#
bc941291 |
| 10-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
pfctl: Use DIOCGETSTATESNV
Migrate to using the new nvlist-based DIOCGETSTATESNV call to obtain the states list.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30244
|
#
93abcf17 |
| 03-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: Support killing 'matching' states
Optionally also kill states that match (i.e. are the NATed state or opposite direction state entry for) the state we're killing.
See also https://redmine.pfsense.org/issues/8555
Submitted by: Steven Brown
Reviewed by: bcr (man page)
Obtained from: https://github.com/pfsense/FreeBSD-src/pull/11/
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30092
|
#
abbcba9c |
| 30-Apr-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: Allow states to be killed per 'gateway'
This allows us to kill states created from a rule with route-to/reply-to set. This is particularly useful in multi-wan setups, where one of the WAN links goes down.
Submitted by: Steven Brown
Obtained from: https://github.com/pfsense/FreeBSD-src/pull/11/
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30058
|
#
2a00c4db |
| 29-Apr-2021 |
Kristof Provost <kp@FreeBSD.org> |
pfctl: Start using DIOCKILLSTATESNV
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30055
|
#
53714a58 |
| 29-Apr-2021 |
Kristof Provost <kp@FreeBSD.org> |
pfctl: Start using DIOCCLRSTATESNV
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30053
|
#
402dfb0a |
| 24-Apr-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: Fix parsing of long table names
When parsing the nvlist for a struct pf_addr_wrap we unconditionally tried to parse "ifname". This broke for PF_ADDR_TABLE when the table name was longer than IFNAMSIZ. PF_TABLE_NAME_SIZE is longer than IFNAMSIZ, so this is a valid configuration.
Only parse (or return) ifname or tblname for the corresponding pf_addr_wrap type.
This manifested as a failure to set rules such as these, where the pfctl optimiser generated an automatic table:
pass in proto tcp to 192.168.0.1 port ssh
pass in proto tcp to 192.168.0.2 port ssh
pass in proto tcp to 192.168.0.3 port ssh
pass in proto tcp to 192.168.0.4 port ssh
pass in proto tcp to 192.168.0.5 port ssh
pass in proto tcp to 192.168.0.6 port ssh
pass in proto tcp to 192.168.0.7 port ssh
Reported by: Florian Smeets
Tested by: Florian Smeets
Reviewed by: donner
X-MFC-With: 5c11c5a3655842a176124ef2334fcdf830422c8a
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29962
|
#
6fcc8e04 |
| 20-Apr-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: Allow multiple labels to be set on a rule
Allow up to 5 labels to be set on each rule. This offers more flexibility in using labels. For example, it replaces the custom 'schedule' keyword used by pfSense to terminate states according to a schedule.
Reviewed by: glebius
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29936
|
#
42ec75f8 |
| 15-Apr-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: Optionally attempt to preserve rule counter values across ruleset updates
Usually rule counters are reset to zero on every update of the ruleset. With keepcounters set pf will attempt to find matching rules between old and new rulesets and preserve the rule counters.
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29780
|
#
4eabfe46 |
| 12-Apr-2021 |
Kristof Provost <kp@FreeBSD.org> |
pfctl: Fix clearing rules counters
After the migration to libpfctl for rule retrieval we accidentally lost support for clearing the rules counters.
Introduce a get_clear variant of pfctl_get_rule() which allows rules counters to be cleared.
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29727
|
#
2aa21096 |
| 13-Apr-2021 |
Kurosawa Takahiro <takahiro.kurosawa@gmail.com> |
pf: Implement the NAT source port selection of MAP-E Customer Edge
MAP-E (RFC 7597) requires special care for selecting source ports in NAT operation on the Customer Edge because a part of bits of the port numbers are used by the Border Relay to distinguish another side of the IPv4-over-IPv6 tunnel.
PR: 254577
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D29468
|
#
600bd6ce |
| 12-Apr-2021 |
Kurosawa Takahiro <takahiro.kurosawa@gmail.com> |
pfctl, libpfctl: introduce pfctl_pool
Introduce pfctl_pool to be able to extend the pool part of the pf rule without breaking the ABI.
Reviewed by: kp
MFC after: 4 weeks
Differential Revision: https://reviews.freebsd.org/D29721
|
#
ab5707a5 |
| 08-Apr-2021 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: Fix u_* counters
struct pf_rule had a few counter_u64_t counters. Those couldn't be usefully communicated with userspace, so the fields were doubled up in uint64_t u_* versions.
Now that we use struct pfctl_rule (i.e. a fully userspace version) we can safely change the structure and remove this wart.
Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29645
|
#
e9eb0941 |
| 08-Apr-2021 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: Switch to pfctl_rule
Stop using the kernel's struct pf_rule, switch to libpfctl's pfctl_rule. Now that we use nvlists to communicate with the kernel these structures can be fully decoupled.
Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29644
|
#
0d71f9f3 |
| 26-Mar-2021 |
Kristof Provost <kp@FreeBSD.org> |
pfctl: Move ioctl abstraction functions into libpfctl
Introduce a library to wrap the pf ioctl interface.
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29562
|