#
8c1400b0 |
| 04-Mar-2022 |
Kristof Provost <kp@FreeBSD.org> |
libpfct: factor out pfctl_get_rules_info()
Introduce pfctl_get_rules_info(), similar to pfctl_get_eth_rules_info() to retrieve rules information (ticket and total number of rules).
Use the new function in pfctl.
MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D34443
|
#
f0c334e4 |
| 04-Mar-2022 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: support flushing rules/nat/eth
Move the code to flush regular rules, nat rules and Ethernet rules into libpfctl for easier re-use.
MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D34442
|
#
b590f17a |
| 20-Jan-2022 |
Kristof Provost <kp@FreeBSD.org> |
pf: support masking mac addresses
When filtering Ethernet packets allow rules to specify a mac address with a mask. This indicates which bits of the specified address are significant. This allows users to do things like filter based on device manufacturer.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
Revision tags: release/12.3.0 |
|
#
c5131afe |
| 01-Oct-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: add anchor support for ether rules
Support anchors in ether rules.
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D32482
|
#
fb330f39 |
| 27-Sep-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: support dummynet on L2 rules
Allow packets to be tagged with dummynet information. Note that we do not apply dummynet shaping on the L2 traffic, but instead mark it for dummynet processing in the L3 code. This is the same approach as we take for ALTQ.
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D32222
|
Revision tags: release/13.0.0 |
|
#
c696d5c7 |
| 17-Feb-2021 |
Kristof Provost <kp@FreeBSD.org> |
pfctl: Don't print (ether) to / from if they're not set
If we're not filtering on a specific MAC address don't print it at all, rather than showing an all-zero address.
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D31749
|
#
2b29ceb8 |
| 04-Feb-2021 |
Kristof Provost <kp@FreeBSD.org> |
pfctl: Print Ethernet rules
Extend pfctl to be able to read configured Ethernet filtering rules from the kernel and print them.
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D31738
|
#
6f47a72d |
| 31-Jan-2022 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: fix pfctl_kill_states()
735748f30a changed the output of the states so that the creator id endianness would be consistent. This means that we need to convert the host endianness creatorid back to big-endian before we give it to the kernel.
MFC after: 3 weeks Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
735748f3 |
| 21-Jan-2022 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: fix creatorid endianness
We provide the hostid (which is the state creatorid) to the kernel as a big endian number (see pfctl/pfctl.c pfctl_set_hostid()), so convert it back to system endianness when we get it from the kernel.
This avoids a confusing mismatch between the value the user configures and the value displayed in the state.
MFC after: 3 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D33989
|
#
2de49dee |
| 08-Nov-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: Test PR259689
We didn't populate dyncnt/tblcnt, so `pfctl -sr -vv` might not have the table element count.
PR: 259689 MFC after: 3 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D32893
|
#
218a8a49 |
| 08-Nov-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: ensure we populate dyncnt/tblcnt in struct pf_addr_wrap
PR: 259689 MFC after: 3 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D32892
|
#
7bb3c927 |
| 05-Nov-2021 |
Kristof Provost <kp@FreeBSD.org> |
libpfct: be consistent with u_int vs. uint
Always use uint64_t over u_int64_t, for the sake of consistency.
No functional change.
MFC after: 3 weeks Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
76c5eecc |
| 29-Oct-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: Introduce ridentifier
Allow users to set a number on rules which will be exposed as part of the pflog header. The intent behind this is to allow users to correlate rules across updates (remember that pf rules continue to exist and match existing states, even if they're removed from the active ruleset) and pflog.
Obtained from: pfSense MFC after: 3 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D32750
|
#
5062afff |
| 13-Aug-2021 |
Kristof Provost <kp@FreeBSD.org> |
pfctl: userspace adaptive syncookies configuration
Hook up the userspace bits to configure syncookies in adaptive mode.
MFC after: 1 week Sponsored by: Modirum MDPay Differential Revision: https://reviews.freebsd.org/D32136
|
#
63b3c1c7 |
| 15-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: support dummynet
Allow pf to use dummynet pipes and queues.
We re-use the currently unused IPFW_IS_DUMMYNET flag to allow dummynet to tell us that a packet is being re-injected after being delayed. This is needed to avoid endlessly looping the packet between pf and dummynet.
MFC after: 2 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D31904
|
#
46fb68b1 |
| 26-Aug-2021 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: Implement DIOCGETSTATUS wrappers
MFC after: 1 week Sponsored by: Modirum MDPay Differential Revision: https://reviews.freebsd.org/D31696
|
#
b0ccc2e2 |
| 22-Aug-2021 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: fix double free
Reviewed by: donner MFC after: 1 week Sponsored by: Modirum MDPay Differential Revision: https://reviews.freebsd.org/D31695
|
#
719b5397 |
| 20-Aug-2021 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: Fix endianness issues
Several fields are supplied in big-endian format, so we need to convert them before we display them.
MFC after: 3 days Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
c69121c4 |
| 26-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
pfctl: syncookie configuration
pfctl and libpfctl code required to enable/disable the syncookie feature.
MFC after: 1 week Sponsored by: Modirum MDPay Differential Revision: https://reviews.freebsd.org/D31140
|
#
be70c7a5 |
| 06-Jul-2021 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: migrate to DIOCGETSTATESV2
Stop using the *NV version to retrieve states, as its performance is unacceptably bad.
For 1,000,000 states the nvlist version needed ~100 seconds to retrieve the states, the new version needs ~3 seconds.
Reviewed by: mjg MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D31098
|
#
0e9f1892 |
| 30-Jun-2021 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: memory leak fix
We must remember to free the nvlist we create from the kernel's response to DIOCGETSTATESNV, on every iteration.
Reviewed by: donner MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D30957
|
#
34285eef |
| 29-Jun-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: Reduce the data returned in DIOCGETSTATESNV
This call is particularly slow due to the large amount of data it returns. Remove all fields pfctl does not use. There is no functional impact to pfctl, but it somewhat speeds up the call.
It might affect other (i.e. non-FreeBSD) code that uses the new interface, but this call is very new, so there's unlikely to be any. No releases contained the previous version, so we choose to live with the ABI modification.
Reviewed by: donner MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D30944
|
#
27c77f42 |
| 27-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: Improve error handling in pfctl_get_states()
Ensure that we always free nvlists and other allocated memory.
Reviewed by: scottl MFC after: 3 days Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D30493
|
#
6dbb729d |
| 27-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: fix memory leak
When we create an nvlist and insert it into another nvlist we must remember to destroy it. The nvlist_add_nvlist() function makes a copy, just like nvlist_add_string() makes a copy of the string.
See also 4483fb47735c29408c72045469c9c4b3e549668b
Reviewed by: scottl MFC after: 3 days Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D30492
|
#
d0fdf2b2 |
| 12-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: Track the original kif for floating states
Track (and display) the interface that created a state, even if it's a floating state (and thus uses virtual interface 'all').
MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D30245
|