pfctl: remove unused function prototype

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: convert DIOCRCLRTSTATS to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pfctl: simplify pfr_del_tables() to pfr_del_table()

We only ever delete a single table at a time, so remove the size argument.
This will make subsequent conversion to netlink easier.

Sponsored by:

pfctl: simplify pfr_del_tables() to pfr_del_table()

We only ever delete a single table at a time, so remove the size argument.
This will make subsequent conversion to netlink easier.

Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pfctl: simplify pfr_add_tables() to pfr_add_table()

We only ever add a single table at a time, so remove the size argument.
This will make subsequent conversion to netlink easier.

Sponsored by: Rub

pfctl: simplify pfr_add_tables() to pfr_add_table()

We only ever add a single table at a time, so remove the size argument.
This will make subsequent conversion to netlink easier.

Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pf: convert DIOCRCLRTABLES to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pfctl: clear statistic for specified addresses

The ioctl DIOCRCLRASTATS provides the functionality of clearing stats
not only for the whole table for for addresses stored in that table. The
function

pfctl: clear statistic for specified addresses

The ioctl DIOCRCLRASTATS provides the functionality of clearing stats
not only for the whole table for for addresses stored in that table. The
functionality was missing from pfctl, though. Add it now.

PR: 282877
Obtained from: OpenBSD, kirill <kirill@openbsd.org>, e496dff3a7
MFC after: 3 weeks

show more ...

pf: add a way to list creator ids

Allow userspace to retrieve a list of distinct creator ids for the
current states.

This is used by pfSense, and used to require dumping all states to
userspace. It

pf: add a way to list creator ids

Allow userspace to retrieve a list of distinct creator ids for the
current states.

This is used by pfSense, and used to require dumping all states to
userspace. It's rather inefficient to export a (potentially extremely
large) state table to obtain a handful (typically 2) of 32-bit integers.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42092

show more ...

Remove $FreeBSD$: two-line .h pattern

Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/

pf: add anchor support for ether rules

Support anchors in ether rules.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32482

pfctl: delay label macro expansion until after rule optimisation

We used to expand the $nr macro in labels into the rule number prior to
the optimisation step. This would occasionally produce incorr

pfctl: delay label macro expansion until after rule optimisation

We used to expand the $nr macro in labels into the rule number prior to
the optimisation step. This would occasionally produce incorrect rule
numbers in the labels.

Delay all macro expansion until after the optimisation step to ensure
that we expand the correct values.

MFC after: 1 week
Reported by: Özkan KIRIK <ozkan.kirik@gmail.com>
Differential Revision: https://reviews.freebsd.org/D32488

show more ...

pfctl: cache getprotobynumber results

As for example pfctl -ss keeps calling it, it saves a lot of overhead
from elided parsing of /etc/nsswitch.conf and /etc/protocols.

Sample result when running

pfctl: cache getprotobynumber results

As for example pfctl -ss keeps calling it, it saves a lot of overhead
from elided parsing of /etc/nsswitch.conf and /etc/protocols.

Sample result when running a pre-nvlist binary with nfs root and dumping
7 mln states:
before: 24.817u 62.993s 1:28.52 99.1%
after: 8.064u 1.117s 0:18.87 48.5%

Idea by Jim Thompson

Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pfctl: Use DIOCGETSTATESNV

Migrate to using the new nvlist-based DIOCGETSTATESNV call to obtain the
states list.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential

pfctl: Use DIOCGETSTATESNV

Migrate to using the new nvlist-based DIOCGETSTATESNV call to obtain the
states list.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30244

show more ...

libpfctl: Switch to pfctl_rule

Stop using the kernel's struct pf_rule, switch to libpfctl's pfctl_rule.
Now that we use nvlists to communicate with the kernel these structures
can be fully decoupled

libpfctl: Switch to pfctl_rule

Stop using the kernel's struct pf_rule, switch to libpfctl's pfctl_rule.
Now that we use nvlists to communicate with the kernel these structures
can be fully decoupled.

Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29644

show more ...

pf: Move prototypes for userspace functions to userspace header

These functions no longer exist in the kernel, so there's no reason to
keep the prototypes in a kernel header. Move them to pfctl wher

pf: Move prototypes for userspace functions to userspace header

These functions no longer exist in the kernel, so there's no reason to
keep the prototypes in a kernel header. Move them to pfctl where they're
actually implemented.

Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29643

show more ...

Merge ^/head r343202 through r343319.

Reduce pf.conf parsing cost for configs that define N queues from O(N^2) to O(N)

The number of syscalls made during parsing of any config that
defines tables is also reduced, and incorrect warnings

Reduce pf.conf parsing cost for configs that define N queues from O(N^2) to O(N)

The number of syscalls made during parsing of any config that
defines tables is also reduced, and incorrect warnings that HFSC
parent queue bandwidths were smaller than the sum of their child
bandwidths have been fixed.

Reviewed by: kp
MFC after: 1 week
Sponsored by: RG Nets
Differential Revision: https://reviews.freebsd.org/D18759

show more ...

various: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error

various: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

No functional change intended.

show more ...

Merge fresh head.

MFC @ r241285

IFC @ r242684

Sync from head

o Create directory sys/netpfil, where all packet filters should
reside, and move there ipfw(4) and pf(4).

o Move most modified parts of pf out of contrib.

Actual movements:

sys/contrib/pf/net/*.

o Create directory sys/netpfil, where all packet filters should
reside, and move there ipfw(4) and pf(4).

o Move most modified parts of pf out of contrib.

Actual movements:

sys/contrib/pf/net/*.c -> sys/netpfil/pf/
sys/contrib/pf/net/*.h -> sys/net/
contrib/pf/pfctl/*.c -> sbin/pfctl
contrib/pf/pfctl/*.h -> sbin/pfctl
contrib/pf/pfctl/pfctl.8 -> sbin/pfctl
contrib/pf/pfctl/*.4 -> share/man/man4
contrib/pf/pfctl/*.5 -> share/man/man5

sys/netinet/ipfw -> sys/netpfil/ipfw

The arguable movement is pf/net/*.h -> sys/net. There are
future plans to refactor pf includes, so I decided not to
break things twice.

Not modified bits of pf left in contrib: authpf, ftp-proxy,
tftp-proxy, pflogd.

The ipfw(4) movement is planned to be merged to stable/9,
to make head and stable match.

Discussed with: bz, luigi

show more ...