c36c90a2 | 01-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCSETDEBUG to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

9dbbe68b | 30-May-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCCLRSTATUS to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

8ddd0359 | 28-May-2024 | Kristof Provost <kp@FreeBSD.org>
pfctl: fix recursive printing of nat anchors

Similar to the preceding fix for rules, ensure that we recursively list wildcard anchors for nat rules.

MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")

cd2054d4 | 24-May-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: add pfctl_get_rule_h()

Add a handle variant of pfctl_get_rule(). This converts us from using the nvlist variant to the netlink variant, and also moves us closer to a world where all libpfctl functions take the handle.

While here have pfctl use the new function.

Sponsored by: Rubicon Communications, LLC ("Netgate")

76bc4a77 | 26-May-2024 | Kristof Provost <kp@FreeBSD.org>
pfctl: use pfctl_add_rule_h() rather than pfctl_add_rule()

This ensures we use the handle opened with pfctl_open(), and also brings us closer to the ideal state where everything uses the handle rather than a file descriptor.

f1612e70 | 09-May-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix file descriptor leak

pfctl_get_rules_info() opened a netlink socket, but failed to close it again. Fix this by factoring out the netlink-based function into a _h variant that takes struct pfctl_handle, and implement pfctl_get_rules_info() based on that, remembering to close the fd.

While here migrate all in-tree consumers to the _h variant.

MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")

5824df8d | 23-Mar-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCGETSTATUS to netlink

Introduce pfctl_get_status_h() because we need the pfctl_handle. In this variant use netlink to obtain the information.

Sponsored by: Rubicon Communications, LLC ("Netgate")

470a2b33 | 18-Mar-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCSETSTATUSIF to netlink

While here also add a basic test case for it.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44368

706d465d | 26-Feb-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert kill/clear state to use netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44090

777a4702 | 12-Jan-2024 | Kristof Provost <kp@FreeBSD.org>
pf: implement addrule via netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

66cacc14 | 04-Jan-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: introduce pfctl_handle

Consumers of libpfctl can (and in future, should) open a handle. This handle is an opaque object which contains the /dev/pf file descriptor and a netlink handle. This means that libpfctl users can open the handle as root, then drop privileges and still access pf.

Already add the handle to pfctl_startstop() and pfctl_get_creatorids() as these are new in main, and not present on stable branches. Other calls will have handle-enabled alternatives implemented in subsequent commits.

Sponsored by: Rubicon Communications, LLC ("Netgate")

0187875a | 27-Nov-2023 | Luiz Amaral <email@luiz.eng.br>
pfctl: Fix recursive printing of anchor labels

We recently noticed that the recursive printing of labels wasn't working like the recursive printing of rules. When running pfctl -sr -a* we get a listing of all rules, including the ones inside anchors. On the other hand, when running pfctl -sl -a*, it would only print the labels in the root level, just like without the -a* argument.

As in our use-case we are interested in labels only and our labels are unique even between anchors, we didn't add indentation or hierarchy to the printing.

Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D42728

ca9dbde8 | 27-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: support SCTP-specific timeouts

Allow SCTP state timeouts to be configured independently from TCP state timeouts.

Reviewed by: tuexen
MFC after: 1 week
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D42393

4f337550 | 19-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: allow states to be killed by their pre-NAT address

If a connection is NAT-ed we could previously only terminate it by its ID or the post-NAT IP address. Allow users to specify they want to look for the state by its pre-NAT address.

Usage: `pfctl -k nat -k <address>`.

See also: https://redmine.pfsense.org/issues/11556
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42312

044eef6a | 16-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: support basic filters for state listing

Allow userspace to specify a protocol, interface, address family and/or address and mask, allowing the state listing to be pre-filtered in the kernel.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42280

81647eb6 | 10-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: implement start/stop calls via netlink

Implement equivalents to DIOCSTART and DIOCSTOP in netlink. Provide a libpfctl implementation and add a basic test case, mostly to verify that we still return the same errors as before the conversion.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42145

a7191e5d | 03-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: add a way to list creator ids

Allow userspace to retrieve a list of distinct creator ids for the current states. This is used by pfSense, and used to require dumping all states to userspace. It's rather inefficient to export a (potentially extremely large) state table to obtain a handful (typically 2) of 32-bit integers.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42092

f218b851 | 02-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: introduce state iterator

Allow consumers to start processing states as the kernel supplies them, rather than having to build a full list and only then start processing. Especially for very large state tables this can significantly reduce memory use.

Without this change when retrieving 1M states time -l reports:

real 3.55 user 1.95 sys 1.05
318832 maximum resident set size
194 average shared memory size
15 average unshared data size
127 average unshared stack size
79041 page reclaims
0 page faults
0 swaps
0 block input operations
0 block output operations
15096 messages sent
250001 messages received
0 signals received
22 voluntary context switches
34 involuntary context switches

With it it reported:

real 3.32 user 1.88 sys 0.86
3220 maximum resident set size
195 average shared memory size
11 average unshared data size
128 average unshared stack size
260 page reclaims
0 page faults
0 swaps
0 block input operations
0 block output operations
15096 messages sent
250001 messages received
0 signals received
21 voluntary context switches
31 involuntary context switches

Reviewed by: mjg
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42091

1d386b48 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>
Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

f8b4f9aa | 07-Aug-2023 | Kristof Provost <kp@FreeBSD.org>
pfctl: optionally clarify which anchors are layer 3 and which are Ethernet

When listing anchors pfctl lists both 'regular' layer 3 anchors and Ethernet anchors. It's possible to have the same anchor name in both, which can be confusing. Mitigate this a little by explicitly marking where the Ethernet anchors start. Avoid breaking scripts by only doing this at the second level of verbosity.

Sponsored by: Rubicon Communications, LLC ("Netgate")

5e3bb051 | 21-Apr-2023 | Kristof Provost <kp@FreeBSD.org>
pfctl: remove unneeded includes

We don't use nvlists (directly) or sysctls, so there's no need to include the headers.

Sponsored by: Rubicon Communications, LLC ("Netgate")

39282ef3 | 13-Apr-2023 | Kajetan Staszkiewicz <vegeta@tuxpowered.net>
pf: backport OpenBSD syntax of "scrub" option for "match" and "pass" rules

Introduce the OpenBSD syntax of "scrub" option for "match" and "pass" rules and the "set reassemble" flag. The patch is backward-compatible, pf.conf can still be written in FreeBSD-style.

Obtained from: OpenBSD
MFC after: never
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D38025

cd80c52c | 23-Jan-2023 | Kristof Provost <kp@FreeBSD.org>
pfctl: rule.label is a two-dimensional array

Fix checking for a non-empty first string.

PR: 269075
MFC after: 1 week
Reported by: nreilly@blackberry.com

1d090028 | 29-Sep-2022 | Kristof Provost <kp@FreeBSD.org>
pf: use time_t for timestamps

Use time_t rather than uint32_t to represent the timestamps. That means we have 64 bits rather than 32 on all platforms except i386, avoiding the Y2K38 issues on most platforms.

Reviewed by: Zhenlei Huang
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D36837

cfa1a130 | 01-Sep-2022 | Kristof Provost <kp@FreeBSD.org>
pfctl: fix recursive printing of ethernet anchors

Similar to the preceding fix for layer three rules, ensure that we recursively list wildcard anchors for ethernet rules.

MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D36417

585a5ed0 | 01-Sep-2022 | Kristof Provost <kp@FreeBSD.org>
pfctl: fix recursive printing of anchors

Fix a couple of problems with printing of anchors, in particular recursive printing, both of inline anchors and when requested explicitly with a '*' in the anchor.

- Correct recursive printing of wildcard anchors (recurse into child anchors rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for inline anchors.

tested by phessler
ok henning

Also fix the relevant pfctl test case to reflect the new (and now correct) behaviour.

MFC after: 3 weeks
Obtained from: OpenBSD (mcbride, f9a568a27c740528301ca3419316c85a9fc7f1de)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D36416

ed5eb77e | 30-Aug-2022 | Kristof Provost <kp@FreeBSD.org>
pfctl: fix printing anchors

Ensure that we pass the (base) anchorname to the kernel, not the '/*' suffix.

MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D36415

29866385 | 22-May-2022 | Jessica Clarke <jrtc27@FreeBSD.org>
pfctl: fix out-of-bounds access

If pfctl is called with "pfctl -a ''" we read outside of the anchoropt buffer. Check that the buffer is sufficiently long to avoid that.

Maintain the existing (and desired, because it's used as such in /etc/periodic/security/520.pfdenied) behaviour of treating "-a ''" as a request for the root anchor (or no anchor specified).

PR: 264128
Reviewed by: kp

0abcc1d2 | 22-Apr-2022 | Reid Linnemann <rlinnemann@netgate.com>
pf: Add per-rule timestamps for rule and eth_rule

Similar to ipfw rule timestamps, these timestamps internally are uint32_t snaps of the system time in seconds. The timestamp is CPU local and updated each time a rule or a state associated with a rule or state is matched.

Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34970

d86cf443 | 13-Apr-2022 | Matteo Riondato <matteo@FreeBSD.org>
pfctl: fix recursive printing of rules

When asked to print rules recursively, correctly recurse for anchors included in pf.conf with "anchorname/*".

PR: 262590
Reviewed by: kp
MFC after: 3 weeks

c4a08ef2 | 01-Apr-2022 | Mateusz Guzik <mjg@FreeBSD.org>
pf: handle duplicate rules gracefully

Reviewed by: kp
Reported by: dch
PR: 262971
Sponsored by: Rubicon Communications, LLC ("Netgate")

9bb06778 | 29-Mar-2022 | Kristof Provost <kp@FreeBSD.org>
pf: support listing ethernet anchors

Sponsored by: Rubicon Communications, LLC ("Netgate")

a632d9e3 | 17-Mar-2022 | Kristof Provost <kp@FreeBSD.org>
pfctl: fix retrieving nested nat-anchors

When retrieving nat rules in anchors we need to set the path just like we do for regular rules.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

cd8438e5 | 17-Mar-2022 | Matteo Riondato <matteo@FreeBSD.org>
pfctl: fix retrieving nested anchors

PR: 262622
MFC after: 1 week
Reviewed by: kp

8c1400b0 | 04-Mar-2022 | Kristof Provost <kp@FreeBSD.org>
libpfctl: factor out pfctl_get_rules_info()

Introduce pfctl_get_rules_info(), similar to pfctl_get_eth_rules_info() to retrieve rules information (ticket and total number of rules). Use the new function in pfctl.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34443

f0c334e4 | 04-Mar-2022 | Kristof Provost <kp@FreeBSD.org>
libpfctl: support flushing rules/nat/eth

Move the code to flush regular rules, nat rules and Ethernet rules into libpfctl for easier re-use.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34442

a20773c8 | 05-Mar-2022 | Kristof Provost <kp@FreeBSD.org>
pfctl: support recursive printing of nat rules

PR: 252617
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D34455

c32cd180 | 21-Jan-2022 | Kristof Provost <kp@FreeBSD.org>
pfctl: print ethernet rules when called with '-n'

Just as pfctl already does for other rules we print the ethernet rules we would have loaded if '-n' is specified.

Sponsored by: Rubicon Communications, LLC ("Netgate")

6ea1c3cf | 17-Jan-2022 | Kristof Provost <kp@FreeBSD.org>
pfctl: support flushing ethernet rules

Sponsored by: Rubicon Communications, LLC ("Netgate")

c5131afe | 01-Oct-2021 | Kristof Provost <kp@FreeBSD.org>
pf: add anchor support for ether rules

Support anchors in ether rules.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32482

30087aa2 | 17-Feb-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Support clearing ether counters

Allow the evaluations/packets/bytes counters on Ethernet rules to be cleared.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31748

2b29ceb8 | 04-Feb-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Print Ethernet rules

Extend pfctl to be able to read configured Ethernet filtering rules from the kernel and print them.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31738

09c7f238 | 13-Oct-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: delay label macro expansion until after rule optimisation

We used to expand the $nr macro in labels into the rule number prior to the optimisation step. This would occasionally produce incorrect rule numbers in the labels.

Delay all macro expansion until after the optimisation step to ensure that we expand the correct values.

MFC after: 1 week
Reported by: Özkan KIRIK <ozkan.kirik@gmail.com>
Differential Revision: https://reviews.freebsd.org/D32488

5062afff | 13-Aug-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: userspace adaptive syncookies configuration

Hook up the userspace bits to configure syncookies in adaptive mode.

MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D32136

80078d9d | 26-Aug-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: use libpfctl to retrieve pf status

Rather than call DIOCGETSTATUS ourselves use the new libpfctl functions.

MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31697

9ce32082 | 24-Aug-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: build fix

Fix the build issue introduced in e59eff9ad328 (pfctl: fix killing states by ID)

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

e59eff9a | 23-Aug-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: fix killing states by ID

Since the conversion to the new DIOCKILLSTATESNV the kernel no longer expects the id and creatorid to be big-endian. As a result killing states by id (i.e. `pfctl -k id -k 12345`) no longer worked.

Reported by: Özkan KIRIK
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

c69121c4 | 26-May-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: syncookie configuration

pfctl and libpfctl code required to enable/disable the syncookie feature.

MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31140

858937be | 01-Jul-2021 | Mateusz Guzik <mjg@FreeBSD.org>
pfctl: cache getprotobynumber results

As for example pfctl -ss keeps calling it, it saves a lot of overhead from elided parsing of /etc/nsswitch.conf and /etc/protocols.

Sample result when running a pre-nvlist binary with nfs root and dumping 7 mln states:

before: 24.817u 62.993s 1:28.52 99.1%
after: 8.064u 1.117s 0:18.87 48.5%

Idea by Jim Thompson
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")

bc941291 | 10-May-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Use DIOCGETSTATESNV

Migrate to using the new nvlist-based DIOCGETSTATESNV call to obtain the states list.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30244

93abcf17 | 03-May-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Support killing 'matching' states

Optionally also kill states that match (i.e. are the NATed state or opposite direction state entry for) the state we're killing.

See also https://redmine.pfsense.org/issues/8555

Submitted by: Steven Brown
Reviewed by: bcr (man page)
Obtained from: https://github.com/pfsense/FreeBSD-src/pull/11/
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30092

abbcba9c | 30-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Allow states to be killed per 'gateway'

This allows us to kill states created from a rule with route-to/reply-to set. This is particularly useful in multi-wan setups, where one of the WAN links goes down.

Submitted by: Steven Brown
Obtained from: https://github.com/pfsense/FreeBSD-src/pull/11/
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30058

2a00c4db | 29-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Start using DIOCKILLSTATESNV

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30055

53714a58 | 29-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Start using DIOCCLRSTATESNV

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30053

6fcc8e04 | 20-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Allow multiple labels to be set on a rule

Allow up to 5 labels to be set on each rule. This offers more flexibility in using labels. For example, it replaces the custom 'schedule' keyword used by pfSense to terminate states according to a schedule.

Reviewed by: glebius
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29936

42ec75f8 | 15-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Optionally attempt to preserve rule counter values across ruleset updates

Usually rule counters are reset to zero on every update of the ruleset. With keepcounters set pf will attempt to find matching rules between old and new rulesets and preserve the rule counters.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29780

4eabfe46 | 12-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Fix clearing rules counters

After the migration to libpfctl for rule retrieval we accidentally lost support for clearing the rules counters. Introduce a get_clear variant of pfctl_get_rule() which allows rules counters to be cleared.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29727

600bd6ce | 12-Apr-2021 | Kurosawa Takahiro <takahiro.kurosawa@gmail.com>
pfctl, libpfctl: introduce pfctl_pool

Introduce pfctl_pool to be able to extend the pool part of the pf rule without breaking the ABI.

Reviewed by: kp
MFC after: 4 weeks
Differential Revision: https://reviews.freebsd.org/D29721

ab5707a5 | 08-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
libpfctl: Fix u_* counters

struct pf_rule had a few counter_u64_t counters. Those couldn't be usefully communicated with userspace, so the fields were doubled up in uint64_t u_* versions. Now that we use struct pfctl_rule (i.e. a fully userspace version) we can safely change the structure and remove this wart.

Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29645

e9eb0941 | 08-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
libpfctl: Switch to pfctl_rule

Stop using the kernel's struct pf_rule, switch to libpfctl's pfctl_rule. Now that we use nvlists to communicate with the kernel these structures can be fully decoupled.

Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29644

0d71f9f3 | 26-Mar-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Move ioctl abstraction functions into libpfctl

Introduce a library to wrap the pf ioctl interface.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29562

0d6c8174 | 26-Mar-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Use the new DIOCGETRULENV ioctl

Create wrapper functions to handle the parsing of the nvlist and move that code into pfctl_ioctl.c. At some point this should be moved into a libpfctl.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29560

5c11c5a3 | 12-Mar-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Move to DIOCADDRULENV

Start using the new nvlist based ioctl to add rules.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29558

b1f3ab00 | 12-Jan-2019 | Kristof Provost <kp@FreeBSD.org>
pfctl: Fix 'set skip' handling for groups

When we skip on a group the kernel will automatically skip on the member interfaces. We still need to update our own cache though, or we risk overruling the kernel afterwards.

This manifested as 'set skip' working initially, then not working when the rules were reloaded.

PR: 229241
MFC after: 1 week

249cc75f | 22-Aug-2018 | Patrick Kelsey <pkelsey@FreeBSD.org>
Extended pf(4) ioctl interface and pfctl(8) to allow bandwidths of 2^32 bps or greater to be used.

Prior to this, bandwidth parameters would simply wrap at the 2^32 boundary. The computations in the HFSC scheduler and token bucket regulator have been modified to operate correctly up to at least 100 Gbps. No other algorithms have been examined or modified for correct operation above 2^32 bps (some may have existing computation resolution or overflow issues at rates below that threshold). pfctl(8) will now limit non-HFSC bandwidth parameters to 2^32 - 1 before passing them to the kernel.

The extensions to the pf(4) ioctl interface have been made in a backwards-compatible way by versioning affected data structures, supporting all versions in the kernel, and implementing macros that will cause existing code that consumes that interface to use version 0 without source modifications. If version 0 consumers of the interface are used against a new kernel that has had bandwidth parameters of 2^32 or greater configured by updated tools, such bandwidth parameters will be reported as 2^32 - 1 bps by those old consumers.

All in-tree consumers of the pf(4) interface have been updated. To update out-of-tree consumers to the latest version of the interface, define PFIOC_USE_LATEST ahead of any includes and use the code of pfctl(8) as a guide for the ioctls of interest.

PR: 211730
Reviewed by: jmallett, kp, loos
MFC after: 2 weeks
Relnotes: yes
Sponsored by: RG Nets
Differential Revision: https://reviews.freebsd.org/D16782

cd615bf5 | 22-Aug-2018 | Kristof Provost <kp@FreeBSD.org>
pfctl: Remove unused function

Fix compile issues.

MFC after: 1 week

7a831fec | 22-Aug-2018 | Kristof Provost <kp@FreeBSD.org>
pfctl: Improve set skip handling for groups

Rely on the kernel to appropriately mark group members as skipped. Once a group is skipped we can clear the update flag on all the members.

PR: 229241
Submitted by: Andreas Longwitz <longwitz AT incore.de>
MFC after: 1 week

7a2bf4c5 | 03-Jul-2018 | Kristof Provost <kp@FreeBSD.org>
pfctl: Don't retrieve interface list if '-n' is set

If '-n' is set we don't use the list of skip interfaces, so don't retrieve it. This fixes issues if 'pfctl -n' is used before the pf module is loaded.

This was broken by r333181.

Reported by: Jakub Chromy <hicks AT cgi.cz>
MFC after: 1 week

fa1d4439 | 06-Jun-2018 | Kristof Provost <kp@FreeBSD.org>
pf: Return non-zero from 'status' if pf is not enabled

In the pf rc.d script the output of `/etc/rc.d/pf status` or `/etc/rc.d/pf onestatus` always provided an exit status of zero. This made it fiddly to programmatically determine if pf was running or not.

Return a non-zero status if the pf module is not loaded, extend pfctl to have an option to return an error status if pf is not enabled.

PR: 228632
Submitted by: James Park-Watt <jimmypw AT gmail.com>
MFC after: 1 week

c5e10565 | 28-Apr-2018 | Kristof Provost <kp@FreeBSD.org>
pfctl: Don't break connections on skipped interfaces on reload

On reload we used to first flush everything, including the list of skipped interfaces. This can lead to termination of these connections if they send packets before the new configuration is applied.

Note that this doesn't currently happen on 12 or 11, because of special EACCES handling introduced in r315514. This special behaviour in tcp_output() may change, hence the fix in pfctl.

PR: 214613

07695000 | 27-Dec-2017 | Warner Losh <imp@FreeBSD.org>
Free path before returning.

CID: 977827

1de7b4b8 | 27-Nov-2017 | Pedro F. Giffuni <pfg@FreeBSD.org>
various: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I was using misidentified many licenses so this was mostly a manual - error prone - task.

The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, supersede or replace the license texts.

No functional change intended.

2fd47dea | 10-Nov-2016 | Kristof Provost <kp@FreeBSD.org>
pfctl: fix nested inline anchors

Import the OpenBSD fix for nested inline anchors.

PR: 196314
Submitted by: krichy@cflinux.hu
Obtained from: OpenBSD

13cfafab | 04-Aug-2016 | Kristof Provost <kp@FreeBSD.org>
pfctl: Make most global variables static.

This will make it easier to link as a library.

Submitted by: Christian Mauderer <christian.mauderer@embedded-brains.de>

72a3cf0f | 02-Aug-2016 | Kristof Provost <kp@FreeBSD.org>
pfctl: Use const where possible.

This adds const qualifiers where it is possible.

Submitted by: Christian Mauderer <christian.mauderer@embedded-brains.de>

9a5e33be | 02-Aug-2016 | Kristof Provost <kp@FreeBSD.org>
pfctl: Match prototype of pfctl_load_hostid.

The prototype and the implementation of the pfctl_load_hostid used a different data type for one of the parameters.

Submitted by: Christian Mauderer <christian.mauderer@embedded-brains.de>

3e768368 | 01-Nov-2015 | Kristof Provost <kp@FreeBSD.org>
pfctl: Fix uninitialised variable

In pfctl_set_debug() we used 'level' without ever initialising it. We correctly parsed the option, but then failed to actually assign the parsed value to 'level' before performing the ioctl() to configure the debug level.

PR: 202996
Submitted by: Andrej Kolontai

a4134647 | 20-Jul-2015 | George V. Neville-Neil <gnn@FreeBSD.org>
Only report the lack of ALTQ support if pfctl is using verbose (-v) mode.

PR: 194935
Submitted by: Jim Thompson
MFC after: 2 weeks

772e66a6 | 16-Apr-2015 | Gleb Smirnoff <glebius@FreeBSD.org>
Move ALTQ from contrib to net/altq.

The ALTQ code has for many years been discontinued by its initial authors. In FreeBSD the code was already slightly edited during the pf(4) SMP project. It is about to be edited more in the projects/ifnet. Moving out of contrib also allows removing several hacks to the make glue.

Reviewed by: net@

5a9ab487 | 05-Mar-2014 | Gleb Smirnoff <glebius@FreeBSD.org>
Fix compilation for 32-bit machines.

fb3541ad | 04-Mar-2014 | Gleb Smirnoff <glebius@FreeBSD.org>
Instead of playing games with casts simply add 3 more members to the structure pf_rule, that are used when the structure is passed via ioctl().

PR: 187074

2dfe3ec2 | 15-Feb-2014 | Gleb Smirnoff <glebius@FreeBSD.org>
Better build fix.

4a70ff6d | 14-Feb-2014 | Gleb Smirnoff <glebius@FreeBSD.org>
Fix build on 32bit arches broken by me in r261882.

48278b88 | 14-Feb-2014 | Gleb Smirnoff <glebius@FreeBSD.org>
Once pf was no longer covered by a single mutex, many counters in it became race prone. Some just gather statistics, but some are later used in different calculations. A real problem was the race-provoked underflow of the states_cur counter on a rule. Once it goes below zero, it wraps to UINT32_MAX. Later this value is used in pf_state_expires() and any state created by this rule is immediately expired.

Thus, make fields states_cur, states_tot and src_nodes of struct pf_rule be counter(9)s.

Thanks to Dennis for providing me shell access to problematic box and his help with reproducing, debugging and investigating the problem.

Thanks to: Dennis Yusupoff <dyr smartspb.net>
Also reported by: dumbbell, pgj, Rambler
Sponsored by: Nginx, Inc.

116e43f0 | 22-Nov-2013 | Gleb Smirnoff <glebius@FreeBSD.org>
Remove __FreeBSD__ ifdefs.

0c46447b | 22-Nov-2013 | Gleb Smirnoff <glebius@FreeBSD.org>
Rewrite usage() so that its source code resembles what is printed.

3b3a8eb9 | 14-Sep-2012 | Gleb Smirnoff <glebius@FreeBSD.org>
o Create directory sys/netpfil, where all packet filters should reside, and move there ipfw(4) and pf(4).
o Move most modified parts of pf out of contrib.

Actual movements:

sys/contrib/pf/net/*.c -> sys/netpfil/pf/
sys/contrib/pf/net/*.h -> sys/net/
contrib/pf/pfctl/*.c -> sbin/pfctl
contrib/pf/pfctl/*.h -> sbin/pfctl
contrib/pf/pfctl/pfctl.8 -> sbin/pfctl
contrib/pf/pfctl/*.4 -> share/man/man4
contrib/pf/pfctl/*.5 -> share/man/man5
sys/netinet/ipfw -> sys/netpfil/ipfw

The arguable movement is pf/net/*.h -> sys/net. There are future plans to refactor pf includes, so I decided not to break things twice.

Not modified bits of pf left in contrib: authpf, ftp-proxy, tftp-proxy, pflogd.

The ipfw(4) movement is planned to be merged to stable/9, to make head and stable match.

Discussed with: bz, luigi
