0972294e | 20-Jan-2025 | Kristof Provost <kp@FreeBSD.org>
pf: add a dedicated pf pool for route options
As suggested by henning. Which unbreaks i.e. route-to after the recent pf changes.
With much help debugging and pointing out of missing bits from claudio@
ok claudio@ "looks good" henning@
Obtained from: OpenBSD, jsg <jsg@openbsd.org>, 7fa5c09028
Sponsored by: Rubicon Communications, LLC ("Netgate")
7c882c69 | 15-Jan-2025 | Kristof Provost <kp@FreeBSD.org>
libpfctl: use snl_f_p_empty instead of declaring own empty array
Just as we did in the kernel in e9255dafa1ef0c635385aee78ead3a0050b19cca
Suggested by: glebius
Reviewed by: glebius, melifaro
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D48460
441d4894 | 03-Dec-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCRCLRTABLES to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
Revision tags: release/14.2.0
aa69fdf1 | 10-Oct-2024 | Kristof Provost <kp@FreeBSD.org>
pfctl: change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted from the IPv6 dst (assuming a /64 prefix). Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@
Obtained from: OpenBSD, claudio <claudio@openbsd.org>, 0cde32ce3f
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47790
ebe11b46 | 25-Oct-2024 | Kristof Provost <kp@FreeBSD.org>
pf: fix state export in the face of NAT64
Now that we can NAT64 we can have states where the wire and stack address families (and protocol) are different. Update the state export code to account for this.
We keep exporting address family and protocol outside of the key, for backwards compatibility. This'll return misleading information to userspace in the NAT64 case, but it's assumed that userspace will either understand NAT64 (and thus look for them in the correct place), or not configure it.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47787
e11dacbf | 11-Oct-2024 | Kristof Provost <kp@FreeBSD.org>
pf: partially import OpenBSD's NAT rewrite
We won't follow this fully, because it involves breaking syntax changes (removing nat/rdr rules and moving this functionality into regular rules) as well as behaviour changes because NAT is now done after the rules evaluation, rather than before it.
We import some related changes anyway, because it paves the way for nat64 support. This change introduces a new pf_kpool in struct pf_krule, for nat. It is not yet used (but will be for nat64) and renames the existing 'rpool' to 'rdr'.
Obtained from: OpenBSD, henning <henning@openbsd.org>, 0ef3d4febe
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47783
9c125336 | 11-Oct-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCGETSRCNODES to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
48f5bf8b | 03-Oct-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCGETRULESET to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46938
25e0f8f9 | 01-Oct-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCGETRULESETS to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46930
7fe42038 | 27-Sep-2024 | Kajetan Staszkiewicz <vegeta@tuxpowered.net>
pf: fix max-src-conn when rules are added via netlink
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46797
93e96359 | 20-Sep-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: ensure we return useful error codes
Return errno rather than -1 on error. This allows pfctl to report much more useful errors.
Reported by: Alexander Leidinger <Alexander@Leidinger.net>
MFC after: 1 week
Revision tags: release/13.4.0
2339ead6 | 29-Aug-2024 | Kristof Provost <kp@FreeBSD.org>
pf: allow filtering on the receive interface
Add support to pf for filtering a packet by the interface it was received on. Use the received-on IFNAME filter option on a pf.conf rule to restrict which packet the interface had to be received on. E.g.:
pass out on em0 from $foo to $bar received-on fxp0
I've been running this in production for a week now. I find it particularly useful with interface groups.
No objections, and a few "I like"s from henning, claudio, deraadt, mpf
Obtained from: OpenBSD, dlg <dlg@openbsd.org>, 95b4320893
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46577
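The two rule syntaxes introduced in this log, af-to (commit aa69fdf1, "pfctl: change for af-to / NAT64 support") and received-on (commit 2339ead6 above), shown together in one pf.conf fragment. This is an added example and not part of the commit log or of the FreeBSD tree. The interface names, the addresses in the macros and the NAT64 prefix are assumptions: the commit message describes the IPv4 destination being extracted from the IPv6 destination assuming a /64 prefix, while the fragment below uses the RFC 6052 well-known 64:ff9b::/96 prefix, so confirm the prefix handling in pf.conf(5) for the release you run.

```pf
# Added example (not from the commit log): exercises the af-to and
# received-on syntax described in commits aa69fdf1 and 2339ead6.
# Interface names, addresses and the NAT64 prefix are assumptions.
ext_if = "em0"
int_if = "fxp0"
ext_ip = "192.0.2.1"              # assumed IPv4 address on $ext_if
nat64_prefix = "64:ff9b::/96"     # assumed NAT64 prefix (RFC 6052 well-known prefix)

# af-to with an explicit "to": IPv4 traffic to 192.168.1.1 arriving on $int_if
# continues as IPv6 from 2001::1 to 2001::2 (the form quoted in aa69fdf1).
pass in on $int_if inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2

# NAT64: no "to" after af-to. The IPv4 destination is extracted from the
# IPv6 destination that matched $nat64_prefix; the translated packet is
# sourced from $ext_ip.
pass in on $int_if inet6 from any to $nat64_prefix af-to inet from $ext_ip

# received-on: only packets that entered the system on $int_if match this
# outbound rule on $ext_if; anything received on another interface does not.
pass out on $ext_if from any to any received-on $int_if
```

When verifying the NAT64 rule with state listings, remember the caveat from commit ebe11b46: the address family and protocol exported outside the state key are kept for backwards compatibility and can be misleading for NAT64 states, so look at the wire and stack sides of the key rather than the top-level fields.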
9ae91f59 | 19-Jul-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCGETADDR to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
644b7b5a | 19-Jul-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCGETADDRS to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
d909f06b | 16-Jul-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCADDADDR to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
ba2a9207 | 07-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCBEGINADDRS to netlink
d9ab8999 | 07-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pf: migrate DIOCGETLIMIT/DIOCSETLIMIT to netlink
Event: Kitchener-Waterloo Hackathon 202406
30bad751 | 05-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCGETTIMEOUT/DIOCSETTIMEOUT to netlink
c36c90a2 | 01-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCSETDEBUG to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
71d3c704 | 31-May-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCNATLOOK to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
Revision tags: release/14.1.0
9dbbe68b | 30-May-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCCLRSTATUS to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
cd2054d4 | 24-May-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: add pfctl_get_rule_h()
Add a handle variant of pfctl_get_rule(). This converts us from using the nvlist variant to the netlink variant, and also moves us closer to a world where all libpfctl functions take the handle.
While here have pfctl use the new function.
Sponsored by: Rubicon Communications, LLC ("Netgate")
f1612e70 | 09-May-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix file descriptor leak
pfctl_get_rules_info() opened a netlink socket, but failed to close it again. Fix this by factoring out the netlink-based function into a _h variant that takes struct pfctl_handle, and implement pfctl_get_rules_info() based on that, remembering to close the fd.
While here migrate all in-tree consumers to the _h variant.
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
5824df8d | 23-Mar-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCGETSTATUS to netlink
Introduce pfctl_get_status_h() because we need the pfctl_handle. In this variant use netlink to obtain the information.
Sponsored by: Rubicon Communications, LLC ("Netgate")
044243fc | 24-Apr-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: allow access to the fd
pfctl_open() opens both /dev/pf and a netlink socket. Allow access to the /dev/pf fd via pfctl_fd(). This means that libpfctl users no longer have to open /dev/pf themselves for any calls that are not yet available in libpfctl.
Sponsored by: Rubicon Communications, LLC ("Netgate")
MFC after: 2 weeks