9c125336 | 11-Oct-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCGETSRCNODES to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")

Revision tags: release/13.4.0

637d81c5 | 29-Aug-2024 | Kristof Provost <kp@FreeBSD.org>
pfctl: fix incorrect optimization
In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 }) should be folded in the parser to any, not to 10.0.0.1. How long this bug has been with us is unclear. ok guenther mcbride
Obtained from: OpenBSD, deraadt <deraadt@openbsd.org>, e3b4bc25a0
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46580

d9ab8999 | 07-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pf: migrate DIOCGETLIMIT/DIOCSETLIMIT to netlink
Event: Kitchener-Waterloo Hackathon 202406

30bad751 | 05-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCGETTIMEOUT/DIOCSETTIMEOUT to netlink

c36c90a2 | 01-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCSETDEBUG to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")

Revision tags: release/14.1.0

f1612e70 | 09-May-2024 | Kristof Provost <kp@FreeBSD.org>
libpfctl: fix file descriptor leak
pfctl_get_rules_info() opened a netlink socket, but failed to close it again. Fix this by factoring out the netlink-based function into a _h variant that takes struct pfctl_handle, and implement pfctl_get_rules_info() based on that, remembering to close the fd.
While here migrate all in-tree consumers to the _h variant.
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")

Revision tags: release/13.3.0, release/14.0.0

7ce98cf2 | 06-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pfctl: fix incorrect mask on dynamic address
A PF rule using an IPv4 address followed by an IPv6 address and then a dynamic address, e.g. "pass from {192.0.2.1 2001:db8::1} to (pppoe0)", will have an incorrect /32 mask applied to the dynamic address.
MFC after: 3 weeks
Obtained from: OpenBSD
See also: https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/007_pfctl.patch.sig
Sponsored by: Rubicon Communications, LLC ("Netgate")
Event: Oslo Hackathon at Modirum

b3e76948 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>
Remove $FreeBSD$: two-line .h pattern
Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/

dbce131b | 21-Apr-2023 | Kristof Provost <kp@FreeBSD.org>
pfctl: match geticmpcodeby*()/print_fromto() prototypes to definitions
The definitions use sa_family_t, not u_int8_t.
Sponsored by: Rubicon Communications, LLC ("Netgate")

39282ef3 | 13-Apr-2023 | Kajetan Staszkiewicz <vegeta@tuxpowered.net>
pf: backport OpenBSD syntax of "scrub" option for "match" and "pass" rules
Introduce the OpenBSD syntax of the "scrub" option for "match" and "pass" rules and the "set reassemble" flag. The patch is backward-compatible; pf.conf can still be written in FreeBSD style.
Obtained from: OpenBSD
MFC after: never
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D38025

Revision tags: release/13.2.0, release/12.4.0, release/13.1.0

c32cd180 | 21-Jan-2022 | Kristof Provost <kp@FreeBSD.org>
pfctl: print ethernet rules when called with '-n'
Just as pfctl already does for other rules we print the ethernet rules we would have loaded if '-n' is specified.
Sponsored by: Rubicon Communications, LLC ("Netgate")

b590f17a | 20-Jan-2022 | Kristof Provost <kp@FreeBSD.org>
pf: support masking mac addresses
When filtering Ethernet packets allow rules to specify a mac address with a mask. This indicates which bits of the specified address are significant. This allows users to do things like filter based on device manufacturer.
Sponsored by: Rubicon Communications, LLC ("Netgate")

Revision tags: release/12.3.0

c5131afe | 01-Oct-2021 | Kristof Provost <kp@FreeBSD.org>
pf: add anchor support for ether rules
Support anchors in ether rules.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32482

87a89d6e | 30-Sep-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: support lists of mac addresses
Teach the 'ether' rules to accept { mac1, mac2, ... } lists, similar to the lists of interfaces or IP addresses we already supported for layer 3 filtering.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32481

Revision tags: release/13.0.0

2b29ceb8 | 04-Feb-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Print Ethernet rules
Extend pfctl to be able to read configured Ethernet filtering rules from the kernel and print them.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31738

5e04571c | 05-Dec-2021 | Stefan Eßer <se@FreeBSD.org>
sys/bitset.h: reduce visibility of BIT_* macros
Add two underscore characters "__" to names of BIT_* and BITSET_* macros to move them to the implementation name space and to prevent a name space pollution due to BIT_* macros in 3rd party programs with conflicting parameter signatures.
These prefixed macro names are used in kernel header files to define macros in e.g. sched.h, sys/cpuset.h and sys/domainset.h.
If C programs are built with either -D_KERNEL (automatically passed when building a kernel or kernel modules) or -D_WANT_FREEBSD_BITSET (or this macro is defined in the source code before including the bitset macros), then all macros are made visible with their previous names, too. E.g., both __BIT_SET() and BIT_SET() are visible with either of _KERNEL or _WANT_FREEBSD_BITSET defined.
The main reason for this change is that some 3rd party sources including sched.h have been found to contain conflicting BIT_* macros.
As a work-around, parts of sched.h have been made conditional and depend on _WITH_CPU_SET_T being set when sched.h is included. Ports that expect the full functionality provided by sched.h need to be built with -D_WITH_CPU_SET_T. But this leads to conflicts if BIT_* macros are defined in that program, too.
This patch set makes all of sched.h visible again without this parameter being passed and without any name space pollution due to BIT_* macros becoming visible when sched.h is included.
This patch set will be backported to the STABLE branches, but ports will need to use -D_WITH_CPU_SET_T as long as there are supported releases that do not contain these patches.
Reviewed by: kib, markj
MFC after: 1 month
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D33235

90dedf0f | 30-Sep-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Remove unused variable
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")

5062afff | 13-Aug-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: userspace adaptive syncookies configuration
Hook up the userspace bits to configure syncookies in adaptive mode.
MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D32136

80078d9d | 26-Aug-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: use libpfctl to retrieve pf status
Rather than call DIOCGETSTATUS ourselves use the new libpfctl functions.
MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31697

c69121c4 | 26-May-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: syncookie configuration
pfctl and libpfctl code required to enable/disable the syncookie feature.
MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31140

93abcf17 | 03-May-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Support killing 'matching' states
Optionally also kill states that match (i.e. are the NATed state or opposite direction state entry for) the state we're killing.
See also https://redmine.pfsense.org/issues/8555
Submitted by: Steven Brown
Reviewed by: bcr (man page)
Obtained from: https://github.com/pfsense/FreeBSD-src/pull/11/
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30092

42ec75f8 | 15-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Optionally attempt to preserve rule counter values across ruleset updates
Usually rule counters are reset to zero on every update of the ruleset. With keepcounters set pf will attempt to find matching rules between old and new rulesets and preserve the rule counters.
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29780

600bd6ce | 12-Apr-2021 | Kurosawa Takahiro <takahiro.kurosawa@gmail.com>
pfctl, libpfctl: introduce pfctl_pool
Introduce pfctl_pool to be able to extend the pool part of the pf rule without breaking the ABI.
Reviewed by: kp
MFC after: 4 weeks
Differential Revision: https://reviews.freebsd.org/D29721

e9eb0941 | 08-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
libpfctl: Switch to pfctl_rule
Stop using the kernel's struct pf_rule, switch to libpfctl's pfctl_rule. Now that we use nvlists to communicate with the kernel these structures can be fully decoupled.
Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29644

0d71f9f3 | 26-Mar-2021 | Kristof Provost <kp@FreeBSD.org>
pfctl: Move ioctl abstraction functions into libpfctl
Introduce a library to wrap the pf ioctl interface.
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29562