History log of /freebsd/lib/libpfctl/libpfctl.c (Results 76 – 100 of 114)
# 8c1400b0 04-Mar-2022 Kristof Provost <kp@FreeBSD.org>

libpfctl: factor out pfctl_get_rules_info()

Introduce pfctl_get_rules_info(), similar to pfctl_get_eth_rules_info()
to retrieve rules information (ticket and total number of rules).

Use the new function in pfctl.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34443


# f0c334e4 04-Mar-2022 Kristof Provost <kp@FreeBSD.org>

libpfctl: support flushing rules/nat/eth

Move the code to flush regular rules, nat rules and Ethernet rules into
libpfctl for easier re-use.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34442


# b590f17a 20-Jan-2022 Kristof Provost <kp@FreeBSD.org>

pf: support masking mac addresses

When filtering Ethernet packets allow rules to specify a mac address
with a mask. This indicates which bits of the specified address are
significant. This allows users to do things like filter based on device
manufacturer.

Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/12.3.0
# c5131afe 01-Oct-2021 Kristof Provost <kp@FreeBSD.org>

pf: add anchor support for ether rules

Support anchors in ether rules.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32482


# fb330f39 27-Sep-2021 Kristof Provost <kp@FreeBSD.org>

pf: support dummynet on L2 rules

Allow packets to be tagged with dummynet information. Note that we do
not apply dummynet shaping on the L2 traffic, but instead mark it for
dummynet processing in the L3 code. This is the same approach as we take
for ALTQ.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32222


Revision tags: release/13.0.0
# c696d5c7 17-Feb-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: Don't print (ether) to / from if they're not set

If we're not filtering on a specific MAC address don't print it at all,
rather than showing an all-zero address.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31749


# 2b29ceb8 04-Feb-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: Print Ethernet rules

Extend pfctl to be able to read configured Ethernet filtering rules from
the kernel and print them.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31738


# 6f47a72d 31-Jan-2022 Kristof Provost <kp@FreeBSD.org>

libpfctl: fix pfctl_kill_states()

735748f30a changed the output of the states so that the creator id
endianness would be consistent. This means that we need to convert the
host endianness creatorid back to big-endian before we give it to the
kernel.

MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 735748f3 21-Jan-2022 Kristof Provost <kp@FreeBSD.org>

libpfctl: fix creatorid endianness

We provide the hostid (which is the state creatorid) to the kernel as a
big endian number (see pfctl/pfctl.c pfctl_set_hostid()), so convert it
back to system endianness when we get it from the kernel.

This avoids a confusing mismatch between the value the user configures
and the value displayed in the state.

MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33989


# 2de49dee 08-Nov-2021 Kristof Provost <kp@FreeBSD.org>

pf tests: Test PR259689

We didn't populate dyncnt/tblcnt, so `pfctl -sr -vv` might not have the
table element count.

PR: 259689
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32893


# 218a8a49 08-Nov-2021 Kristof Provost <kp@FreeBSD.org>

pf: ensure we populate dyncnt/tblcnt in struct pf_addr_wrap

PR: 259689
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32892


# 7bb3c927 05-Nov-2021 Kristof Provost <kp@FreeBSD.org>

libpfctl: be consistent with u_int vs. uint

Always use uint64_t over u_int64_t, for the sake of consistency.

No functional change.

MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 76c5eecc 29-Oct-2021 Kristof Provost <kp@FreeBSD.org>

pf: Introduce ridentifier

Allow users to set a number on rules which will be exposed as part of
the pflog header.
The intent behind this is to allow users to correlate rules across
updates (remember that pf rules continue to exist and match existing
states, even if they're removed from the active ruleset) and pflog.

Obtained from: pfSense
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32750


# 5062afff 13-Aug-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: userspace adaptive syncookies configuration

Hook up the userspace bits to configure syncookies in adaptive mode.

MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D32136


# 63b3c1c7 15-May-2021 Kristof Provost <kp@FreeBSD.org>

pf: support dummynet

Allow pf to use dummynet pipes and queues.

We re-use the currently unused IPFW_IS_DUMMYNET flag to allow dummynet
to tell us that a packet is being re-injected after being delayed. This
is needed to avoid endlessly looping the packet between pf and dummynet.

MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31904


# 46fb68b1 26-Aug-2021 Kristof Provost <kp@FreeBSD.org>

libpfctl: Implement DIOCGETSTATUS wrappers

MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31696


# b0ccc2e2 22-Aug-2021 Kristof Provost <kp@FreeBSD.org>

libpfctl: fix double free

Reviewed by: donner
MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31695


# 719b5397 20-Aug-2021 Kristof Provost <kp@FreeBSD.org>

libpfctl: Fix endianness issues

Several fields are supplied in big-endian format, so we need to convert
them before we display them.

MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")


# c69121c4 26-May-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: syncookie configuration

pfctl and libpfctl code required to enable/disable the syncookie
feature.

MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31140


# be70c7a5 06-Jul-2021 Kristof Provost <kp@FreeBSD.org>

libpfctl: migrate to DIOCGETSTATESV2

Stop using the *NV version to retrieve states, as its performance is
unacceptably bad.

For 1,000,000 states the nvlist version needed ~100 seconds to retrieve
the states, the new version needs ~3 seconds.

Reviewed by: mjg
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31098


# 0e9f1892 30-Jun-2021 Kristof Provost <kp@FreeBSD.org>

libpfctl: memory leak fix

We must remember to free the nvlist we create from the kernel's response
to DIOCGETSTATESNV, on every iteration.

Reviewed by: donner
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30957


# 34285eef 29-Jun-2021 Kristof Provost <kp@FreeBSD.org>

pf: Reduce the data returned in DIOCGETSTATESNV

This call is particularly slow due to the large amount of data it
returns. Remove all fields pfctl does not use. There is no functional
impact to pfctl, but it somewhat speeds up the call.

It might affect other (i.e. non-FreeBSD) code that uses the new
interface, but this call is very new, so there's unlikely to be any. No
releases contained the previous version, so we choose to live with the
ABI modification.

Reviewed by: donner
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30944


# 27c77f42 27-May-2021 Kristof Provost <kp@FreeBSD.org>

libpfctl: Improve error handling in pfctl_get_states()

Ensure that we always free nvlists and other allocated memory.

Reviewed by: scottl
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30493


# 6dbb729d 27-May-2021 Kristof Provost <kp@FreeBSD.org>

libpfctl: fix memory leak

When we create an nvlist and insert it into another nvlist we must
remember to destroy it. The nvlist_add_nvlist() function makes a copy,
just like nvlist_add_string() makes a copy of the string.

See also 4483fb47735c29408c72045469c9c4b3e549668b

Reviewed by: scottl
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30492


# d0fdf2b2 12-May-2021 Kristof Provost <kp@FreeBSD.org>

pf: Track the original kif for floating states

Track (and display) the interface that created a state, even if it's a
floating state (and thus uses virtual interface 'all').

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30245
