#
ffbf2595 |
| 14-Oct-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert rule addition to netlink
The nvlist-based version will be removed in FreeBSD 16.
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D42279
|
#
4f8f43b0 |
| 16-Oct-2023 |
Kristof Provost <kp@FreeBSD.org> |
netlink: cope with growing requests
If a request ends up growing beyond the initially allocated space the netlink functions (such as snl_add_msg_attr_u32()) will allocate a new buffer. This invalidates the header pointer we may have received from snl_create_msg_request(). Always use the hdr returned by snl_finalize_msg().
Reviewed by: melifaro MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D42223
|
#
81647eb6 |
| 10-Oct-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf: implement start/stop calls via netlink
Implement equivalents to DIOCSTART and DIOCSTOP in netlink. Provide a libpfctl implementation and add a basic test case, mostly to verify that we still return the same errors as before the conversion.
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D42145
|
#
a7191e5d |
| 04-Oct-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf: add a way to list creator ids
Allow userspace to retrieve a list of distinct creator ids for the current states.
This is used by pfSense, and used to require dumping all states to userspace. It's rather inefficient to export a (potentially extremely large) state table to obtain a handful (typically 2) of 32-bit integers.
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D42092
|
#
f218b851 |
| 02-Oct-2023 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: introduce state iterator
Allow consumers to start processing states as the kernel supplies them, rather than having to build a full list and only then start processing. Especially for very large state tables this can significantly reduce memory use.
Without this change when retrieving 1M states time -l reports:
        real 3.55  user 1.95  sys 1.05
      318832  maximum resident set size
         194  average shared memory size
          15  average unshared data size
         127  average unshared stack size
       79041  page reclaims
           0  page faults
           0  swaps
           0  block input operations
           0  block output operations
       15096  messages sent
      250001  messages received
           0  signals received
          22  voluntary context switches
          34  involuntary context switches
With it it reported:
        real 3.32  user 1.88  sys 0.86
        3220  maximum resident set size
         195  average shared memory size
          11  average unshared data size
         128  average unshared stack size
         260  page reclaims
           0  page faults
           0  swaps
           0  block input operations
           0  block output operations
       15096  messages sent
      250001  messages received
           0  signals received
          21  voluntary context switches
          31  involuntary context switches
Reviewed by: mjg Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D42091
|
#
2cef6288 |
| 15-Sep-2023 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
pf: convert state retrieval to netlink
Use netlink to export pf's state table.
The primary motivation is to improve how we deal with very large state tables. With the previous implementation we had to build the entire list (both in the kernel and in userspace) before we could start processing. With netlink we start to get data in userspace while the kernel is still generating more. This reduces peak memory consumption (which can get to the GB range once we hit millions of states).
Netlink also makes future extension easier, in that we can easily add fields to the state export without breaking userspace. In that regard it's similar to an nvlist-based approach, except that it also deals with transport to userspace and that it performs significantly better than nvlists. Testing has failed to measure a performance difference between the previous struct-copy based ioctl and the netlink approach.
Differential Revision: https://reviews.freebsd.org/D38888
|
#
e3d3d61a |
| 29-Aug-2023 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: implement status counter accessor functions
The new nvlist-based status call allows us to easily add new counters. However, the libpfctl interface defines a TAILQ, so it's not quite trivial to find the counter consumers are interested in.
Provide convenience functions to access the counters.
MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D41649
|
#
0b01878f |
| 29-Aug-2023 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: allow pfctl_free_status(NULL)
Mimic free() and friends, and allow free()ing of NULL.
MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D41648
|
#
b3e76948 |
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: two-line .h pattern
Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
|
#
6422599e |
| 26-Jul-2023 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: ensure the initial allocation is large enough
Ensure that we allocate enough memory for the packed nvlist, no matter what size hint was provided.
MFC after: 1 week Reported by: R. Christian McDonald <rcm@rcm.sh> Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
c45d6b0e |
| 29-May-2023 |
Kajetan Staszkiewicz <vegeta@tuxpowered.net> |
pfctl: Add missing state parameters in DIOCGETSTATESV2
Reviewed by: kp Sponsored by: InnoGames GmbH Differential Revision: https://reviews.freebsd.org/D40259
|
#
ef661d4a |
| 24-Apr-2023 |
Christian McDonald <cmcdonald@netgate.com> |
pf: introduce ridentifier and labels to ether rules
Make Ethernet rules more similar to the usual layer 3 rules by also allowing ridentifier and labels to be set on them.
Reviewed by: kp Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
39282ef3 |
| 13-Apr-2023 |
Kajetan Staszkiewicz <vegeta@tuxpowered.net> |
pf: backport OpenBSD syntax of "scrub" option for "match" and "pass" rules
Introduce the OpenBSD syntax of "scrub" option for "match" and "pass" rules and the "set reassemble" flag. The patch is backward-compatible; pf.conf can still be written in FreeBSD style.
Obtained from: OpenBSD MFC after: never Sponsored by: InnoGames GmbH Differential Revision: https://reviews.freebsd.org/D38025
|
Revision tags: release/13.2.0 |
|
#
48c519be |
| 22-Mar-2023 |
John Baldwin <jhb@FreeBSD.org> |
libpfctl: Don't pass stack garbage to free.
GCC 9 on stable/12 reports a -Wmaybe-uninitialized error for the call to free in _pfctl_clear_states.
Reviewed by: mjg Differential Revision: https://reviews.freebsd.org/D39198
|
Revision tags: release/12.4.0 |
|
#
8a8af942 |
| 22-Sep-2022 |
Kristof Provost <kp@FreeBSD.org> |
pf: bridge-to
Allow pf (l2) to be used to redirect ethernet packets to a different interface.
The intended use case is to send 802.1x challenges out to a side interface, to enable AT&T links to function with pfSense as a gateway, rather than the AT&T provided hardware.
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D37193
|
#
444a77ca |
| 24-Sep-2022 |
Kristof Provost <kp@FreeBSD.org> |
pf: expose syncookie active/inactive status
When syncookies are in adaptive mode they may be active or inactive. Expose this status to users.
Suggested by: Guido van Rooij Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
6049ee60 |
| 08-Sep-2022 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: improve syncookie watermark calculation
Ensure that we always pass sane limits for the high and low watermark values. This is especially important if users do something silly, like set the state limit to 1. In that case we wound up calculating 0/0 as a limit, which gets rejected by the kernel.
While here also shift the calculation to use uint64_t, so we don't end up with overflows (and subsequently higher low than high values) with very large state limits.
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D36497
|
#
1f61367f |
| 31-May-2022 |
Kristof Provost <kp@FreeBSD.org> |
pf: support matching on tags for Ethernet rules
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D35362
|
Revision tags: release/13.1.0 |
|
#
0abcc1d2 |
| 22-Apr-2022 |
Reid Linnemann <rlinnemann@netgate.com> |
pf: Add per-rule timestamps for rule and eth_rule
Similar to ipfw rule timestamps, these timestamps internally are uint32_t snaps of the system time in seconds. The timestamp is CPU local and updated each time a rule or a state associated with a rule or state is matched.
Reviewed by: kp Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D34970
|
#
7ed19f5c |
| 14-Apr-2022 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: grow request buffer on ENOSPC
When we issue a request to pf and expect a serialised nvlist as a reply we have to supply a suitable buffer to the kernel. The required size for this buffer is difficult to predict, and may be (slightly) different from request to request. If it's insufficient the kernel will return ENOSPC. Teach libpfctl to catch this and send the request again with a larger buffer.
MFC after: 2 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D34908
|
#
4823489a |
| 04-Apr-2022 |
Reid Linnemann <rlinnemann@netgate.com> |
libpfctl: relocate implementations of pfr_add/get/set_addrs
Reviewed by: kp MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D34740
|
#
c4a08ef2 |
| 01-Apr-2022 |
Mateusz Guzik <mjg@FreeBSD.org> |
pf: handle duplicate rules gracefully
Reviewed by: kp Reported by: dch PR: 262971 Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
514039bb |
| 29-Mar-2022 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: Return errno from pfctl_add_eth_rule()
If the pfctl_add_eth_rule() ioctl fails return the errno, not the error returned by ioctl(). That will give us slightly more insight into what went wrong, because ioctl() would always return -1.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
9bb06778 |
| 29-Mar-2022 |
Kristof Provost <kp@FreeBSD.org> |
pf: support listing ethernet anchors
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
8a42005d |
| 08-Mar-2022 |
Kristof Provost <kp@FreeBSD.org> |
pf: support basic L3 filtering in the Ethernet rules
Allow filtering based on the source or destination IP/IPv6 address in the Ethernet layer rules.
Reviewed by: pauamma_gundo.com (man), debdrup (man) Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D34482
|