7a372bde | 22-Jan-2025 | Kristof Provost <kp@FreeBSD.org>
pf: make reply-to work with nat64
Just like route-to reply-to is problematic when used in combination with nat64.
In the normal (i.e. without nat64) flow we return immediately from pf_route(). However, with nat64 we need to continue and do a route lookup. In that case we should not make the extra pf_test(PF_OUT) call to remain similar to the non-nat64 flow.
We also have to fix the interface binding. We can only bind to the interface after we've done the route lookup, not before.
Add a functional test case, and a test for pfctl's rule printing.
Sponsored by: Rubicon Communications, LLC ("Netgate")

ca0e6934 | 13-Jan-2025 | Kristof Provost <kp@FreeBSD.org>
pf: cope with route-to on af-to rules
af-to uses pf_route() and pf_route6(), which caused issues when af-to and route-to were combined in a single rule. Extend the relevant functions to cope with this and add test cases.
Sponsored by: Rubicon Communications, LLC ("Netgate")

0972294e | 20-Jan-2025 | Kristof Provost <kp@FreeBSD.org>
pf: add a dedicated pf pool for route options
As suggested by henning. Which unbreaks ie route-to after the recent pf changes.
With much help debugging and pointing out of missing bits from claudio@
ok claudio@ "looks good" henning@
Obtained from: OpenBSD, jsg <jsg@openbsd.org>, 7fa5c09028
Sponsored by: Rubicon Communications, LLC ("Netgate")

899e7976 | 23-Jan-2025 | Kristof Provost <kp@FreeBSD.org>
pfctl: allow an implicit address family for af-to rules
If the address family can be determined by the "from" or "to" parameter in the matching part, it is no longer necessary to specify "inet" or "inet6" there.
OK henning@ mikeb@
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, ff33038bc1
Sponsored by: Rubicon Communications, LLC ("Netgate")

5cb08fdd | 20-Jan-2025 | Kristof Provost <kp@FreeBSD.org>
pfctl: improve NAT pool handling
Ensure we always free the NAT pool (as well as the rdr pool) and actually handle it in the optimiser.
Sponsored by: Rubicon Communications, LLC ("Netgate")

096efeb6 | 20-Jan-2025 | Kristof Provost <kp@FreeBSD.org>
pfctl: follow rpool -> rdr rename
In e11dacbf8484adc7bbb61b20fee3ab8385745925 the redirect pool was renamed from rpool to rdr. It included backwards compatibility support for libpfctl users, but didn't fully implement the rename in our own code.
Do so now. No functional change.
Sponsored by: Rubicon Communications, LLC ("Netgate")

e4f2733d | 09-Jan-2025 | Kristof Provost <kp@FreeBSD.org>
pf: add 'allow-related' to always allow SCTP multihome extra connections
Allow users to choose to allow permitted SCTP connections to set up additional multihomed connections regardless of the ruleset. That is, allow an already established connection to set up flows that would otherwise be disallowed.
In case of if-bound connections we initially set the extra associations to be floating, because we don't know what path they'll be taking when they're created. Once we see the first traffic we can bind them.
MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D48453

0d68985b | 07-Jan-2025 | Kristof Provost <kp@FreeBSD.org>
pfctl: unbreak rule optimizer
ok henning, looks
Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, 4a16887b1b
Sponsored by: Rubicon Communications, LLC ("Netgate")

f88019e8 | 07-Jan-2025 | Kristof Provost <kp@FreeBSD.org>
pf: fixup af-to regression with match rules
pfctl should not infer the af-to behavior from the af/naf difference. instead, we should be clear that this is an af-to rule. essentially this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so that we don't rely on ambiguous checks (like r->af != r->naf) when setting things up.
positive review and comments from claudio, ok henning, sperreault
Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, fc302162c0
Sponsored by: Rubicon Communications, LLC ("Netgate")

4aafc73d | 07-Jan-2025 | Kristof Provost <kp@FreeBSD.org>
pfctl: pfctl_set_hostid always returns 0
Don't pretend otherwise and make it a void function instead.
ok dlg
Obtained from: OpenBSD, mcbride <mcbride@openbsd.org>, 9ac6101ff7
Sponsored by: Rubicon Communications, LLC ("Netgate")

e0dcc51d | 10-Dec-2024 | Kristof Provost <kp@FreeBSD.org>
pfctl: do not allow af-to tables without round-robin
Tables can only be used as a redirspec (i.e. in pf_map_addr()) in round-robin mode. Enforce this for af-to tables as well.
Add a test case to verify.
Sponsored by: Rubicon Communications, LLC ("Netgate")

Revision tags: release/14.2.0

aa69fdf1 | 10-Oct-2024 | Kristof Provost <kp@FreeBSD.org>
pfctl: change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@
Obtained from: OpenBSD, claudio <claudio@openbsd.org>, 0cde32ce3f
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47790

6562157d | 02-Oct-2024 | Kristof Provost <kp@FreeBSD.org>
pfctl: avoid possible SIGSEGV when wrong tos option
Obtained from: OpenBSD, haesbaert <haesbaert@openbsd.org>, 934eaac797
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46933

288bec2b | 13-Sep-2024 | Kristof Provost <kp@FreeBSD.org>
pf: fold pf_test_fragment() into pf_test_rule()
Reduces code and fixes a bunch of bugs with fragment handling not being in sync with the rest of the ruleset.
Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing
ok bluhm; various previous versions ok henning, claudio, mpf, markus
Note that while this changes the order of src addr/src port/dst addr/dst port skips this doesn't actually affect the kernel/userspace ABI. The kernel always recalculates skip steps. As a result we have to fix one of the pfctl parser tests. Note that this is an order change that does not affect what packets are accepted or dropped.
Obtained from: OpenBSD, mcbride <mcbride@openbsd.org>, 04c69899a7
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46705

Revision tags: release/13.4.0

f3ab00c2 | 03-Sep-2024 | Kristof Provost <kp@FreeBSD.org>
pf: add a new log opt PF_LOG_MATCHES
forces logging on all subsequent matching rules
new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo
assumed oks ryan & dlg
bikeshedding many
Obtained from: OpenBSD, henning <henning@openbsd.org>, 1603e01ae4
Obtained from: OpenBSD, henning <henning@openbsd.org>, f496e91672
Obtained from: OpenBSD, henning <henning@openbsd.org>, 07481a9fee
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46588

80eb861d | 29-Aug-2024 | Kristof Provost <kp@FreeBSD.org>
pfctl: lex <=, >=, and != into a single token
lex <=, >=, and != into a single token for correctness and to reduce the lookahead in the parser
ok henning otto
Reviewed by: zlei
Obtained from: OpenBSD, deraadt <deraadt@openbsd.org>, e6e3ecf338
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46582

637d81c5 | 29-Aug-2024 | Kristof Provost <kp@FreeBSD.org>
pfctl: fix incorrect optimization
In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 }) should be folded in the parser to any, not to 10.0.0.1. How long this bug has been with us is unclear.
ok guenther mcbride
Obtained from: OpenBSD, deraadt <deraadt@openbsd.org>, e3b4bc25a0
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46580

2339ead6 | 29-Aug-2024 | Kristof Provost <kp@FreeBSD.org>
pf: allow filtering on the receive interface
add support to pf for filtering a packet by the interface it was received on. use the received-on IFNAME filter option on a pf.conf rule to restrict which packet the interface had to be received on. eg:
pass out on em0 from $foo to $bar received-on fxp0
ive been running this in production for a week now. i find it particularly useful with interface groups.
no objections, and a few "i like"s from henning, claudio, deraadt, mpf
Obtained from: OpenBSD, dlg <dlg@openbsd.org>, 95b4320893
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46577

390dc369 | 06-Sep-2024 | Tom Jones <thj@FreeBSD.org>
pf: Add support for endpoint independent NAT bindings for UDP
With Endpoint Independent NAT bindings for UDP flows from a NATed source address are always mapped to the same ip:port pair on the NAT router. This allows a client to connect to multiple external servers while appearing as the same host and enables NAT traversal without requiring the client to use a middlebox traversal protocol such as STUN or TURN.
Introduce the 'endpoint-independent' option to NAT rules to allow configuration of endpoint independent without affecting existing deployments.
This change satisfies REQ 1 and 3 of RFC 4787 also known as 'full cone' NAT.
Using Endpoint Independent NAT changes NAT exhaustion behaviour; it does not introduce any additional security considerations compared to other forms of NAT.
PR: 219803
Co-authored-by: Damjan Jovanovic <damjan.jov@gmail.com>
Co-authored-by: Naman Sood <mail@nsood.in>
Reviewed-by: kp
Sponsored-by: Tailscale
Sponsored-by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D11137

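The rule syntaxes quoted in the commit messages above (af-to for NAT46/NAT64, the log(matches) option, received-on, and the endpoint-independent NAT option) gathered into one constructed pf.conf fragment. This is an added example, not taken from any of the commits or from the FreeBSD tree; the interface names and addresses are assumptions (documentation prefixes), the choice of the well-known 64:ff9b::/96 NAT64 prefix is mine, and the placement of endpoint-independent after the redirection target is an assumption about the option's grammar.

```pf
# Constructed example, not from the commits. Interface names and
# addresses are assumptions; the prefixes are documentation ranges.
ext_if  = "em0"
int_if  = "fxp0"
testbox = "192.0.2.10"

# Translation section (FreeBSD pf evaluates nat rules before filter
# rules). UDP flows from the inside keep one external ip:port mapping
# no matter which server they talk to (RFC 4787 "full cone"), so a
# client reached through this mapping looks like the same host to every
# peer. Assumption: the option is written after the redirection target.
nat on $ext_if inet proto udp from $int_if:network to any \
	-> ($ext_if) endpoint-independent

# Debug aid: log every subsequent rule that matches traffic from
# $testbox, so the effective rule path for that host shows up in pflog.
match log(matches) from $testbox

# NAT46: IPv4 clients reaching 192.168.1.1 are translated to IPv6
# (the rule shape quoted in the af-to commit message).
pass in on $int_if inet from any to 192.168.1.1 \
	af-to inet6 from 2001:db8::1 to 2001:db8::2

# NAT64: the "to" part is omitted; the IPv4 destination is taken from
# the IPv6 destination address, as the af-to commit message describes.
# Assumption: the well-known 64:ff9b::/96 prefix is used by clients.
pass in on $int_if inet6 from any to 64:ff9b::/96 \
	af-to inet from 192.0.2.1

# Only forward traffic out of $ext_if that actually arrived on $int_if;
# received-on ties the outbound rule to the ingress interface.
pass out on $ext_if from $int_if:network to any received-on $int_if
```

A fragment like this is checked without loading it with pfctl -nvf (parse only, verbose), which also prints the rules as pfctl understands them; the rule-printing test added with the reply-to commit exercises that same output path.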
788f194f | 16-Aug-2024 | Kajetan Staszkiewicz <vegeta@tuxpowered.net>
pf: 'sticky-address' requires 'keep state'
When route_to() processes a packet without state, pf_map_addr() is called for each packet. Pf_map_addr() will search for a source node and will find none since those are created only in pf_create_state(). Thus sticky address, even though requested in rule definition, will never work.
Raise an error when a stateless filter rule uses sticky address to avoid confusion and to keep ruleset limitations in sync with what the pf code really does.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46310

d9ab8999 | 07-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pf: migrate DIOCGETLIMIT/DIOCSETLIMIT to netlink
Event: Kitchener-Waterloo Hackathon 202406

30bad751 | 05-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCGETTIMEOUT/DIOCSETTIMEOUT to netlink

dc3ee89c | 05-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pfctl: fix possible out-of-bounds read
Tags in $10 (filter_opts) are not guaranteed to be the maximum possible tag length, so memcpy() can end up reading outside of the allocated buffer.
Use strlcpy() instead.
Reported by: CheriBSD
Event: Kitchener-Waterloo Hackathon 202406

c36c90a2 | 01-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCSETDEBUG to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")

Revision tags: release/14.1.0, release/13.3.0

fc6e5069 | 13-Dec-2023 | Kristof Provost <kp@FreeBSD.org>
pflow: add RFC8158 NAT support
Extend pflow(4) to send NAT44 Session Create and Delete events. This applies only to IPFIX (i.e. proto version 10), and requires no user configuration.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D43114