c36c90a2 | 01-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCSETDEBUG to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

71d3c704 | 31-May-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCNATLOOK to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

9dbbe68b | 30-May-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCCLRSTATUS to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

cd2054d4 | 24-May-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: add pfctl_get_rule_h()

Add a handle variant of pfctl_get_rule(). This converts us from using the nvlist variant to the netlink variant, and also moves us closer to a world where all libpfctl functions take the handle.

While here have pfctl use the new function.

Sponsored by: Rubicon Communications, LLC ("Netgate")

f1612e70 | 09-May-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix file descriptor leak

pfctl_get_rules_info() opened a netlink socket, but failed to close it again. Fix this by factoring out the netlink-based function into a _h variant that takes struct pfctl_handle, and implement pfctl_get_rules_info() based on that, remembering to close the fd.

While here migrate all in-tree consumers to the _h variant.

MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")

5824df8d | 23-Mar-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCGETSTATUS to netlink

Introduce pfctl_get_status_h() because we need the pfctl_handle. In this variant use netlink to obtain the information.

Sponsored by: Rubicon Communications, LLC ("Netgate")

044243fc | 24-Apr-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: allow access to the fd

pfctl_open() opens both /dev/pf and a netlink socket. Allow access to the /dev/pf fd via pfctl_fd(). This means that libpfctl users no longer have to open /dev/pf themselves for any calls that are not yet available in libpfctl.

Sponsored by: Rubicon Communications, LLC ("Netgate")
MFC after: 2 weeks

a3f71765 | 26-Apr-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix incorrect pcounters array size

The array is 2 x 2 x 2, not 2 x 2 x 3.

Sponsored by: Rubicon Communications, LLC ("Netgate")
MFC after: 2 weeks

88f557a2 | 21-Mar-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix incorrect labels copy

We copied the entire parsed_labels struct, including the counter to a field that was only big enough for the labels (so not the counter).

PR: 277875
MFC after: 1 week

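The over-copy described in 88f557a2, as an added C illustration that is not libpfctl code: a parsing helper carries the labels plus a count, and the destination only has room for the labels, so a memcpy() sized by the source writes the count into whatever field follows. The struct and field names, the ridentifier field placed after label[], and the limits (5 labels of 64 bytes, following the five-label limit introduced in 6fcc8e04) are assumptions for the example. The buggy copy is not executed here; its overflow is computed from the sizes instead, and the corrected copy is bounded by the destination.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_LABELS	5	/* assumed, matches the five-label limit */
#define LABEL_SIZE	64	/* assumed */

/* Helper used while parsing; the count is not part of the rule layout. */
struct parsed_labels {
	char	labels[MAX_LABELS][LABEL_SIZE];
	int	count;
};

/* Destination: only room for the labels; a neighbour follows directly. */
struct rule {
	char		label[MAX_LABELS][LABEL_SIZE];
	uint32_t	ridentifier;	/* assumed neighbour field */
};

/*
 * Bytes that memcpy(r->label, pl, sizeof(*pl)) would write past the end
 * of r->label, i.e. straight into the neighbour. 0 means no overflow.
 */
size_t
overcopy_bytes(void)
{
	struct rule r;
	size_t src = sizeof(struct parsed_labels);
	size_t dst = sizeof(r.label);

	return (src > dst ? src - dst : 0);
}

/* Corrected copy: sized by the destination, and only the labels. */
void
copy_labels(struct rule *r, const struct parsed_labels *pl)
{
	memcpy(r->label, pl->labels, sizeof(r->label));
}

/*
 * Constructed input: three labels, count = 3, and a sentinel in the
 * neighbour field. Returns 1 if the neighbour survives and the labels
 * arrived, 0 otherwise.
 */
int
demo_copy_keeps_neighbour(void)
{
	struct parsed_labels pl;
	struct rule r;

	memset(&pl, 0, sizeof(pl));
	strcpy(pl.labels[0], "ssh");
	strcpy(pl.labels[1], "mgmt");
	strcpy(pl.labels[2], "audit");
	pl.count = 3;

	memset(&r, 0, sizeof(r));
	r.ridentifier = 0xCAFEBABEu;
	copy_labels(&r, &pl);

	return (r.ridentifier == 0xCAFEBABEu &&
	    strcmp(r.label[0], "ssh") == 0 &&
	    strcmp(r.label[1], "mgmt") == 0 &&
	    strcmp(r.label[2], "audit") == 0);
}
```

With these sizes the source is exactly sizeof(int) larger than the destination, which is the count being written over the neighbour; sizing the copy by the destination makes that impossible regardless of what is added to the helper later.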
470a2b33 | 18-Mar-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCSETSTATUSIF to netlink

While here also add a basic test case for it.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44368

706d465d | 26-Feb-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert kill/clear state to use netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44090

306d3fb2 | 01-Feb-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix incorrect array check

Reported by: Coverity Scan
CID: 1523771
Sponsored by: Rubicon Communications, LLC ("Netgate")

777a4702 | 12-Jan-2024 | Kristof Provost <kp@FreeBSD.org>
pf: implement addrule via netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

324fd7ec | 04-Jan-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: introduce a handle-enabled variant of pfctl_add_rule()

Introduce pfctl_add_rule_h(), which takes a pfctl_handle rather than a file descriptor (which it didn't use). This means that library users can open the handle while they're running as root, but later drop privileges and still add rules to pf.

Sponsored by: Rubicon Communications, LLC ("Netgate")

66cacc14 | 04-Jan-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: introduce pfctl_handle

Consumers of libpfctl can (and in future, should) open a handle. This handle is an opaque object which contains the /dev/pf file descriptor and a netlink handle. This means that libpfctl users can open the handle as root, then drop privileges and still access pf.

Already add the handle to pfctl_startstop() and pfctl_get_creatorids() as these are new in main, and not present on stable branches. Other calls will have handle-enabled alternatives implemented in subsequent commits.

Sponsored by: Rubicon Communications, LLC ("Netgate")

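The privilege-separation pattern behind pfctl_handle (66cacc14 and 324fd7ec), as an added C example that is not libpfctl code: the privileged open happens first, the process drops to an unprivileged account, and the descriptor opened as root keeps working because descriptors are not re-checked against credentials on later use. /dev/null stands in for /dev/pf, and uid/gid 65534 is the fallback for "nobody" when the password file lacks it; both are assumptions. When the process is not root the drop is skipped and only the descriptor's survival is checked. Clearing supplementary groups with setgroups(2) is omitted here and belongs in a real drop.

```c
#define _GNU_SOURCE 1		/* feature macro for the POSIX calls below */
#include <sys/types.h>
#include <fcntl.h>
#include <pwd.h>
#include <unistd.h>

/* Added example, not libpfctl: the handle wraps a descriptor opened
 * while the process was still privileged. */
struct handle {
	int fd;
};

/* Step 1: open the device before dropping privileges. */
static int
handle_open(struct handle *h, const char *path)
{
	h->fd = open(path, O_RDWR | O_CLOEXEC);
	return (h->fd < 0 ? -1 : 0);
}

/*
 * Step 2: become unprivileged. gid first, then uid, because once the
 * uid is non-zero setgid() is no longer permitted. Returns 0 on success,
 * 1 when there was nothing to drop (not root), -1 on failure.
 * Assumption: uid/gid 65534 when "nobody" is not in the password file.
 */
static int
drop_privileges(void)
{
	struct passwd *pw;
	uid_t uid = 65534;
	gid_t gid = 65534;

	if (geteuid() != 0)
		return (1);
	if ((pw = getpwnam("nobody")) != NULL) {
		uid = pw->pw_uid;
		gid = pw->pw_gid;
	}
	if (setgid(gid) != 0 || setuid(uid) != 0)
		return (-1);
	if (setuid(0) == 0)	/* the drop must not be reversible */
		return (-1);
	return (0);
}

/* Step 3: the descriptor opened as root is still valid afterwards. */
static int
handle_alive(const struct handle *h)
{
	return (fcntl(h->fd, F_GETFL) != -1);
}

/* Returns 1 if the descriptor survives the privilege drop, 0 otherwise. */
int
demo_open_then_drop(void)
{
	struct handle h;
	int alive;

	if (handle_open(&h, "/dev/null") != 0)
		return (0);
	if (drop_privileges() < 0) {
		close(h.fd);
		return (0);
	}
	alive = handle_alive(&h);
	close(h.fd);
	return (alive);
}
```

The order is the whole point: anything that needs root (opening /dev/pf, binding the netlink socket) goes before drop_privileges(), and everything that parses untrusted input or talks to the network goes after it, holding only the handle.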
881bf881 | 21-Dec-2023 | Kristof Provost <kp@FreeBSD.org>
pf: export missing state information

We did not export all of the information pfctl expected to print via the new netlink code. This manifested as pfctl printing 'rtableid: 0', even when there is no rtable set.

While we're addressing that also export other missing fields such as dummynet, min_ttl, max_mss, ..

Sponsored by: Rubicon Communications, LLC ("Netgate")

99bcbef2 | 11-Dec-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: remove stray debug printf()

Sponsored by: Rubicon Communications, LLC ("Netgate")

44f323ec | 24-Nov-2023 | Kristof Provost <kp@FreeBSD.org>
pf: implement DIOCGETRULES via netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

498934c5 | 17-Nov-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: handle pfctl_do_ioctl() failures better

Ensure that we free nvlists and other allocations if pfctl_do_ioctl() fails.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

33d55d0d | 17-Nov-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: handle allocation failure

While it's unlikely for userspace to fail to allocate memory it is still possible. Handle malloc() returning NULL.

Reported by: Bill Meeks <bill@themeeks.net>
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

a6173e94 | 06-Nov-2023 | Kristof Provost <kp@FreeBSD.org>
pf: expose more syncookie state information to userspace

Allow userspace to retrieve low and high water marks, as well as the current number of half open states.

MFC after: 1 week
Sponsored by: Modirum MDPay

497ccc21 | 06-Nov-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: handle the 'pfctl' netlink family not being supported

If we fail to find the pfctl family we should not attempt to make the call. That means that either pf is not loaded, or it's a very old (i.e. pre-netlink) version.

Reported by: manu
Sponsored by: Rubicon Communications, LLC ("Netgate")

2b1eb63f | 27-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: be more tolerant of kernel extensions

Allow the kernel to supply more array elements than expected, but cut off when we hit what we think the maximum is. This will improve forward compatibility (i.e. old userspace with newer kernel).

Reviewed by: zlei
MFC after: 1 week
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D42392

1c824f43 | 30-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: add missing pfctl_status_lcounter() function

We already had accessors for the other types of counters, but not this one.

MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")

4abc3b48 | 23-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix Coverity issues

- handle snl_finalize_msg() returning NULL
- insert the correct data into the states list
- add missing nvlist_destroy()
- incorrect order for array bounds

Coverity: 1522929, 1522925, 1522923, 1522921, 1522780, 1522770, 1522764, 1487785, 1471250
Reviewed by: emaste
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42330

2cffb525 | 23-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix pfctl_do_ioctl()

pfctl_do_ioctl() copies the packed request data into the request buffer and then frees it. However, it's possible for the buffer to be too small for the reply, causing us to allocate a new buffer. We then copied from the freed request, and freed it again.

Do not free the request buffer until we're all the way done.

PR: 274614
Reviewed by: emaste
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42329

4f337550 | 19-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: allow states to be killed by their pre-NAT address

If a connection is NAT-ed we could previously only terminate it by its ID or the post-NAT IP address. Allow users to specify they want to look for the state by its pre-NAT address.

Usage: `pfctl -k nat -k <address>`.

See also: https://redmine.pfsense.org/issues/11556
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42312

044eef6a | 16-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: support basic filters for state listing

Allow users(pace) to specify a protocol, interface, address family and/or address and mask, allowing the state listing to be pre-filtered in the kernel.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42280

ffbf2595 | 14-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: convert rule addition to netlink

The nvlist-based version will be removed in FreeBSD 16.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42279

4f8f43b0 | 16-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
netlink: cope with growing requests

If a request ends up growing beyond the initially allocated space the netlink functions (such as snl_add_msg_attr_u32()) will allocate a new buffer. This invalidates the header pointer we can have received from snl_create_msg_request(). Always use the hdr returned by snl_finalize_msg().

Reviewed by: melifaro
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42223

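The stale-pointer hazard fixed in 4f8f43b0, as an added C illustration that does not use the FreeBSD snl(3) API: a minimal message builder whose buffer is reallocated once attributes no longer fit, so a header pointer taken at creation can end up pointing into freed memory. The msg_* names, the 8-byte header, the 6-byte attribute encoding and the 64-byte initial buffer are invented for the example. The lesson is the one the commit states: read the header through the pointer finalize() returns, never through the one obtained before the attributes were added.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Invented wire header: total length, type, flags (8 bytes). */
struct msg_hdr {
	uint32_t len;
	uint16_t type;
	uint16_t flags;
};

struct msg_writer {
	unsigned char *buf;
	size_t cap;
	size_t used;
	int reallocs;	/* how many times the buffer had to grow */
};

/* Like a create_request(): allocates the buffer and writes the header. */
static int
msg_init(struct msg_writer *w, uint16_t type)
{
	struct msg_hdr *h;

	w->cap = 64;	/* assumed initial size */
	w->used = 0;
	w->reallocs = 0;
	if ((w->buf = malloc(w->cap)) == NULL)
		return (-1);
	h = (struct msg_hdr *)w->buf;
	h->len = sizeof(*h);
	h->type = type;
	h->flags = 0;
	w->used = sizeof(*h);
	return (0);
}

/* Like an add_attr_u32(): 2-byte attribute type + 4-byte value; grows
 * the buffer when needed, which may move it. */
static int
msg_add_u32(struct msg_writer *w, uint16_t attr, uint32_t v)
{
	size_t need = w->used + sizeof(attr) + sizeof(v);
	unsigned char *nb;

	if (need > w->cap) {
		while (w->cap < need)
			w->cap *= 2;
		if ((nb = realloc(w->buf, w->cap)) == NULL)
			return (-1);
		w->buf = nb;	/* every earlier pointer into buf is now stale */
		w->reallocs++;
	}
	memcpy(w->buf + w->used, &attr, sizeof(attr));
	w->used += sizeof(attr);
	memcpy(w->buf + w->used, &v, sizeof(v));
	w->used += sizeof(v);
	return (0);
}

/* Like finalize(): fixes up the length and returns the header at its
 * current address. This is the pointer callers must use. */
static struct msg_hdr *
msg_finalize(struct msg_writer *w)
{
	struct msg_hdr *h = (struct msg_hdr *)w->buf;

	h->len = (uint32_t)w->used;
	return (h);
}

/*
 * Build a message with n u32 attributes. Reports the finalized length,
 * how often the buffer grew, and whether the header moved away from the
 * address captured at creation (if 1, the early pointer is dangling).
 * Returns 0 on success, -1 on allocation failure.
 */
int
build_msg(int n, uint32_t *final_len, int *reallocs, int *moved)
{
	struct msg_writer w;
	struct msg_hdr *final;
	uintptr_t early;
	int i;

	if (msg_init(&w, 1) != 0)
		return (-1);
	early = (uintptr_t)w.buf;	/* the tempting shortcut */
	for (i = 0; i < n; i++) {
		if (msg_add_u32(&w, (uint16_t)i, (uint32_t)i * 7) != 0) {
			free(w.buf);
			return (-1);
		}
	}
	final = msg_finalize(&w);
	*final_len = final->len;	/* correct: read via the returned pointer */
	*reallocs = w.reallocs;
	*moved = ((uintptr_t)final != early);
	free(w.buf);
	return (0);
}
```

Whether the buffer actually moves depends on the allocator, which is exactly why the bug is intermittent: a test with five attributes never reallocates, ten attributes reallocate once, and only a large or unlucky request turns the early header pointer into a use-after-free.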
81647eb6 | 10-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: implement start/stop calls via netlink

Implement equivalents to DIOCSTART and DIOCSTOP in netlink. Provide a libpfctl implementation and add a basic test case, mostly to verify that we still return the same errors as before the conversion.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42145

a7191e5d | 03-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: add a way to list creator ids

Allow userspace to retrieve a list of distinct creator ids for the current states.

This is used by pfSense, and used to require dumping all states to userspace. It's rather inefficient to export a (potentially extremely large) state table to obtain a handful (typically 2) of 32-bit integers.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42092

f218b851 | 02-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: introduce state iterator

Allow consumers to start processing states as the kernel supplies them, rather than having to build a full list and only then start processing.

Especially for very large state tables this can significantly reduce memory use.

Without this change when retrieving 1M states time -l reports:

    real 3.55
    user 1.95
    sys 1.05
    318832 maximum resident set size
    194 average shared memory size
    15 average unshared data size
    127 average unshared stack size
    79041 page reclaims
    0 page faults
    0 swaps
    0 block input operations
    0 block output operations
    15096 messages sent
    250001 messages received
    0 signals received
    22 voluntary context switches
    34 involuntary context switches

With it it reported:

    real 3.32
    user 1.88
    sys 0.86
    3220 maximum resident set size
    195 average shared memory size
    11 average unshared data size
    128 average unshared stack size
    260 page reclaims
    0 page faults
    0 swaps
    0 block input operations
    0 block output operations
    15096 messages sent
    250001 messages received
    0 signals received
    21 voluntary context switches
    31 involuntary context switches

Reviewed by: mjg
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42091

2cef6288 | 14-Sep-2023 | Alexander V. Chernikov <melifaro@FreeBSD.org>
pf: convert state retrieval to netlink

Use netlink to export pf's state table.

The primary motivation is to improve how we deal with very large state tables. With the previous implementation we had to build the entire list (both in the kernel and in userspace) before we could start processing. With netlink we start to get data in userspace while the kernel is still generating more. This reduces peak memory consumption (which can get to the GB range once we hit millions of states).

Netlink also makes future extension easier, in that we can easily add fields to the state export without breaking userspace. In that regard it's similar to an nvlist-based approach, except that it also deals with transport to userspace and that it performs significantly better than nvlists.

Testing has failed to measure a performance difference between the previous struct-copy based ioctl and the netlink approach.

Differential Revision: https://reviews.freebsd.org/D38888

e3d3d61a | 29-Aug-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: implement status counter accessor functions

The new nvlist-based status call allows us to easily add new counters. However, the libpfctl interface defines a TAILQ, so it's not quite trivial to find the counter consumers are interested in. Provide convenience functions to access the counters.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D41649

0b01878f | 29-Aug-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: allow pfctl_free_status(NULL)

Mimic free() and friends, and allow free()ing of NULL.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D41648

b3e76948 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>
Remove $FreeBSD$: two-line .h pattern

Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/

6422599e | 26-Jul-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: ensure the initial allocation is large enough

Ensure that we allocate enough memory for the packed nvlist, no matter what size hint was provided.

MFC after: 1 week
Reported by: R. Christian McDonald <rcm@rcm.sh>
Sponsored by: Rubicon Communications, LLC ("Netgate")

c45d6b0e | 29-May-2023 | Kajetan Staszkiewicz <vegeta@tuxpowered.net>
pfctl: Add missing state parameters in DIOCGETSTATESV2

Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D40259

ef661d4a | 24-Apr-2023 | Christian McDonald <cmcdonald@netgate.com>
pf: introduce ridentifier and labels to ether rules

Make Ethernet rules more similar to the usual layer 3 rules by also allowing ridentifier and labels to be set on them.

Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")

39282ef3 | 13-Apr-2023 | Kajetan Staszkiewicz <vegeta@tuxpowered.net>
pf: backport OpenBSD syntax of "scrub" option for "match" and "pass" rules

Introduce the OpenBSD syntax of "scrub" option for "match" and "pass" rules and the "set reassemble" flag. The patch is backward-compatible, pf.conf can be still written in FreeBSD-style.

Obtained from: OpenBSD
MFC after: never
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D38025

48c519be | 22-Mar-2023 | John Baldwin <jhb@FreeBSD.org>
libpfctl: Don't pass stack garbage to free.

GCC 9 on stable/12 reports a -Wmaybe-uninitialized error for the call to free in _pfctl_clear_states.

Reviewed by: mjg
Differential Revision: https://reviews.freebsd.org/D39198

8a8af942 | 22-Sep-2022 | Kristof Provost <kp@FreeBSD.org>
pf: bridge-to

Allow pf (l2) to be used to redirect ethernet packets to a different interface. The intended use case is to send 802.1x challenges out to a side interface, to enable AT&T links to function with pfSense as a gateway, rather than the AT&T provided hardware.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D37193

444a77ca | 24-Sep-2022 | Kristof Provost <kp@FreeBSD.org>
pf: expose syncookie active/inactive status

When syncookies are in adaptive mode they may be active or inactive. Expose this status to users.

Suggested by: Guido van Rooij
Sponsored by: Rubicon Communications, LLC ("Netgate")

6049ee60 | 08-Sep-2022 | Kristof Provost <kp@FreeBSD.org>
libpfctl: improve syncookie watermark calculation

Ensure that we always pass sane limits for the high and low watermark values. This is especially important if users do something silly, like set the state limit to 1. In that case we wound up calculating 0/0 as a limit, which gets rejected by the kernel.

While here also shift the calculation to use uint64_t, so we don't end up with overflows (and subsequently higher low than high values) with very large state limits.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D36497

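The two failure modes named in 6049ee60, as an added C illustration that is not libpfctl code: computing a percentage of the state limit in 32-bit arithmetic wraps for large limits (so the low watermark can land above the high one), and a limit of 1 yields a 0/0 pair. The percentages (25% high, 12% low), the clamping rule (high at least 1, low strictly below high, both at most the limit) and the sanity predicate are assumptions for the example; they stand in for, and do not reproduce, the kernel's own validation.

```c
#include <stdint.h>

struct watermarks {
	uint32_t high;
	uint32_t low;
};

/* Buggy variant: 32-bit intermediate, no sanity check. */
struct watermarks
watermarks_u32(uint32_t limit, uint32_t highpct, uint32_t lowpct)
{
	struct watermarks w;

	w.high = limit * highpct / 100;	/* limit*pct wraps at 2^32 */
	w.low = limit * lowpct / 100;
	return (w);
}

/* Fixed variant: 64-bit intermediate, then clamp to an acceptable pair. */
struct watermarks
watermarks_u64(uint32_t limit, uint32_t highpct, uint32_t lowpct)
{
	struct watermarks w;
	uint64_t hi, lo;

	hi = (uint64_t)limit * highpct / 100;
	lo = (uint64_t)limit * lowpct / 100;

	if (hi == 0)		/* a limit of 1 gives 0/0 otherwise */
		hi = 1;
	if (hi > limit)		/* cannot exceed the table itself */
		hi = limit;
	if (lo >= hi)		/* keep low strictly below high */
		lo = hi - 1;

	w.high = (uint32_t)hi;
	w.low = (uint32_t)lo;
	return (w);
}

/* Assumed acceptance rule: 1 if a kernel could take this pair, else 0. */
int
watermarks_sane(struct watermarks w, uint32_t limit)
{
	return (w.high >= 1 && w.low < w.high && w.high <= limit);
}
```

With a 200,000,000-state limit the 32-bit product 200,000,000 * 25 wraps to 705,032,704, giving a high watermark of 7,050,327 below a low watermark of 24,000,000; the 64-bit version yields 50,000,000 and 24,000,000. With a limit of 1 the 32-bit version yields 0/0 and the clamped version 1/0.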
1f61367f | 31-May-2022 | Kristof Provost <kp@FreeBSD.org>
pf: support matching on tags for Ethernet rules

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35362

0abcc1d2 | 22-Apr-2022 | Reid Linnemann <rlinnemann@netgate.com>
pf: Add per-rule timestamps for rule and eth_rule

Similar to ipfw rule timestamps, these timestamps internally are uint32_t snaps of the system time in seconds. The timestamp is CPU local and updated each time a rule or a state associated with a rule or state is matched.

Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34970

7ed19f5c | 14-Apr-2022 | Kristof Provost <kp@FreeBSD.org>
libpfctl: grow request buffer on ENOSPC

When we issue a request to pf and expect a serialised nvlist as a reply we have to supply a suitable buffer to the kernel. The required size for this buffer is difficult to predict, and may be (slightly) different from request to request. If it's insufficient the kernel will return ENOSPC.

Teach libpfctl to catch this and send the request again with a larger buffer.

MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34908

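The retry-on-ENOSPC loop of 7ed19f5c, with the two later fixes to it folded in (6422599e: never allocate less than the packed request needs, whatever the size hint; 2cffb525: keep the packed request alive until the last attempt and free the buffer exactly once), as one added C example that is not libpfctl code. fake_ioctl() stands in for the kernel: it needs a caller-supplied buffer for the serialised reply and reports ENOSPC, with the size it wanted, when the buffer is too small. The request bytes, the 200-byte reply and the 0xA5 fill are constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define REPLY_LEN 200		/* size of the constructed "kernel" reply */

struct fake_req {
	void	*data;		/* request on entry, reply on return */
	size_t	 len;		/* capacity in; on ENOSPC, the size needed */
};

/* Kernel stand-in: consumes the request, writes the reply in place. */
static int
fake_ioctl(struct fake_req *req)
{
	if (req->len < REPLY_LEN) {
		req->len = REPLY_LEN;	/* tell userspace what it needs */
		return (ENOSPC);
	}
	memset(req->data, 0xA5, REPLY_LEN);
	req->len = REPLY_LEN;
	return (0);
}

/*
 * Send a packed request; grow the buffer and retry on ENOSPC. The caller's
 * packed request is read again on every attempt, so it must stay valid;
 * only the reply buffer is reallocated. On success *reply/*replylen hold
 * the answer and the caller owns *reply. Returns 0 or an errno value.
 */
int
do_ioctl_grow(const void *packed, size_t packedlen, size_t hint,
    void **reply, size_t *replylen, int *attempts)
{
	struct fake_req req;
	void *buf, *nbuf;
	size_t buflen;
	int ret;

	*attempts = 0;
	/* The hint is advisory: the buffer must at least fit the request. */
	buflen = hint > packedlen ? hint : packedlen;
	if ((buf = malloc(buflen)) == NULL)
		return (ENOMEM);

	for (;;) {
		memcpy(buf, packed, packedlen);	/* source still valid */
		req.data = buf;
		req.len = buflen;
		(*attempts)++;

		ret = fake_ioctl(&req);
		if (ret == 0)
			break;
		if (ret != ENOSPC) {
			free(buf);
			return (ret);
		}
		/* Too small: grow to what the kernel asked for and retry. */
		buflen = req.len;
		if ((nbuf = realloc(buf, buflen)) == NULL) {
			free(buf);	/* the one and only free on this path */
			return (ENOMEM);
		}
		buf = nbuf;
	}
	*reply = buf;
	*replylen = req.len;
	return (0);
}

/* Driver: a 40-byte constructed request with a deliberately small hint.
 * Returns the number of attempts, or -1 on error. */
int
demo_grow(void)
{
	unsigned char packed[40];
	void *reply;
	size_t replylen;
	int attempts, ret;

	memset(packed, 0x11, sizeof(packed));
	ret = do_ioctl_grow(packed, sizeof(packed), 64, &reply, &replylen,
	    &attempts);
	if (ret != 0 || replylen != REPLY_LEN)
		return (-1);
	free(reply);		/* freed once, after the last use */
	return (attempts);	/* 2: first call ENOSPC, second succeeds */
}
```

The ownership rule that 2cffb525 restores is visible in the loop: the packed request is never freed by this function at all, and the reply buffer has exactly one owner at every point, so neither a copy from freed memory nor a second free is possible.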
4823489a | 04-Apr-2022 | Reid Linnemann <rlinnemann@netgate.com>
libpfctl: relocate implementations of pfr_add/get/set_addrs

Reviewed by: kp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D34740

c4a08ef2 | 01-Apr-2022 | Mateusz Guzik <mjg@FreeBSD.org>
pf: handle duplicate rules gracefully

Reviewed by: kp
Reported by: dch
PR: 262971
Sponsored by: Rubicon Communications, LLC ("Netgate")

514039bb | 29-Mar-2022 | Kristof Provost <kp@FreeBSD.org>
libpfctl: Return errno from pfctl_add_eth_rule()

If the pfctl_add_eth_rule() ioctl fails return the errno, not the error returned by ioctl(). That will give us slightly more insight into what went wrong, because ioctl() would always return -1.

Sponsored by: Rubicon Communications, LLC ("Netgate")

9bb06778 | 29-Mar-2022 | Kristof Provost <kp@FreeBSD.org>
pf: support listing ethernet anchors

Sponsored by: Rubicon Communications, LLC ("Netgate")

8a42005d | 08-Mar-2022 | Kristof Provost <kp@FreeBSD.org>
pf: support basic L3 filtering in the Ethernet rules

Allow filtering based on the source or destination IP/IPv6 address in the Ethernet layer rules.

Reviewed by: pauamma_gundo.com (man), debdrup (man)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34482

8c1400b0 | 04-Mar-2022 | Kristof Provost <kp@FreeBSD.org>
libpfctl: factor out pfctl_get_rules_info()

Introduce pfctl_get_rules_info(), similar to pfctl_get_eth_rules_info() to retrieve rules information (ticket and total number of rules). Use the new function in pfctl.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34443

f0c334e4 | 04-Mar-2022 | Kristof Provost <kp@FreeBSD.org>
libpfctl: support flushing rules/nat/eth

Move the code to flush regular rules, nat rules and Ethernet rules into libpfctl for easier re-use.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34442

b590f17a | 20-Jan-2022 | Kristof Provost <kp@FreeBSD.org>
pf: support masking mac addresses

When filtering Ethernet packets allow rules to specify a mac address with a mask. This indicates which bits of the specified address are significant. This allows users to do things like filter based on device manufacturer.

Sponsored by: Rubicon Communications, LLC ("Netgate")

c5131afe | 01-Oct-2021 | Kristof Provost <kp@FreeBSD.org>
pf: add anchor support for ether rules

Support anchors in ether rules.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32482

fb330f39 | 27-Sep-2021 | Kristof Provost <kp@FreeBSD.org>
pf: support dummynet on L2 rules

Allow packets to be tagged with dummynet information. Note that we do not apply dummynet shaping on the L2 traffic, but instead mark it for dummynet processing in the L3 code. This is the same approach as we take for ALTQ.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32222

c696d5c7 | 17-Feb-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Don't print (ether) to / from if they're not set

If we're not filtering on a specific MAC address don't print it at all, rather than showing an all-zero address.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31749

2b29ceb8 | 04-Feb-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Print Ethernet rules

Extend pfctl to be able to read configured Ethernet filtering rules from the kernel and print them.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31738

6f47a72d | 31-Jan-2022 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix pfctl_kill_states()

735748f30a changed the output of the states so that the creator id endianness would be consistent. This means that we need to convert the host endianness creatorid back to big-endian before we give it to the kernel.

MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")

735748f3 | 21-Jan-2022 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix creatorid endianness

We provide the hostid (which is the state creatorid) to the kernel as a big endian number (see pfctl/pfctl.c pfctl_set_hostid()), so convert it back to system endianness when we get it from the kernel. This avoids a confusing mismatch between the value the user configures and the value displayed in the state.

MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33989

2de49dee | 08-Nov-2021 | Kristof Provost <kp@FreeBSD.org>
pf tests: Test PR259689

We didn't populate dyncnt/tblcnt, so `pfctl -sr -vv` might not have the table element count.

PR: 259689
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32893

218a8a49 | 08-Nov-2021 | Kristof Provost <kp@FreeBSD.org>
pf: ensure we populate dyncnt/tblcnt in struct pf_addr_wrap

PR: 259689
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32892

7bb3c927 | 05-Nov-2021 | Kristof Provost <kp@FreeBSD.org>
libpfctl: be consistent with u_int vs. uint

Always use uint64_t over u_int64_t, for the sake of consistency.

No functional change.

MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")

76c5eecc | 29-Oct-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Introduce ridentifier

Allow users to set a number on rules which will be exposed as part of the pflog header. The intent behind this is to allow users to correlate rules across updates (remember that pf rules continue to exist and match existing states, even if they're removed from the active ruleset) and pflog.

Obtained from: pfSense
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32750

5062afff | 13-Aug-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: userspace adaptive syncookies configuration

Hook up the userspace bits to configure syncookies in adaptive mode.

MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D32136

63b3c1c7 | 15-May-2021 | Kristof Provost <kp@FreeBSD.org>
pf: support dummynet

Allow pf to use dummynet pipes and queues.

We re-use the currently unused IPFW_IS_DUMMYNET flag to allow dummynet to tell us that a packet is being re-injected after being delayed. This is needed to avoid endlessly looping the packet between pf and dummynet.

MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31904

46fb68b1 | 26-Aug-2021 | Kristof Provost <kp@FreeBSD.org>
libpfctl: Implement DIOCGETSTATUS wrappers

MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31696

b0ccc2e2 | 22-Aug-2021 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix double free

Reviewed by: donner
MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31695

719b5397 | 20-Aug-2021 | Kristof Provost <kp@FreeBSD.org>
libpfctl: Fix endianness issues

Several fields are supplied in big-endian format, so we need to convert them before we display them.

MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")

c69121c4 | 26-May-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: syncookie configuration

pfctl and libpfctl code required to enable/disable the syncookie feature.

MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31140

be70c7a5 | 06-Jul-2021 | Kristof Provost <kp@FreeBSD.org>
libpfctl: migrate to DIOCGETSTATESV2

Stop using the *NV version to retrieve states, as its performance is unacceptably bad. For 1,000,000 states the nvlist version needed ~100 seconds to retrieve the states, the new version needs ~3 seconds.

Reviewed by: mjg
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31098

0e9f1892 | 30-Jun-2021 | Kristof Provost <kp@FreeBSD.org>
libpfctl: memory leak fix

We must remember to free the nvlist we create from the kernel's response to DIOCGETSTATESNV, on every iteration.

Reviewed by: donner
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30957

34285eef | 29-Jun-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Reduce the data returned in DIOCGETSTATESNV

This call is particularly slow due to the large amount of data it returns. Remove all fields pfctl does not use. There is no functional impact to pfctl, but it somewhat speeds up the call.

It might affect other (i.e. non-FreeBSD) code that uses the new interface, but this call is very new, so there's unlikely to be any. No releases contained the previous version, so we choose to live with the ABI modification.

Reviewed by: donner
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30944

27c77f42 | 27-May-2021 | Kristof Provost <kp@FreeBSD.org>
libpfctl: Improve error handling in pfctl_get_states()

Ensure that we always free nvlists and other allocated memory.

Reviewed by: scottl
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30493

6dbb729d | 27-May-2021 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix memory leak

When we create an nvlist and insert it into another nvlist we must remember to destroy it. The nvlist_add_nvlist() function makes a copy, just like nvlist_add_string() makes a copy of the string.

See also 4483fb47735c29408c72045469c9c4b3e549668b

Reviewed by: scottl
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30492

d0fdf2b2 | 12-May-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Track the original kif for floating states

Track (and display) the interface that created a state, even if it's a floating state (and thus uses virtual interface 'all').

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30245

bc941291 | 10-May-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Use DIOCGETSTATESNV

Migrate to using the new nvlist-based DIOCGETSTATESNV call to obtain the states list.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30244

93abcf17 | 03-May-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Support killing 'matching' states

Optionally also kill states that match (i.e. are the NATed state or opposite direction state entry for) the state we're killing.

See also https://redmine.pfsense.org/issues/8555

Submitted by: Steven Brown
Reviewed by: bcr (man page)
Obtained from: https://github.com/pfsense/FreeBSD-src/pull/11/
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30092

abbcba9c | 30-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Allow states to be killed per 'gateway'

This allows us to kill states created from a rule with route-to/reply-to set. This is particularly useful in multi-wan setups, where one of the WAN links goes down.

Submitted by: Steven Brown
Obtained from: https://github.com/pfsense/FreeBSD-src/pull/11/
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30058

2a00c4db | 29-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Start using DIOCKILLSTATESNV

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30055

53714a58 | 29-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Start using DIOCCLRSTATESNV

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30053

402dfb0a | 24-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Fix parsing of long table names

When parsing the nvlist for a struct pf_addr_wrap we unconditionally tried to parse "ifname". This broke for PF_ADDR_TABLE when the table name was longer than IFNAMSIZ. PF_TABLE_NAME_SIZE is longer than IFNAMSIZ, so this is a valid configuration.

Only parse (or return) ifname or tblname for the corresponding pf_addr_wrap type.

This manifested as a failure to set rules such as these, where the pfctl optimiser generated an automatic table:

    pass in proto tcp to 192.168.0.1 port ssh
    pass in proto tcp to 192.168.0.2 port ssh
    pass in proto tcp to 192.168.0.3 port ssh
    pass in proto tcp to 192.168.0.4 port ssh
    pass in proto tcp to 192.168.0.5 port ssh
    pass in proto tcp to 192.168.0.6 port ssh
    pass in proto tcp to 192.168.0.7 port ssh

Reported by: Florian Smeets
Tested by: Florian Smeets
Reviewed by: donner
X-MFC-With: 5c11c5a3655842a176124ef2334fcdf830422c8a
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29962

6fcc8e04 | 20-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Allow multiple labels to be set on a rule

Allow up to 5 labels to be set on each rule. This offers more flexibility in using labels. For example, it replaces the custom 'schedule' keyword used by pfSense to terminate states according to a schedule.

Reviewed by: glebius
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29936

42ec75f8 | 15-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Optionally attempt to preserve rule counter values across ruleset updates

Usually rule counters are reset to zero on every update of the ruleset. With keepcounters set pf will attempt to find matching rules between old and new rulesets and preserve the rule counters.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29780

4eabfe46 | 12-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Fix clearing rules counters

After the migration to libpfctl for rule retrieval we accidentally lost support for clearing the rules counters. Introduce a get_clear variant of pfctl_get_rule() which allows rules counters to be cleared.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29727

2aa21096 | 13-Apr-2021 | Kurosawa Takahiro <takahiro.kurosawa@gmail.com>
pf: Implement the NAT source port selection of MAP-E Customer Edge

MAP-E (RFC 7597) requires special care for selecting source ports in NAT operation on the Customer Edge because a part of bits of the port numbers are used by the Border Relay to distinguish another side of the IPv4-over-IPv6 tunnel.

PR: 254577
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D29468

600bd6ce | 12-Apr-2021 | Kurosawa Takahiro <takahiro.kurosawa@gmail.com>
pfctl, libpfctl: introduce pfctl_pool

Introduce pfctl_pool to be able to extend the pool part of the pf rule without breaking the ABI.

Reviewed by: kp
MFC after: 4 weeks
Differential Revision: https://reviews.freebsd.org/D29721

ab5707a5 | 08-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
libpfctl: Fix u_* counters

struct pf_rule had a few counter_u64_t counters. Those couldn't be usefully communicated with userspace, so the fields were doubled up in uint64_t u_* versions. Now that we use struct pfctl_rule (i.e. a fully userspace version) we can safely change the structure and remove this wart.

Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29645

e9eb0941 | 08-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
libpfctl: Switch to pfctl_rule

Stop using the kernel's struct pf_rule, switch to libpfctl's pfctl_rule. Now that we use nvlists to communicate with the kernel these structures can be fully decoupled.

Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29644

0d71f9f3 | 26-Mar-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Move ioctl abstraction functions into libpfctl

Introduce a library to wrap the pf ioctl interface.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29562