pf: add 'allow-related' to always allow SCTP multihome extra connections

Allow users to choose to allow permitted SCTP connections to set up additional
multihomed connections regardless of the rules

pf: add 'allow-related' to always allow SCTP multihome extra connections

Allow users to choose to allow permitted SCTP connections to set up additional
multihomed connections regardless of the ruleset. That is, allow an already
established connection to set up flows that would otherwise be disallowed.

In case of if-bound connections we initially set the extra associations to
be floating, because we don't know what path they'll be taking when they're
created. Once we see the first traffic we can bind them.

MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D48453

show more ...

pf.conf.5: fix description for tcp.opening timeout

Issue reported by Felix Rust; ok jmc@

Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 9278cfc6cf
Sponsored by: Rubicon Communications, LLC ("Ne

pf.conf.5: fix description for tcp.opening timeout

Issue reported by Felix Rust; ok jmc@

Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 9278cfc6cf
Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pf.conf.5: make "self" a bit more visible

from Sebastian Benoit <benoit-lists at fb12.de>, ok/input jmc, reminder/input
deraadt and too much of a trail to mention all of it, thx everybody involved

pf.conf.5: make "self" a bit more visible

from Sebastian Benoit <benoit-lists at fb12.de>, ok/input jmc, reminder/input
deraadt and too much of a trail to mention all of it, thx everybody involved

Obtained from: OpenBSD, henning <henning@openbsd.org>, 682c71ec7c
Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pf.conf.5: Fix endpoint-independent description

The description of the endpoint-independent option accidentally ended up
in the middle of map-e-portset's text.

Fixes: 390dc369efaa ("pf: Add support

pf.conf.5: Fix endpoint-independent description

The description of the endpoint-independent option accidentally ended up
in the middle of map-e-portset's text.

Fixes: 390dc369efaa ("pf: Add support for endpoint independent NAT bindings for UDP")

Reviewed by: kp
Sponsored by: Tailscale
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48158

show more ...

pf.conf.5: document af-to (aka nat64)

the patch was started by todd about a year ago and have been
finally finished by phessler and myself today; discussed with
and tweaks from jmc, ok sthen, hennin

pf.conf.5: document af-to (aka nat64)

the patch was started by todd about a year ago and have been
finally finished by phessler and myself today; discussed with
and tweaks from jmc, ok sthen, henning

Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, 4d5e14dff3
Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

manuals: Fix "unusual .Xr" warnings with a script

These were reported by `mandoc -T lint ...` as warnings:
- unusual Xr order
- unusual Xr punctuation

Fixes made by script in https://github.com/Tar

manuals: Fix "unusual .Xr" warnings with a script

These were reported by `mandoc -T lint ...` as warnings:
- unusual Xr order
- unusual Xr punctuation

Fixes made by script in https://github.com/Tarsnap/freebsd-doc-scripts

Signed-off-by: Graham Percival <gperciva@tarsnap.com>
Reviewed by: mhorne, Alexander Ziaee <concussious.bugzilla@runbox.com>
Sponsored by: Tarsnap Backup Inc.
Pull Request: https://github.com/freebsd/freebsd-src/pull/1464

show more ...

pf.conf.5: sync documentation with code on the matter of max state limit behavior

When one of the state limits is reached, further packets that would
create state are dropped, until existing states

pf.conf.5: sync documentation with code on the matter of max state limit behavior

When one of the state limits is reached, further packets that would
create state are dropped, until existing states time out. Discussed
with mcbride, ok henning, jmc

Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, 677ed08ce1
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46932

show more ...

manuals: Fix "skipping end of block" .Ed errors

These were reported by `mandoc -T lint ...` as errors; this commit only
handles unnecessary .Ed commands.

The rendered output (in ascii and html) is

manuals: Fix "skipping end of block" .Ed errors

These were reported by `mandoc -T lint ...` as errors; this commit only
handles unnecessary .Ed commands.

The rendered output (in ascii and html) is not affected by this commit.

Signed-off-by: Graham Percival <gperciva@tarsnap.com>
Reviewed by: mhorne
MFC after: 3 days
Sponsored by: Tarsnap Backup Inc.
Pull Request: https://github.com/freebsd/freebsd-src/pull/1435

show more ...

pf: add a new log opt PF_LOG_MATCHES

forces logging on all subsequent matching rules
new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly w

pf: add a new log opt PF_LOG_MATCHES

forces logging on all subsequent matching rules
new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many

Obtained from: OpenBSD, henning <henning@openbsd.org>, 1603e01ae4
Obtained from: OpenBSD, henning <henning@openbsd.org>, f496e91672
Obtained from: OpenBSD, henning <henning@openbsd.org>, 07481a9fee
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46588

show more ...

pf.conf.5: document received-on

Reviewed by: zlei
Obtained from: OpenBSD, dlg <dlg@openbsd.org>, 456093dddc
Obtained from: OpenBSD, jmc <jmc@openbsd.org>, 2bf0158fa8
Obtained from: OpenBSD, deraadt

pf.conf.5: document received-on

Reviewed by: zlei
Obtained from: OpenBSD, dlg <dlg@openbsd.org>, 456093dddc
Obtained from: OpenBSD, jmc <jmc@openbsd.org>, 2bf0158fa8
Obtained from: OpenBSD, deraadt <deraadt@openbsd.org>, be785dc6e2
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46579

show more ...

pf: Add a sysctl to limit work done for rdr source port rewriting

It was pointed out that the current approach of exhaustively searching
for a free source port might be very time consuming. Limit t

pf: Add a sysctl to limit work done for rdr source port rewriting

It was pointed out that the current approach of exhaustively searching
for a free source port might be very time consuming. Limit the amount
of work that we might do before giving up.

Reviewed by: kp
Reported by: Eirik Øverby <ltning-freebsd@anduin.net>
MFC after: 3 months
Sponsored by: Klara, Inc.
Sponsored by: Modirum
Differential Revision: https://reviews.freebsd.org/D46495

show more ...

pf: Add support for endpoint independent NAT bindings for UDP

With Endpoint Independent NAT bindings for UDP flows from a NATed source
address are always mapped to the same ip:port pair on the NAT r

pf: Add support for endpoint independent NAT bindings for UDP

With Endpoint Independent NAT bindings for UDP flows from a NATed source
address are always mapped to the same ip:port pair on the NAT router.
This allows a client to connect to multiple external servers while
appearing as the same host and enables NAT traversal without requiring
the client to use a middlebox traversal protocol such as STUN or TURN.

Introduce the 'endpoint-independent' option to NAT rules to allow
configuration of endpoint independent without effecting existing
deployments.

This change satisfies REQ 1 and 3 of RFC 4787 also known as 'full cone'
NAT.

Using Endpoint Independent NAT changes NAT exhaustion behaviour it does
not introduce any additional security considerations compared to other
forms of NAT.

PR: 219803
Co-authored-by: Damjan Jovanovic <damjan.jov@gmail.com>
Co-authored-by: Naman Sood <mail@nsood.in>
Reviewed-by: kp
Sponsored-by: Tailscale
Sponsored-by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D11137

show more ...

pf: Let rdr rules modify the src port if doing so would avoid a conflict

If NAT rules cause inbound connections to different external IPs to be
mapped to the same internal IP, and some application u

pf: Let rdr rules modify the src port if doing so would avoid a conflict

If NAT rules cause inbound connections to different external IPs to be
mapped to the same internal IP, and some application uses the same
source port for multiple such connections, rdr translation may result in
conflicts that cause some of the connections to be dropped.

Address this by letting rdr rules detect state conflicts and modulate
the source port to avoid them.

Reviewed by: kp, allanjude
MFC after: 3 months
Sponsored by: Klara, Inc.
Sponsored by: Modirum
Differential Revision: https://reviews.freebsd.org/D44488

show more ...

pf.conf.5: remove 'set limit tables'

We've never supported this (or at least not since 2012) limit. Remove it from
the man page.

Event: Kitchener-Waterloo Hackathon 202406

pf: allow pflow to be activated per rule

Only generate ipfix/netflow reports (through pflow) for the rules where
this is enabled. Reports can also be enabled globally through 'set
state-default pflo

pf: allow pflow to be activated per rule

Only generate ipfix/netflow reports (through pflow) for the rules where
this is enabled. Reports can also be enabled globally through 'set
state-default pflow'.

Obtained from: OpenBSD
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D43108

show more ...

pf.conf.5: revise divert-to and divert-reply

pf: support SCTP-specific timeouts

Allow SCTP state timeouts to be configured independently from TCP state
timeouts.

Reviewed by: tuexen
MFC after: 1 week
Sponsored by: Orange Business Services
Dif

pf: support SCTP-specific timeouts

Allow SCTP state timeouts to be configured independently from TCP state
timeouts.

Reviewed by: tuexen
MFC after: 1 week
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D42393

show more ...

pf: Update documentation regarding matching, scrubbing and reassembly

Update pf documentation:

- default behaviour of fragment reassembly
- introduction of scrub option for filter rules
- disadv

pf: Update documentation regarding matching, scrubbing and reassembly

Update pf documentation:

- default behaviour of fragment reassembly
- introduction of scrub option for filter rules
- disadvantages of using the old scrub ruleset
- options supported for match rules
- fix missing list block end
- remove duplicate description of match filter rule
- update example to modern syntax

Reviewed by: kp
Fragments obtained from: OpenBSD
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D42270

show more ...

Remove $FreeBSD$: one-line nroff pattern

Remove /^\.\\"\s*\$FreeBSD\$$\n/

pf.conf.5: document SCTP support

Mention SCTP in the pf.conf.5

Reviewed by: tuexen
MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D40870

pf: introduce ridentifier and labels to ether rules

Make Ethernet rules more similar to the usual layer 3 rules by also
allowing ridentifier and labels to be set on them.

Reviewed by: kp
Sponsored

pf: introduce ridentifier and labels to ether rules

Make Ethernet rules more similar to the usual layer 3 rules by also
allowing ridentifier and labels to be set on them.

Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pf.conf.5: minor improvements

* Align 'on <interface>' parameter with the BNF, so use 'on <ifspec>'
* Clarify etherprotospec BNF, to make it clearer that only numbers are
supported.

Suggested by:

pf.conf.5: minor improvements

* Align 'on <interface>' parameter with the BNF, so use 'on <ifspec>'
* Clarify etherprotospec BNF, to make it clearer that only numbers are
supported.

Suggested by: Christian McDonald
Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pf: backport OpenBSD syntax of "scrub" option for "match" and "pass" rules

Introduce the OpenBSD syntax of "scrub" option for "match" and "pass"
rules and the "set reassemble" flag. The patch is bac

pf: backport OpenBSD syntax of "scrub" option for "match" and "pass" rules

Introduce the OpenBSD syntax of "scrub" option for "match" and "pass"
rules and the "set reassemble" flag. The patch is backward-compatible,
pf.conf can be still written in FreeBSD-style.

Obtained from: OpenBSD
MFC after: never
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D38025

show more ...

pf.conf.5: typo fixes

PR: 270501 (partially)

Document another example for "binat".