cd2054d4 | 24-May-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: add pfctl_get_rule_h()
Add a handle variant of pfctl_get_rule(). This converts us from using the nvlist variant to the netlink variant, and also moves us closer to a world where all libpfctl functions take the handle.
While here have pfctl use the new function.
Sponsored by: Rubicon Communications, LLC ("Netgate")
f1612e70 | 09-May-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix file descriptor leak
pfctl_get_rules_info() opened a netlink socket, but failed to close it again. Fix this by factoring out the netlink-based function into a _h variant that takes struct pfctl_handle, and implement pfctl_get_rules_info() based on that, remembering to close the fd.
While here migrate all in-tree consumers to the _h variant.
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
5824df8d | 23-Mar-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCGETSTATUS to netlink
Introduce pfctl_get_status_h() because we need the pfctl_handle. In this variant use netlink to obtain the information.
Sponsored by: Rubicon Communications, LLC ("Netgate")
044243fc | 24-Apr-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: allow access to the fd
pfctl_open() opens both /dev/pf and a netlink socket. Allow access to the /dev/pf fd via pfctl_fd(). This means that libpfctl users no longer have to open /dev/pf themselves for any calls that are not yet available in libpfctl.
Sponsored by: Rubicon Communications, LLC ("Netgate")
MFC after: 2 weeks
a3f71765 | 26-Apr-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix incorrect pcounters array size
The array is 2 x 2 x 2, not 2 x 2 x 3.
Sponsored by: Rubicon Communications, LLC ("Netgate")
MFC after: 2 weeks
88f557a2 | 22-Mar-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix incorrect labels copy
We copied the entire parsed_labels struct, including the counter, to a field that was only big enough for the labels (so not the counter).
PR: 277875
MFC after: 1 week
470a2b33 | 18-Mar-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCSETSTATUSIF to netlink
While here also add a basic test case for it.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44368
Revision tags: release/13.3.0
706d465d | 26-Feb-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert kill/clear state to use netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44090
306d3fb2 | 01-Feb-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix incorrect array check
Reported by: Coverity Scan
CID: 1523771
Sponsored by: Rubicon Communications, LLC ("Netgate")
777a4702 | 12-Jan-2024 | Kristof Provost <kp@FreeBSD.org>
pf: implement addrule via netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
324fd7ec | 04-Jan-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: introduce a handle-enabled variant of pfctl_add_rule()
Introduce pfctl_add_rule_h(), which takes a pfctl_handle rather than a file descriptor (which it didn't use). This means that library users can open the handle while they're running as root, but later drop privileges and still add rules to pf.
Sponsored by: Rubicon Communications, LLC ("Netgate")
66cacc14 | 04-Jan-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: introduce pfctl_handle
Consumers of libpfctl can (and in future, should) open a handle. This handle is an opaque object which contains the /dev/pf file descriptor and a netlink handle. This means that libpfctl users can open the handle as root, then drop privileges and still access pf.
Already add the handle to pfctl_startstop() and pfctl_get_creatorids() as these are new in main, and not present on stable branches. Other calls will have handle-enabled alternatives implemented in subsequent commits.
Sponsored by: Rubicon Communications, LLC ("Netgate")
881bf881 | 21-Dec-2023 | Kristof Provost <kp@FreeBSD.org>
pf: export missing state information
We did not export all of the information pfctl expected to print via the new netlink code. This manifested as pfctl printing 'rtableid: 0', even when there is no rtable set.
While we're addressing that also export other missing fields such as dummynet, min_ttl, max_mss, ...
Sponsored by: Rubicon Communications, LLC ("Netgate")
99bcbef2 | 11-Dec-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: remove stray debug printf()
Sponsored by: Rubicon Communications, LLC ("Netgate")
44f323ec | 25-Nov-2023 | Kristof Provost <kp@FreeBSD.org>
pf: implement DIOCGETRULES via netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
498934c5 | 17-Nov-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: handle pfctl_do_ioctl() failures better
Ensure that we free nvlists and other allocations if pfctl_do_ioctl() fails.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
33d55d0d | 17-Nov-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: handle allocation failure
While it's unlikely for userspace to fail to allocate memory it is still possible. Handle malloc() returning NULL.
Reported by: Bill Meeks <bill@themeeks.net>
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Revision tags: release/14.0.0
a6173e94 | 06-Nov-2023 | Kristof Provost <kp@FreeBSD.org>
pf: expose more syncookie state information to userspace
Allow userspace to retrieve low and high water marks, as well as the current number of half open states.
MFC after: 1 week
Sponsored by: Modirum MDPay
497ccc21 | 06-Nov-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: handle the 'pfctl' netlink family not being supported
If we fail to find the pfctl family we should not attempt to make the call. That means that either pf is not loaded, or it's a very old (i.e. pre-netlink) version.
Reported by: manu
Sponsored by: Rubicon Communications, LLC ("Netgate")
2b1eb63f | 27-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: be more tolerant of kernel extensions
Allow the kernel to supply more array elements than expected, but cut off when we hit what we think the maximum is. This will improve forward compatibility (i.e. old userspace with newer kernel).
Reviewed by: zlei
MFC after: 1 week
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D42392
1c824f43 | 30-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: add missing pfctl_status_lcounter() function
We already had accessors for the other types of counters, but not this one.
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
4abc3b48 | 23-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix Coverity issues
- handle snl_finalize_msg() returning NULL
- insert the correct data into the states list
- add missing nvlist_destroy()
- incorrect order for array bounds
Coverity: 1522929, 1522925, 1522923, 1522921, 1522780, 1522770, 1522764, 1487785, 1471250
Reviewed by: emaste
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42330
2cffb525 | 23-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix pfctl_do_ioctl()
pfctl_do_ioctl() copies the packed request data into the request buffer and then frees it. However, it's possible for the buffer to be too small for the reply, causing us to allocate a new buffer. We then copied from the freed request, and freed it again.
Do not free the request buffer until we're all the way done.
PR: 274614
Reviewed by: emaste
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42329
4f337550 | 20-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: allow states to be killed by their pre-NAT address
If a connection is NAT-ed we could previously only terminate it by its ID or the post-NAT IP address. Allow users to specify they want to look for the state by its pre-NAT address. Usage: `pfctl -k nat -k <address>`.
See also: https://redmine.pfsense.org/issues/11556
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42312
044eef6a | 16-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: support basic filters for state listing
Allow users(pace) to specify a protocol, interface, address family and/or address and mask, allowing the state listing to be pre-filtered in the kernel.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42280