__)));
 $SRC_ROOT= dirname(dirname(__FILE__));