History log of /freebsd/sys/netpfil/pf/if_pflog.c (Results 1 – 25 of 52)
# 8e8a77c5 14-Feb-2025 Kristof Provost <kp@FreeBSD.org>

pf: allow multiple pflog interfaces to be created

Fixes: 3bf6554017b78f03bb779a5a3115034243e5c6c7
Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/14.1.0-p7, release/14.2.0-p1, release/13.4.0-p3
# 3bf65540 22-Jan-2025 Kristof Provost <kp@FreeBSD.org>

pf: remove PFLOGIFS_MAX

There was a limit on the number of pflog interfaces - 16. Remove that,
mostly by dynamically allocating pflogifs instead of making that a static
array. ok claudio zinke

Obtained from: OpenBSD, henning <henning@openbsd.org>, ab0a082ea6
Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/14.2.0
# 9a405864 03-Oct-2024 Kristof Provost <kp@FreeBSD.org>

pf: move the mbuf into struct pf_pdesc too

As requested by henning, move the mbuf pointer into struct pf_pdesc.
Also sort pd to the beginning of the functions' parameter lists for
consistency.
ok henning

Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 776f210a75
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46941


# b4a42589 03-Oct-2024 Kristof Provost <kp@FreeBSD.org>

pf: put kif into struct pf_pdesc

Put kif and dir into pdesc and use this instead of passing the values
around. This is a mechanical change. Initialize pd2 and use it
where appropriate.
ok henning on an earlier version; ok mpf

Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 47de5c193e
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46939


Revision tags: release/13.4.0
# bc4b0def 06-Sep-2024 Kristof Provost <kp@FreeBSD.org>

pf: do not pass af to PFLOG_PACKET

Do not pass AF specific information to pf_test_rule() and PFLOG_PACKET()
because either the info is already available in struct pd or easy
to figure out. Makes pf_test() and pf_test6() even more similar
(with the target to remove one of them in the near future).
OK henning@

Reviewed by: zlei
Obtained from: OpenBSD, claudio <claudio@openbsd.org>, 5480721ed1
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46596


# 07d138af 03-Jul-2024 Zhenlei Huang <zlei@FreeBSD.org>

if_pflog: Limit the maximum unit via the new KPI

The cloner has the ability to limit the maximum unit. Employ it to do
that rather than roll our own.

No functional change intended.

Reviewed by: kp
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D45767


# aa386085 28-Jun-2024 Zhenlei Huang <zlei@FreeBSD.org>

net: Remove unneeded NULL check for the allocated ifnet

Change 4787572d0580 made if_alloc_domain() never fail, then also do the
wrappers if_alloc(), if_alloc_dev(), and if_gethandle().

No functional change intended.

Reviewed by: kp, imp, glebius, stevek
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D45740


# ebc2bab0 09-Jun-2024 Zhenlei Huang <zlei@FreeBSD.org>

pflog: Correctly check if bpf peers are present

On creating the pflog(4) interface, pflog_clone_create() does an
unconditional bpfattach(). Use bpf_peers_present() which was introduced
in commit 16d878cc99ef [1] to check the presence of bpf peers.

This will save a few CPU cycles when no bpf peers are present. There
should be no functional change.

1. 16d878cc99ef Fix the following bpf(4) race condition which can result in a panic

Reviewed by: kp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D45532


Revision tags: release/14.1.0, release/13.3.0
# 948e8413 02-Jan-2024 Kristof Provost <kp@FreeBSD.org>

pflog: pass the action to pflog directly

If a packet is malformed, it is dropped by pf(4). The rule referenced
in pflog(4) is the default rule. As the default rule is a pass
rule, tcpdump printed "pass" although the packet was actually
dropped. Use the actual action, rather than the rule's action, or an
attempt at guessing the correct action.

Inspired by OpenBSD's 'pflog(4) logs packet dropped by default rule with block.' commit.

Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/14.0.0
# 685dc743 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/


# f2064dd1 12-Jul-2023 Kajetan Staszkiewicz <vegeta@tuxpowered.net>

pf: Fix duplicate storage of direction

The variable storing the direction of a processed packet is passed
around to many functions. Most of those functions already have a pointer
to struct pf_pdesc which also contains the direction. By using the one
in struct pf_pdesc we can reduce the amount of arguments passed around.

Reviewed by: kp
Sponsored by: InnGames GmbH
Differential Revision: https://reviews.freebsd.org/D41008


Revision tags: release/13.2.0
# 3d0d5b21 23-Jan-2023 Justin Hibbits <jhibbits@FreeBSD.org>

IfAPI: Explicitly include <net/if_private.h> in netstack

Summary:
In preparation of making if_t completely opaque outside of the netstack,
explicitly include the header. <net/if_var.h> will stop including the
header in the future.

Sponsored by: Juniper Networks, Inc.
Reviewed by: glebius, melifaro
Differential Revision: https://reviews.freebsd.org/D38200


Revision tags: release/12.4.0
# 91ebcbe0 22-Sep-2022 Alexander V. Chernikov <melifaro@FreeBSD.org>

if_clone: migrate some consumers to the new KPI.

Convert most of the cloner customers who require custom params
to the new if_clone KPI.

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D36636
MFC after: 2 weeks


Revision tags: release/13.1.0
# 6d4baa0d 02-Dec-2021 Kristof Provost <kp@FreeBSD.org>

if_pflog: fix packet length

There were two issues with the new pflog packet length.
The first is that the length is expected to be a multiple of
sizeof(long), but we'd assumed it had to be a multiple of
sizeof(uint32_t).

The second is that there's some broken software out there (such as
Wireshark) that makes incorrect assumptions about the amount of padding.
That is, Wireshark assumes there's always three bytes of padding, rather
than however much is needed to get to a multiple of sizeof(long).

Fix this by adding extra padding, and a fake field to maintain
Wireshark's assumption.

Reported by: Ozkan KIRIK <ozkan.kirik@gmail.com>
Tested by: Ozkan KIRIK <ozkan.kirik@gmail.com>
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33236


Revision tags: release/12.3.0
# 76c5eecc 29-Oct-2021 Kristof Provost <kp@FreeBSD.org>

pf: Introduce ridentifier

Allow users to set a number on rules which will be exposed as part of
the pflog header.
The intent behind this is to allow users to correlate rules across
updates (remember that pf rules continue to exist and match existing
states, even if they're removed from the active ruleset) and pflog.

Obtained from: pfSense
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32750


Revision tags: release/13.0.0
# 320c1116 12-Dec-2020 Kristof Provost <kp@FreeBSD.org>

pf: Split pfi_kif into a user and kernel space structure

No functional change.

MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D27761


# e86bddea 05-Dec-2020 Kristof Provost <kp@FreeBSD.org>

pf: Split pf_rule into kernel and user space versions

No functional change intended.

MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D27758


Revision tags: release/12.2.0, release/11.4.0, release/12.1.0, release/11.3.0, release/12.0.0
# 14b841d4 11-Aug-2018 Kyle Evans <kevans@FreeBSD.org>

MFH @ r337607, in preparation for boarding


# 5f901c92 24-Jul-2018 Andrew Turner <andrew@FreeBSD.org>

Use the new VNET_DEFINE_STATIC macro when we are defining static VNET
variables.

Reviewed by: bz
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D16147


Revision tags: release/11.2.0
# 6e778a7e 08-Dec-2017 Pedro F. Giffuni <pfg@FreeBSD.org>

SPDX: license IDs for some ISC-related files.


Revision tags: release/10.4.0, release/11.1.0
# 1bde3b70 09-Dec-2016 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r309519 through r309757.


# c3e14afc 05-Dec-2016 Kristof Provost <kp@FreeBSD.org>

pflog: Correctly initialise subrulenr

subrulenr is considered unset if it's set to -1, not if it's set to 1.
See contrib/tcpdump/print-pflog.c pflog_print() for a user.

This caused incorrect pflog output (tcpdump -n -e -ttt -i pflog0):
rule 0..16777216(match)
instead of the correct output of
rule 0/0(match)

PR: 214832
Submitted by: andywhite@gmail.com


Revision tags: release/11.0.1, release/11.0.0
# 7d7751a0 24-Jun-2016 Bjoern A. Zeeb <bz@FreeBSD.org>

Make sure pflog is attached after pf is initialized so we can
borrow pf's lock, and also make sure pflog goes after pf is gone
in order to avoid callouts in VNETs to an already freed instance.

Reported by: Ivan Klymenko, Johan Hendriks on current@ today
Obtained from: projects/vnet
Sponsored by: The FreeBSD Foundation
MFC after: 13 days
Approved by: re (gjb)


# a0429b54 23-Jun-2016 Bjoern A. Zeeb <bz@FreeBSD.org>

Update pf(4) and pflog(4) to survive basic VNET testing, which includes
proper virtualisation, teardown, avoiding use-after-free, race conditions,
no longer creating a thread per VNET (which could easily be a couple of
thousand threads), gracefully ignoring global events (e.g., eventhandlers)
on teardown, clearing various globally cached pointers and checking
them before use.

Reviewed by: kp
Approved by: re (gjb)
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D6924


Revision tags: release/10.3.0, release/10.2.0
# 9268022b 19-Nov-2014 Simon J. Gerraty <sjg@FreeBSD.org>

Merge from head@274682

