cd2054d4 | 24-May-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: add pfctl_get_rule_h()

Add a handle variant of pfctl_get_rule(). This converts us from using the nvlist variant to the netlink variant, and also moves us closer to a world where all libpfctl functions take the handle.

While here have pfctl use the new function.

Sponsored by: Rubicon Communications, LLC ("Netgate")

f1612e70 | 09-May-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix file descriptor leak

pfctl_get_rules_info() opened a netlink socket, but failed to close it again. Fix this by factoring out the netlink-based function into a _h variant that takes struct pfctl_handle, and implement pfctl_get_rules_info() based on that, remembering to close the fd.

While here migrate all in-tree consumers to the _h variant.

MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")

5824df8d | 23-Mar-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCGETSTATUS to netlink

Introduce pfctl_get_status_h() because we need the pfctl_handle. In this variant use netlink to obtain the information.

Sponsored by: Rubicon Communications, LLC ("Netgate")

044243fc | 24-Apr-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: allow access to the fd

pfctl_open() opens both /dev/pf and a netlink socket. Allow access to the /dev/pf fd via pfctl_fd(). This means that libpfctl users no longer have to open /dev/pf themselves for any calls that are not yet available in libpfctl.

Sponsored by: Rubicon Communications, LLC ("Netgate")
MFC after: 2 weeks

a3f71765 | 26-Apr-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix incorrect pcounters array size

The array is 2 x 2 x 2, not 2 x 2 x 3.

Sponsored by: Rubicon Communications, LLC ("Netgate")
MFC after: 2 weeks

470a2b33 | 18-Mar-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCSETSTATUSIF to netlink

While here also add a basic test case for it.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44368

706d465d | 26-Feb-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert kill/clear state to use netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44090

777a4702 | 12-Jan-2024 | Kristof Provost <kp@FreeBSD.org>
pf: implement addrule via netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

324fd7ec | 04-Jan-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: introduce a handle-enabled variant of pfctl_add_rule()

Introduce pfctl_add_rule_h(), which takes a pfctl_handle rather than a file descriptor (which it didn't use). This means that library users can open the handle while they're running as root, but later drop privileges and still add rules to pf.

Sponsored by: Rubicon Communications, LLC ("Netgate")

66cacc14 | 04-Jan-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: introduce pfctl_handle

Consumers of libpfctl can (and in future, should) open a handle. This handle is an opaque object which contains the /dev/pf file descriptor and a netlink handle. This means that libpfctl users can open the handle as root, then drop privileges and still access pf.

Already add the handle to pfctl_startstop() and pfctl_get_creatorids() as these are new in main, and not present on stable branches. Other calls will have handle-enabled alternatives implemented in subsequent commits.

Sponsored by: Rubicon Communications, LLC ("Netgate")

a6173e94 | 06-Nov-2023 | Kristof Provost <kp@FreeBSD.org>
pf: expose more syncookie state information to userspace

Allow userspace to retrieve low and high water marks, as well as the current number of half open states.

MFC after: 1 week
Sponsored by: Modirum MDPay

87c50323 | 30-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: remove unused field from struct pfctl_states

We never populate this, or use it, so remove it.

MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")

1c824f43 | 30-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: add missing pfctl_status_lcounter() function

We already had accessors for the other types of counters, but not this one.

MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")

4f337550 | 19-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: allow states to be killed by their pre-NAT address

If a connection is NAT-ed we could previously only terminate it by its ID or the post-NAT IP address. Allow users to specify they want to look for the state by its pre-NAT address.

Usage: `pfctl -k nat -k <address>`.

See also: https://redmine.pfsense.org/issues/11556
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42312

044eef6a | 16-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: support basic filters for state listing

Allow userspace to specify a protocol, interface, address family and/or address and mask, allowing the state listing to be pre-filtered in the kernel.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42280

81647eb6 | 10-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: implement start/stop calls via netlink

Implement equivalents to DIOCSTART and DIOCSTOP in netlink. Provide a libpfctl implementation and add a basic test case, mostly to verify that we still return the same errors as before the conversion.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42145

a7191e5d | 03-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: add a way to list creator ids

Allow userspace to retrieve a list of distinct creator ids for the current states. This is used by pfSense, and used to require dumping all states to userspace. It's rather inefficient to export a (potentially extremely large) state table to obtain a handful (typically 2) of 32-bit integers.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42092

f218b851 | 02-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: introduce state iterator

Allow consumers to start processing states as the kernel supplies them, rather than having to build a full list and only then start processing. Especially for very large state tables this can significantly reduce memory use.

Without this change when retrieving 1M states time -l reports:

real 3.55
user 1.95
sys 1.05
318832  maximum resident set size
194  average shared memory size
15  average unshared data size
127  average unshared stack size
79041  page reclaims
0  page faults
0  swaps
0  block input operations
0  block output operations
15096  messages sent
250001  messages received
0  signals received
22  voluntary context switches
34  involuntary context switches

With it it reported:

real 3.32
user 1.88
sys 0.86
3220  maximum resident set size
195  average shared memory size
11  average unshared data size
128  average unshared stack size
260  page reclaims
0  page faults
0  swaps
0  block input operations
0  block output operations
15096  messages sent
250001  messages received
0  signals received
21  voluntary context switches
31  involuntary context switches

Reviewed by: mjg
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42091

e3d3d61a | 29-Aug-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: implement status counter accessor functions

The new nvlist-based status call allows us to easily add new counters. However, the libpfctl interface defines a TAILQ, so it's not quite trivial to find the counter consumers are interested in. Provide convenience functions to access the counters.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D41649

b3e76948 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>
Remove $FreeBSD$: two-line .h pattern

Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/

c45d6b0e | 29-May-2023 | Kajetan Staszkiewicz <vegeta@tuxpowered.net>
pfctl: Add missing state parameters in DIOCGETSTATESV2

Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D40259

ef661d4a | 24-Apr-2023 | Christian McDonald <cmcdonald@netgate.com>
pf: introduce ridentifier and labels to ether rules

Make Ethernet rules more similar to the usual layer 3 rules by also allowing ridentifier and labels to be set on them.

Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")

39282ef3 | 13-Apr-2023 | Kajetan Staszkiewicz <vegeta@tuxpowered.net>
pf: backport OpenBSD syntax of "scrub" option for "match" and "pass" rules

Introduce the OpenBSD syntax of "scrub" option for "match" and "pass" rules and the "set reassemble" flag. The patch is backward-compatible, pf.conf can be still written in FreeBSD-style.

Obtained from: OpenBSD
MFC after: never
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D38025

8a8af942 | 22-Sep-2022 | Kristof Provost <kp@FreeBSD.org>
pf: bridge-to

Allow pf (l2) to be used to redirect ethernet packets to a different interface. The intended use case is to send 802.1x challenges out to a side interface, to enable AT&T links to function with pfSense as a gateway, rather than the AT&T provided hardware.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D37193

444a77ca | 24-Sep-2022 | Kristof Provost <kp@FreeBSD.org>
pf: expose syncookie active/inactive status

When syncookies are in adaptive mode they may be active or inactive. Expose this status to users.

Suggested by: Guido van Rooij
Sponsored by: Rubicon Communications, LLC ("Netgate")

1d090028 | 29-Sep-2022 | Kristof Provost <kp@FreeBSD.org>
pf: use time_t for timestamps

Use time_t rather than uint32_t to represent the timestamps. That means we have 64 bits rather than 32 on all platforms except i386, avoiding the Y2K38 issues on most platforms.

Reviewed by: Zhenlei Huang
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D36837

1f61367f | 31-May-2022 | Kristof Provost <kp@FreeBSD.org>
pf: support matching on tags for Ethernet rules

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35362

0abcc1d2 | 22-Apr-2022 | Reid Linnemann <rlinnemann@netgate.com>
pf: Add per-rule timestamps for rule and eth_rule

Similar to ipfw rule timestamps, these timestamps internally are uint32_t snaps of the system time in seconds. The timestamp is CPU local and updated each time a rule or a state associated with a rule or state is matched.

Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34970

4823489a | 04-Apr-2022 | Reid Linnemann <rlinnemann@netgate.com>
libpfctl: relocate implementations of pfr_add/get/set_addrs

Reviewed by: kp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D34740

9bb06778 | 29-Mar-2022 | Kristof Provost <kp@FreeBSD.org>
pf: support listing ethernet anchors

Sponsored by: Rubicon Communications, LLC ("Netgate")

8a42005d | 08-Mar-2022 | Kristof Provost <kp@FreeBSD.org>
pf: support basic L3 filtering in the Ethernet rules

Allow filtering based on the source or destination IP/IPv6 address in the Ethernet layer rules.

Reviewed by: pauamma_gundo.com (man), debdrup (man)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34482

8c1400b0 | 04-Mar-2022 | Kristof Provost <kp@FreeBSD.org>
libpfctl: factor out pfctl_get_rules_info()

Introduce pfctl_get_rules_info(), similar to pfctl_get_eth_rules_info() to retrieve rules information (ticket and total number of rules). Use the new function in pfctl.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34443

f0c334e4 | 04-Mar-2022 | Kristof Provost <kp@FreeBSD.org>
libpfctl: support flushing rules/nat/eth

Move the code to flush regular rules, nat rules and Ethernet rules into libpfctl for easier re-use.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34442

b590f17a | 20-Jan-2022 | Kristof Provost <kp@FreeBSD.org>
pf: support masking mac addresses

When filtering Ethernet packets allow rules to specify a mac address with a mask. This indicates which bits of the specified address are significant. This allows users to do things like filter based on device manufacturer.

Sponsored by: Rubicon Communications, LLC ("Netgate")

c5131afe | 01-Oct-2021 | Kristof Provost <kp@FreeBSD.org>
pf: add anchor support for ether rules

Support anchors in ether rules.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32482

fb330f39 | 27-Sep-2021 | Kristof Provost <kp@FreeBSD.org>
pf: support dummynet on L2 rules

Allow packets to be tagged with dummynet information. Note that we do not apply dummynet shaping on the L2 traffic, but instead mark it for dummynet processing in the L3 code. This is the same approach as we take for ALTQ.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32222

c696d5c7 | 17-Feb-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Don't print (ether) to / from if they're not set

If we're not filtering on a specific MAC address don't print it at all, rather than showing an all-zero address.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31749

2b29ceb8 | 04-Feb-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Print Ethernet rules

Extend pfctl to be able to read configured Ethernet filtering rules from the kernel and print them.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31738

7bb3c927 | 05-Nov-2021 | Kristof Provost <kp@FreeBSD.org>
libpfctl: be consistent with u_int vs. uint

Always use uint64_t over u_int64_t, for the sake of consistency.

No functional change.

MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")

76c5eecc | 29-Oct-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Introduce ridentifier

Allow users to set a number on rules which will be exposed as part of the pflog header. The intent behind this is to allow users to correlate rules across updates (remember that pf rules continue to exist and match existing states, even if they're removed from the active ruleset) and pflog.

Obtained from: pfSense
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32750

5062afff | 13-Aug-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: userspace adaptive syncookies configuration

Hook up the userspace bits to configure syncookies in adaptive mode.

MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D32136

63b3c1c7 | 15-May-2021 | Kristof Provost <kp@FreeBSD.org>
pf: support dummynet

Allow pf to use dummynet pipes and queues. We re-use the currently unused IPFW_IS_DUMMYNET flag to allow dummynet to tell us that a packet is being re-injected after being delayed. This is needed to avoid endlessly looping the packet between pf and dummynet.

MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31904

46fb68b1 | 26-Aug-2021 | Kristof Provost <kp@FreeBSD.org>
libpfctl: Implement DIOCGETSTATUS wrappers

MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31696

c69121c4 | 26-May-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: syncookie configuration

pfctl and libpfctl code required to enable/disable the syncookie feature.

MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31140

34285eef | 29-Jun-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Reduce the data returned in DIOCGETSTATESNV

This call is particularly slow due to the large amount of data it returns. Remove all fields pfctl does not use. There is no functional impact to pfctl, but it somewhat speeds up the call.

It might affect other (i.e. non-FreeBSD) code that uses the new interface, but this call is very new, so there's unlikely to be any. No releases contained the previous version, so we choose to live with the ABI modification.

Reviewed by: donner
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30944

d0fdf2b2 | 12-May-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Track the original kif for floating states

Track (and display) the interface that created a state, even if it's a floating state (and thus uses virtual interface 'all').

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30245

bc941291 | 10-May-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Use DIOCGETSTATESNV

Migrate to using the new nvlist-based DIOCGETSTATESNV call to obtain the states list.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30244

93abcf17 | 03-May-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Support killing 'matching' states

Optionally also kill states that match (i.e. are the NATed state or opposite direction state entry for) the state we're killing.

See also https://redmine.pfsense.org/issues/8555

Submitted by: Steven Brown
Reviewed by: bcr (man page)
Obtained from: https://github.com/pfsense/FreeBSD-src/pull/11/
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30092

abbcba9c | 30-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Allow states to be killed per 'gateway'

This allows us to kill states created from a rule with route-to/reply-to set. This is particularly useful in multi-wan setups, where one of the WAN links goes down.

Submitted by: Steven Brown
Obtained from: https://github.com/pfsense/FreeBSD-src/pull/11/
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30058

2a00c4db | 29-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Start using DIOCKILLSTATESNV

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30055

53714a58 | 29-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Start using DIOCCLRSTATESNV

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30053

6fcc8e04 | 20-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Allow multiple labels to be set on a rule

Allow up to 5 labels to be set on each rule. This offers more flexibility in using labels. For example, it replaces the custom 'schedule' keyword used by pfSense to terminate states according to a schedule.

Reviewed by: glebius
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29936

42ec75f8 | 15-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Optionally attempt to preserve rule counter values across ruleset updates

Usually rule counters are reset to zero on every update of the ruleset. With keepcounters set pf will attempt to find matching rules between old and new rulesets and preserve the rule counters.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29780

4eabfe46 | 12-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Fix clearing rules counters

After the migration to libpfctl for rule retrieval we accidentally lost support for clearing the rules counters. Introduce a get_clear variant of pfctl_get_rule() which allows rules counters to be cleared.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29727

2aa21096 | 13-Apr-2021 | Kurosawa Takahiro <takahiro.kurosawa@gmail.com>
pf: Implement the NAT source port selection of MAP-E Customer Edge

MAP-E (RFC 7597) requires special care for selecting source ports in NAT operation on the Customer Edge because a part of bits of the port numbers are used by the Border Relay to distinguish another side of the IPv4-over-IPv6 tunnel.

PR: 254577
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D29468

600bd6ce | 12-Apr-2021 | Kurosawa Takahiro <takahiro.kurosawa@gmail.com>
pfctl, libpfctl: introduce pfctl_pool

Introduce pfctl_pool to be able to extend the pool part of the pf rule without breaking the ABI.

Reviewed by: kp
MFC after: 4 weeks
Differential Revision: https://reviews.freebsd.org/D29721

ab5707a5 | 08-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
libpfctl: Fix u_* counters

struct pf_rule had a few counter_u64_t counters. Those couldn't be usefully communicated with userspace, so the fields were doubled up in uint64_t u_* versions. Now that we use struct pfctl_rule (i.e. a fully userspace version) we can safely change the structure and remove this wart.

Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29645

e9eb0941 | 08-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
libpfctl: Switch to pfctl_rule

Stop using the kernel's struct pf_rule, switch to libpfctl's pfctl_rule. Now that we use nvlists to communicate with the kernel these structures can be fully decoupled.

Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29644

0d71f9f3 | 26-Mar-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Move ioctl abstraction functions into libpfctl

Introduce a library to wrap the pf ioctl interface.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29562