History log of /freebsd/lib/libpfctl/libpfctl.c (Results 26 – 50 of 114)
Revision Date Author Comments
# cd2054d4 24-May-2024 Kristof Provost <kp@FreeBSD.org>

libpfctl: add pfctl_get_rule_h()

Add a handle variant of pfctl_get_rule(). This converts us from using
the nvlist variant to the netlink variant, and also moves us closer to a
world where all libpfctl functions take the handle.

While here have pfctl use the new function.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# f1612e70 09-May-2024 Kristof Provost <kp@FreeBSD.org>

libpfctl: fix file descriptor leak

pfctl_get_rules_info() opened a netlink socket, but failed to close it again.
Fix this by factoring out the netlink-based function into a _h variant that
takes struct pfctl_handle, and implement pfctl_get_rules_info() based on that,
remembering to close the fd.

While here migrate all in-tree consumers to the _h variant.

MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 5824df8d 23-Mar-2024 Kristof Provost <kp@FreeBSD.org>

pf: convert DIOCGETSTATUS to netlink

Introduce pfctl_get_status_h() because we need the pfctl_handle. In this variant
use netlink to obtain the information.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 044243fc 24-Apr-2024 Kristof Provost <kp@FreeBSD.org>

libpfctl: allow access to the fd

pfctl_open() opens both /dev/pf and a netlink socket. Allow access to the
/dev/pf fd via pfctl_fd().
This means that libpfctl users no longer have to open /dev/pf themselves for any
calls that are not yet available in libpfctl.

Sponsored by: Rubicon Communications, LLC ("Netgate")
MFC after: 2 weeks


# a3f71765 26-Apr-2024 Kristof Provost <kp@FreeBSD.org>

libpfctl: fix incorrect pcounters array size

The array is 2 x 2 x 2, not 2 x 2 x 3.

Sponsored by: Rubicon Communications, LLC ("Netgate")
MFC after: 2 weeks


# 88f557a2 22-Mar-2024 Kristof Provost <kp@FreeBSD.org>

libpfctl: fix incorrect labels copy

We copied the entire parsed_labels struct, including the counter to a
field that was only big enough for the labels (so not the counter).

PR: 277875
MFC after: 1 week


# 470a2b33 18-Mar-2024 Kristof Provost <kp@FreeBSD.org>

pf: convert DIOCSETSTATUSIF to netlink

While here also add a basic test case for it.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44368


Revision tags: release/13.3.0
# 706d465d 26-Feb-2024 Kristof Provost <kp@FreeBSD.org>

pf: convert kill/clear state to use netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44090


# 306d3fb2 01-Feb-2024 Kristof Provost <kp@FreeBSD.org>

libpfctl: fix incorrect array check

Reported by: Coverity Scan
CID: 1523771
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 777a4702 12-Jan-2024 Kristof Provost <kp@FreeBSD.org>

pf: implement addrule via netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 324fd7ec 04-Jan-2024 Kristof Provost <kp@FreeBSD.org>

libpfctl: introduce a handle-enabled variant of pfctl_add_rule()

Introduce pfctl_add_rule_h(), which takes a pfctl_handle rather than a
file descriptor (which it didn't use). This means that library users can
open the handle while they're running as root, but later drop privileges
and still add rules to pf.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 66cacc14 04-Jan-2024 Kristof Provost <kp@FreeBSD.org>


libpfctl: introduce pfctl_handle

Consumers of libpfctl can (and in future, should) open a handle. This
handle is an opaque object which contains the /dev/pf file descriptor
and a netlink handle. This means that libpfctl users can open the handle
as root, then drop privileges and still access pf.

Already add the handle to pfctl_startstop() and pfctl_get_creatorids()
as these are new in main, and not present on stable branches. Other
calls will have handle-enabled alternatives implemented in subsequent
commits.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 881bf881 21-Dec-2023 Kristof Provost <kp@FreeBSD.org>

pf: export missing state information

We did not export all of the information pfctl expected to print via the
new netlink code. This manifested as pfctl printing 'rtableid: 0', even
when there is no rtable set.

While we're addressing that also export other missing fields such as
dummynet, min_ttl, max_mss, ..

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 99bcbef2 11-Dec-2023 Kristof Provost <kp@FreeBSD.org>

libpfctl: remove stray debug printf()

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 44f323ec 25-Nov-2023 Kristof Provost <kp@FreeBSD.org>

pf: implement DIOCGETRULES via netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 498934c5 17-Nov-2023 Kristof Provost <kp@FreeBSD.org>

libpfctl: handle pfctl_do_ioctl() failures better

Ensure that we free nvlists and other allocations if pfctl_do_ioctl()
fails.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 33d55d0d 17-Nov-2023 Kristof Provost <kp@FreeBSD.org>

libpfctl: handle allocation failure

While it's unlikely for userspace to fail to allocate memory it is still
possible. Handle malloc() returning NULL.

Reported by: Bill Meeks <bill@themeeks.net>
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/14.0.0
# a6173e94 06-Nov-2023 Kristof Provost <kp@FreeBSD.org>

pf: expose more syncookie state information to userspace

Allow userspace to retrieve low and high water marks, as well as the
current number of half open states.

MFC after: 1 week
Sponsored by: Modirum MDPay


# 497ccc21 06-Nov-2023 Kristof Provost <kp@FreeBSD.org>

libpfctl: handle the 'pfctl' netlink family not being supported

If we fail to find the pfctl family we should not attempt to make the
call. That means that either pf is not loaded, or it's a very old (i.e.
pre-netlink) version.

Reported by: manu
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 2b1eb63f 27-Oct-2023 Kristof Provost <kp@FreeBSD.org>

libpfctl: be more tolerant of kernel extensions

Allow the kernel to supply more array elements than expected, but cut
off when we hit what we think the maximum is. This will improve forward
compatibility (i.e. old userspace with newer kernel).

Reviewed by: zlei
MFC after: 1 week
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D42392


# 1c824f43 30-Oct-2023 Kristof Provost <kp@FreeBSD.org>

libpfctl: add missing pfctl_status_lcounter() function

We already had accessors for the other types of counters, but not this
one.

MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 4abc3b48 23-Oct-2023 Kristof Provost <kp@FreeBSD.org>

libpfctl: fix Coverity issues

- handle snl_finalize_msg() returning NULL
- insert the correct data into the states list
- add missing nvlist_destroy()
- incorrect order for array bounds

Coverity: 1522929, 1522925, 1522923, 1522921, 1522780, 1522770, 1522764, 1487785, 1471250
Reviewed by: emaste
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42330


# 2cffb525 23-Oct-2023 Kristof Provost <kp@FreeBSD.org>

libpfctl: fix pfctl_do_ioctl()

pfctl_do_ioctl() copies the packed request data into the request buffer
and then frees it. However, it's possible for the buffer to be too small
for the reply, causing us to allocate a new buffer. We then copied from
the freed request, and freed it again.

Do not free the request buffer until we're all the way done.

PR: 274614
Reviewed by: emaste
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42329


# 4f337550 20-Oct-2023 Kristof Provost <kp@FreeBSD.org>

pf: allow states to be killed by their pre-NAT address

If a connection is NAT-ed we could previously only terminate it by its
ID or the post-NAT IP address. Allow users to specify that they want to look for
the state by its pre-NAT address. Usage: `pfctl -k nat -k <address>`.

See also: https://redmine.pfsense.org/issues/11556
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42312


# 044eef6a 16-Oct-2023 Kristof Provost <kp@FreeBSD.org>

pf: support basic filters for state listing

Allow userspace to specify a protocol, interface, address family and/or
address and mask, allowing the state listing to be pre-filtered in
the kernel.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42280
