788f194f | 16-Aug-2024 | Kajetan Staszkiewicz <vegeta@tuxpowered.net>
pf: 'sticky-address' requires 'keep state'

When route_to() processes a packet without state, pf_map_addr() is called for each packet. pf_map_addr() will search for a source node and will find none since those are created only in pf_create_state(). Thus sticky address, even though requested in rule definition, will never work.

Raise an error when a stateless filter rule uses sticky address to avoid confusion and to keep ruleset limitations in sync with what the pf code really does.

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46310

d9ab8999 | 07-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pf: migrate DIOCGETLIMIT/DIOCSETLIMIT to netlink

Event: Kitchener-Waterloo Hackathon 202406

30bad751 | 05-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCGETTIMEOUT/DIOCSETTIMEOUT to netlink

dc3ee89c | 05-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pfctl: fix possible out-of-bounds read

Tags in $10 (filter_opts) are not guaranteed to be the maximum possible tag length, so memcpy() can end up reading outside of the allocated buffer.

Use strlcpy() instead.

Reported by: CheriBSD
Event: Kitchener-Waterloo Hackathon 202406

c36c90a2 | 01-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCSETDEBUG to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

Revision tags: release/14.1.0, release/13.3.0

fc6e5069 | 13-Dec-2023 | Kristof Provost <kp@FreeBSD.org>
pflow: add RFC8158 NAT support

Extend pflow(4) to send NAT44 Session Create and Delete events. This applies only to IPFIX (i.e. proto version 10), and requires no user configuration.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D43114

baf9b6d0 | 01-Dec-2023 | Kristof Provost <kp@FreeBSD.org>
pf: allow pflow to be activated per rule

Only generate ipfix/netflow reports (through pflow) for the rules where this is enabled. Reports can also be enabled globally through 'set state-default pflow'.

Obtained from: OpenBSD
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D43108

Revision tags: release/14.0.0

7ce98cf2 | 06-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pfctl: fix incorrect mask on dynamic address

A PF rule using an IPv4 address followed by an IPv6 address and then a dynamic address, e.g. "pass from {192.0.2.1 2001:db8::1} to (pppoe0)", will have an incorrect /32 mask applied to the dynamic address.

MFC after: 3 weeks
Obtained from: OpenBSD
See also: https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/007_pfctl.patch.sig
Sponsored by: Rubicon Communications, LLC ("Netgate")
Event: Oslo Hackathon at Modirum

1d386b48 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>
Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

0bd4a683 | 26-Apr-2023 | Kristof Provost <kp@FreeBSD.org>
pfctl: SCTP can have port numbers

MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D40861

9ec48bc3 | 25-Apr-2023 | Kristof Provost <kp@FreeBSD.org>
pfctl: match expand_label_addr() prototype to definition

Sponsored by: Rubicon Communications, LLC ("Netgate")

ef661d4a | 24-Apr-2023 | Christian McDonald <cmcdonald@netgate.com>
pf: introduce ridentifier and labels to ether rules

Make Ethernet rules more similar to the usual layer 3 rules by also allowing ridentifier and labels to be set on them.

Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")

39282ef3 | 13-Apr-2023 | Kajetan Staszkiewicz <vegeta@tuxpowered.net>
pf: backport OpenBSD syntax of "scrub" option for "match" and "pass" rules

Introduce the OpenBSD syntax of "scrub" option for "match" and "pass" rules and the "set reassemble" flag. The patch is backward-compatible; pf.conf can still be written in FreeBSD style.

Obtained from: OpenBSD
MFC after: never
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D38025

Revision tags: release/13.2.0, release/12.4.0

88e858e5 | 22-Nov-2022 | Kristof Provost <kp@FreeBSD.org>
pf: drop support for fragment crop|drop-ovl

We removed the code for these modes back in 2015, but converted such configurations to 'scrub fragment reassemble'. It's been long enough, drop the backwards compatibility glue too.

Reviewed by: mjg
MFC after: never
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D37460

57e047e5 | 22-Nov-2022 | Kristof Provost <kp@FreeBSD.org>
pf: allow scrub rules without fragment reassemble

scrub rules have defaulted to handling fragments for a long time, but since we removed "fragment crop" and "fragment drop-ovl" in 64b3b4d611 this has become less obvious and more expensive ("reassemble" being the more expensive option, even if it's the one the vast majority of users should be using).

Extend the 'scrub' syntax to allow fragment reassembly to be disabled, while retaining the other scrub behaviour (e.g. TTL changes, random-id, ..) using 'scrub fragment no reassemble'.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D37459

8a8af942 | 22-Sep-2022 | Kristof Provost <kp@FreeBSD.org>
pf: bridge-to

Allow pf (l2) to be used to redirect ethernet packets to a different interface.

The intended use case is to send 802.1x challenges out to a side interface, to enable AT&T links to function with pfSense as a gateway, rather than the AT&T provided hardware.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D37193

cfa1a130 | 01-Sep-2022 | Kristof Provost <kp@FreeBSD.org>
pfctl: fix recursive printing of ethernet anchors

Similar to the preceding fix for layer three rules, ensure that we recursively list wildcard anchors for ethernet rules.

MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D36417

585a5ed0 | 01-Sep-2022 | Kristof Provost <kp@FreeBSD.org>
pfctl: fix recursive printing of anchors

Fix a couple of problems with printing of anchors, in particular recursive printing, both of inline anchors and when requested explicitly with a '*' in the anchor.

- Correct recursive printing of wildcard anchors (recurse into child anchors rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for inline anchors.

tested by phessler ok henning

Also fix the relevant pfctl test case to reflect the new (and now correct) behaviour.

MFC after: 3 weeks
Obtained from: OpenBSD (mcbride, f9a568a27c740528301ca3419316c85a9fc7f1de)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D36416

1e73fbd8 | 06-Aug-2022 | Franco Fichtner <franco@opnsense.org>
pfctl: fix FOM_ICMP/POM_STICKYADDRESS clash

    pass inet proto icmp icmp-type {unreach}
    pass route-to (if0 127.0.0.1/8) sticky-address inet

The wrong struct was being tested. The parser tries to prevent "sticky-address sticky-address" syntax but was actually cross-rule enforcing that ICMP filter cannot be before the use of "sticky-address" in next rule.

MFC after: 2 weeks
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D36050

1f61367f | 31-May-2022 | Kristof Provost <kp@FreeBSD.org>
pf: support matching on tags for Ethernet rules

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35362

Revision tags: release/13.1.0

812839e5 | 12-Apr-2022 | Kristof Provost <kp@FreeBSD.org>
pf: allow the use of tables in ethernet rules

Allow tables to be used for the l3 source/destination matching. This requires taking the PF_RULES read lock.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34917

2fa6223a | 27-Mar-2022 | Gordon Bergling <gbe@FreeBSD.org>
pfctl(8): Fix a typo in a comment

- s/steping/stepping/

MFC after: 3 days

3468cd95 | 25-Mar-2022 | Kristof Provost <kp@FreeBSD.org>
pf: ether l3 rules can only use addresses

Disallow the use of tables in ethernet rules. Using tables requires taking the PF_RULES lock. Moreover, the current table code isn't ready to deal with ethernet rules.

Disallow their use for now.

Sponsored by: Rubicon Communications, LLC ("Netgate")

8a42005d | 08-Mar-2022 | Kristof Provost <kp@FreeBSD.org>
pf: support basic L3 filtering in the Ethernet rules

Allow filtering based on the source or destination IP/IPv6 address in the Ethernet layer rules.

Reviewed by: pauamma_gundo.com (man), debdrup (man)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34482

c32cd180 | 21-Jan-2022 | Kristof Provost <kp@FreeBSD.org>
pfctl: print ethernet rules when called with '-n'

Just as pfctl already does for other rules we print the ethernet rules we would have loaded if '-n' is specified.

Sponsored by: Rubicon Communications, LLC ("Netgate")