pf: add a dedicated pf pool for route options

As suggested by henning.
Which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio

pf: add a dedicated pf pool for route options

As suggested by henning.
Which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@

Obtained from: OpenBSD, jsg <jsg@openbsd.org>, 7fa5c09028
Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pf: clean up mbuf passing for reassembly

When we call pf_normalize_ip() or pf_normalize_ip6() we passed the mbuf twice.
Once as m0, and once inside the struct pf_pdesc. Remove the former to avoid
co

pf: clean up mbuf passing for reassembly

When we call pf_normalize_ip() or pf_normalize_ip6() we passed the mbuf twice.
Once as m0, and once inside the struct pf_pdesc. Remove the former to avoid
confusion when we free *m0, but don't update pd->m.

This could lead to use-after-free errors e.g. if reassembly failed.

PR: 283705
Reported by: Yichen Chai <yichen.chai@gmail.com>, Zhuo Ying Jiang Li <zyj20@cl.cam.ac.uk>
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pf: add 'allow-related' to always allow SCTP multihome extra connections

Allow users to choose to allow permitted SCTP connections to set up additional
multihomed connections regardless of the rules

pf: add 'allow-related' to always allow SCTP multihome extra connections

Allow users to choose to allow permitted SCTP connections to set up additional
multihomed connections regardless of the ruleset. That is, allow an already
established connection to set up flows that would otherwise be disallowed.

In case of if-bound connections we initially set the extra associations to
be floating, because we don't know what path they'll be taking when they're
created. Once we see the first traffic we can bind them.

MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D48453

show more ...

pf: pass struct pf_pdesc to pf_walk_option6() and pf_walk_header6()

This makes their argument list shorter. Also fix a bug where pf_walk_option6()
used the outer header in the pd2 case.
ok henning@

pf: pass struct pf_pdesc to pf_walk_option6() and pf_walk_header6()

This makes their argument list shorter. Also fix a bug where pf_walk_option6()
used the outer header in the pd2 case.
ok henning@ mikeb@

Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, dfff4707a1
Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pf: sprinkle const over function arguments

Document that these are not supposed to modify their arguments.

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: handle fragmentation for nat64

When we reassemble IPv4 packets tag them just like we tag the IPv6 reassembled
packtes. Use this information as the basis for refragmenting the IPv6 packet.

Spons

pf: handle fragmentation for nat64

When we reassemble IPv4 packets tag them just like we tag the IPv6 reassembled
packtes. Use this information as the basis for refragmenting the IPv6 packet.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47804

show more ...

pfctl: change for af-to / NAT64 support.

The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP

pfctl: change for af-to / NAT64 support.

The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extraced
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@

Obtained from: OpenBSD, claudio <claudio@openbsd.org>, 0cde32ce3f
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47790

show more ...

pf: nat64

Since the IPv6 madness is not enough introduce NAT64 -- which is actually
"af-to" a generic IP version translator for pf(4).
Not everything perfect yet but lets fix these things in the tre

pf: nat64

Since the IPv6 madness is not enough introduce NAT64 -- which is actually
"af-to" a generic IP version translator for pf(4).
Not everything perfect yet but lets fix these things in the tree.
Insane amount of work done by sperreault@, mikeb@ and reyk@.
Looked over by mcbride@ henning@ and myself at eurobsdcon.
OK mcbride@ and general put it in from deraadt@

Obtained from: OpenBSD, claudio <claudio@openbsd.org>, 97326e01c9
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47786

show more ...

pf: add post-NAT src/dst address/port to pf_pdesc

stuff nsaddr/ndaddr/nsport/ndport (addrs/ports after NAT, used a lot while
walking the ruleset and up until state is fully set up) into pf_pdesc ins

pf: add post-NAT src/dst address/port to pf_pdesc

stuff nsaddr/ndaddr/nsport/ndport (addrs/ports after NAT, used a lot while
walking the ruleset and up until state is fully set up) into pf_pdesc instead
of passing around those 4 seperately all the time, also shrinks the argument
count for a few functions that have/partialy had an insane count of arguments.
kinda preparational since we'll need them elsewhere too, soon
ok ryan jsing

Obtained from: OpenBSD, henning <henning@openbsd.org>, ccf63ac6cb
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47784

show more ...

pf: partially import OpenBSD's NAT rewrite

We won't follow this fully, because it involves breaking syntax changes
(removing nat/rdr rules and moving this functionality into regular rules) as
well a

pf: partially import OpenBSD's NAT rewrite

We won't follow this fully, because it involves breaking syntax changes
(removing nat/rdr rules and moving this functionality into regular rules) as
well as behaviour changes because NAT is now done after the rules evaluation,
rather than before it.

We import some related changes anyway, because it paves the way for nat64
support.
This change introduces a new pf_kpool in struct pf_krule, for nat. It is not yet
used (but will be for nat64) and renames the existing 'rpool' to 'rdr'.

Obtained from: OpenBSD, henning <henning@openbsd.org>, 0ef3d4febe
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47783

show more ...

pf: remove unused variable from pf_pdesc

We only every assigned proto_sum, never used it.
Remove it entirely.

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: Move route-to information to rule actions

Route-to redirection information (rt, rt_kif, rt_addr) can be considered an
action of a rule. This information is duplicated in struct pf_kstate which
m

pf: Move route-to information to rule actions

Route-to redirection information (rt, rt_kif, rt_addr) can be considered an
action of a rule. This information is duplicated in struct pf_kstate which
means that the pf_route() function must always figure out where to get this
information from: state for stateful forwarding, or rule for stateless.

Create the necessary members in struct pf_rule_action. Fill them in right after
parsing the ruleset, similar for how NAT redirection is applied right after
parsing the NAT ruleset. Remove the logic for finding the right source for
route-to redirection from pf_route().

As a bonus simplify pf_map_addr_sn() and source node handling. Both for the
NAT and the filter ruleset there is now only one path:
1. parse the rules
2. apply redirection either from an existing source node or by load balancing
for the last matching rule
3. create the source node using the redirection if the node does not yet exist

Reviewed by: kp
Approved by: kp (mentor)
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D47827

show more ...

tcp: add TH_AE capabilities to ppp and pf

Add support for the AE Flag in the TCP header to pf and ppp.
Commonalize to the use of "E"(ECE), "W"(CWR) and "e"(AE)
for the TCP header flags, in line with

tcp: add TH_AE capabilities to ppp and pf

Add support for the AE Flag in the TCP header to pf and ppp.
Commonalize to the use of "E"(ECE), "W"(CWR) and "e"(AE)
for the TCP header flags, in line with tcpdump.

Reviewers: kp, cc, tuexen, cy, #transport!
Sponsored by: NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D47106

show more ...

pf: Fix source node locking

Source nodes are created quite early in pf_create_state(), even before
the state is allocated, locked and inserted into its hash row. They are
prone to being freed by sou

pf: Fix source node locking

Source nodes are created quite early in pf_create_state(), even before
the state is allocated, locked and inserted into its hash row. They are
prone to being freed by source node killing or clearing ioctl while
pf_create_state() is still running.

The function pf_map_addr_sn() can be called in two very different paths.

One is for filter rules where it is called from
pf_create_state() after pf_insert_src_node(). In this case it is called
with a given source node and does not perform its own search and must
return the source node.

The other one is for NAT rules where it is called from
pf_get_translation() or its descendants. In this case it is called with
no known source node and performs its own search for source nodes. This
source node is then passed back to pf_create_state() without locking.

The states property of source node is increased in pf_find_src_node()
which allows for the counter to increase when a packet matches the NAT
rule but not a pass keep state rule.

The function pf_map_addr() operates on unlocked source node.

Modify pf_find_src_node() to return locked on source node found, so
that any subsequent operations can access the source node safely.

Move sn->states++ counter increase to pf_insert_src_node() to ensure
that it's called only from pf_create_state() and not from NAT ruleset
path, and have it increased only if the source node has really been
inserted or found, simplifying the cleanup.

Add locking in pf_src_connlimit() and pf_map_addr(). Sprinkle mutex
assertions in pf_map_addr().

Add a function pf_src_node_exists() to check a known source node is
still valid. Use it in pf_create_state() where it's impossible to hold
locks from pf_insert_src_node() because that would cause LoR (nodes
first, then state) against pf_src_connlimit() (state first, then node).

Don't propagate the source node found while parsing the NAT ruleset to
pf_create_state() because it must be found again and locked or created.

Reviewed by: kp
Approved by: kp (mentor)
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D47770

show more ...

pf: handle IPv6 fragmentation for route-to

If a fragmented IPv6 packet hits a route-to rule we have to first prevent
the pf_test(PF_OUT) check in pf_route6() from refragmenting (and calling
ip6_outp

pf: handle IPv6 fragmentation for route-to

If a fragmented IPv6 packet hits a route-to rule we have to first prevent
the pf_test(PF_OUT) check in pf_route6() from refragmenting (and calling
ip6_output()/ip6_forward()). We then have to refragment in pf_route6() and
transmit the packets on the route-to interface.

Split pf_refragment6() into two parts, the first to perform the refragmentation,
the second to call ip6_output()/ip6_forward() and call the former from
pf_route6().

Add a test case for route-to-ing fragmented IPv6 packets to verify this works
as expected.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47684

show more ...

pf: Fix handling of v6 loopback connections with pf syncookies enabled

The SYN|ACK generated by pf needs to inherit M_LOOP from the original
SYN, otherwise it gets dropped by ip6_input().

Fix this

pf: Fix handling of v6 loopback connections with pf syncookies enabled

The SYN|ACK generated by pf needs to inherit M_LOOP from the original
SYN, otherwise it gets dropped by ip6_input().

Fix this by adding an mbuf_flags argument to pf_build_tcp() that can be
used to set both M_SKIP_FIREWALL and M_LOOP as needed. Set M_LOOP on
the output mbuf if it was generated in response to an mbuf with M_LOOP
set.

Add a regression test case. The v4 case had no problems, but the v6
case fails without this change.

Reviewed by: kp
MFC after: 1 month
Sponsored by: Klara, Inc.
Sponsored by: Zenarmor
Differential Revision: https://reviews.freebsd.org/D47257

show more ...

pf: move the mbuf into struct pf_pdesc too

As requested by henning, move the mbuf pointer into struct pf_pdesc.
Also sort pd to the beginning of the functions' parameter lists for
consistency.
ok he

pf: move the mbuf into struct pf_pdesc too

As requested by henning, move the mbuf pointer into struct pf_pdesc.
Also sort pd to the beginning of the functions' parameter lists for
consistency.
ok henning

Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 776f210a75
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46941

show more ...

pf: put kif into struct pf_pdesc

Put kif and dir into pdesc an use this instead of passing the values
around. This is a mechanical change. Initialize pd2 and use it
where appropriate.
ok henning o

pf: put kif into struct pf_pdesc

Put kif and dir into pdesc an use this instead of passing the values
around. This is a mechanical change. Initialize pd2 and use it
where appropriate.
ok henning on an earlier version; ok mpf

Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 47de5c193e
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46939

show more ...

pf: convert DIOCGETRULESET to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46938

pf: consolidate pf function parameters

Move off and hdrlen into pdesc
and change their type from int to u_int32_t. Do not pass struct
tcphdr *th and sa_family_t af, it is in pd anyway. Do not use

pf: consolidate pf function parameters

Move off and hdrlen into pdesc
and change their type from int to u_int32_t. Do not pass struct
tcphdr *th and sa_family_t af, it is in pd anyway. Do not use af
and pd->af intermixed, the latter makes clear where it comes from.
Do not calculate the packet length again if pd already has it. Use
pd2.off instead of off2.
go go go go don't stop henning@ mpf@

Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 110e53770d
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46937

show more ...

pf: move pf_test_rule() out of pf_setup_pdesc()

Move the call to pf_test_rule() for fragments that have not been
reassembled by normalization from pf_setup_pdesc() to pf_test().
This simplifies the

pf: move pf_test_rule() out of pf_setup_pdesc()

Move the call to pf_test_rule() for fragments that have not been
reassembled by normalization from pf_setup_pdesc() to pf_test().
This simplifies the paramter list of pf_setup_pdesc() as it can
concentrate on its job filling the pf_pdesc struct.
ok henning mpf

Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, fb9fe53b92
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46935

show more ...

pf: remove the last hand-rolled IPv6 extension header loop

Replace the IPv6 header walking loop in pf_test_state_icmp() with
the common function pf_walk_header6(). For that, pf_walk_header6()
can n

pf: remove the last hand-rolled IPv6 extension header loop

Replace the IPv6 header walking loop in pf_test_state_icmp() with
the common function pf_walk_header6(). For that, pf_walk_header6()
can now extract both the information wether it is a fragment and
the final protocol if it is the first fragment. This allows to
match the icmp6 too big packet of a first fragment to the reassembled
packet's state. This is neccesary if a refragmented fragment is
to big for the Path-MTU.
Note that pd.proto contains the real protocol number for the first
fragment and IPPROTO_FRAGMENT for later fragments. pd.virtual_protocol
is set to PF_VPROTO_FRAGMENT for all fragments.
ok mcbride@

Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 90b3c57e94
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46931

show more ...

pf: convert DIOCGETRULESETS to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46930

pf: add ttl to pf_pdesc

This simplifies the code a little, because we can now avoid looking at the
IP(v6) header at all in pf_test() itself.

We do have to move the Jumbogram check into pf_setup_pde

pf: add ttl to pf_pdesc

This simplifies the code a little, because we can now avoid looking at the
IP(v6) header at all in pf_test() itself.

We do have to move the Jumbogram check into pf_setup_pdesc as well.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46928

show more ...

pf: reduce IPv6 header parsing code duplication

There were two loops in pf_setup_pdesc() and pf_normalize_ip6()
walking over the IPv6 header chain. Merge them into one loop,
adjust some length chec

pf: reduce IPv6 header parsing code duplication

There were two loops in pf_setup_pdesc() and pf_normalize_ip6()
walking over the IPv6 header chain. Merge them into one loop,
adjust some length checks and fix IPv6 jumbo option handling. Also
allow strange but legal IPv6 packets with plen=0 passing through
pf. IPv6 jumbo packets still get dropped.
testing dhill@; ok mcbride@ henning@

Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, d68283bbf0
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46925

show more ...