pf: remove NULL check before uma_zfree()

uma_zfree() can be called on a NULL pointer. Simplify the pf code a
little by removing the redundant checks.

Sponsored by: Rubicon Communications, LLC ("Net

pf: remove NULL check before uma_zfree()

uma_zfree() can be called on a NULL pointer. Simplify the pf code a
little by removing the redundant checks.

Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pf: backport OpenBSD syntax of "scrub" option for "match" and "pass" rules

Introduce the OpenBSD syntax of "scrub" option for "match" and "pass"
rules and the "set reassemble" flag. The patch is bac

pf: backport OpenBSD syntax of "scrub" option for "match" and "pass" rules

Introduce the OpenBSD syntax of "scrub" option for "match" and "pass"
rules and the "set reassemble" flag. The patch is backward-compatible,
pf.conf can be still written in FreeBSD-style.

Obtained from: OpenBSD
MFC after: never
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D38025

show more ...

pf: remove pd_refs from pfsync

It only served to complicate cleanup, and added no value.

While here drop packets in pfsync_defer_tmo() if we don't have a syncif,
rather than just leaving them on th

pf: remove pd_refs from pfsync

It only served to complicate cleanup, and added no value.

While here drop packets in pfsync_defer_tmo() if we don't have a syncif,
rather than just leaving them on the queue.

Reviewed by: markj
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D39248

show more ...

pfsync: hold b_mtx for callout_stop(pd_tmo)

The pd_tmo callout has an associated mutex, which we must hold while
calling callout_stop().

Reported by: markj
Reviewed by: markj
MFC after: 3 days
Spon

pfsync: hold b_mtx for callout_stop(pd_tmo)

The pd_tmo callout has an associated mutex, which we must hold while
calling callout_stop().

Reported by: markj
Reviewed by: markj
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D39223

show more ...

pfsync: fix pfsync_undefer_state() locking

pfsync_undefer_state() takes the bucket lock, but could get called from
places (e.g. from pfsync_update_state() or pfsync_delete_state()) where
we already

pfsync: fix pfsync_undefer_state() locking

pfsync_undefer_state() takes the bucket lock, but could get called from
places (e.g. from pfsync_update_state() or pfsync_delete_state()) where
we already held the lock.

As it can also be called from places where we don't yet hold the lock
create new locked variant for use when the lock is already held. Keep
using pfsync_undefer_state() where the lock must still be taken.

PR: 268246
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC (Netgate)

show more ...

pfsync: add missing unlock in pfsync_defer_tmo()

The callout for pfsync_defer_tmo() is created with
CALLOUT_RETURNUNLOCKED, because while the callout framework takes care
of taking the lock we want

pfsync: add missing unlock in pfsync_defer_tmo()

The callout for pfsync_defer_tmo() is created with
CALLOUT_RETURNUNLOCKED, because while the callout framework takes care
of taking the lock we want to run a few operations outside of the lock,
so we unlock ourselves.

However, if `sc->sc_sync_if == NULL` we return without releasing the
lock, and leak the lock, causing later deadlocks.
Ensure we always release the bucket lock when we exit pfsync_defer_tmo()

PR: 268246
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC (Netgate)

show more ...

pfsync: ensure 'error' is always initialised

Reported by: Herbert J. Skuhra <herbert@gojira.at>
MFC after: 2 weeks

pfsync: support deferring IPv6 packets

When we send out a deferred packet we must make sure to call
ip6_output() for IPv6 packets. If not we might end up attempting to
ip_fragment() an IPv6 packet,

pfsync: support deferring IPv6 packets

When we send out a deferred packet we must make sure to call
ip6_output() for IPv6 packets. If not we might end up attempting to
ip_fragment() an IPv6 packet, which could lead to us reading outside of
the mbuf.

PR: 268246
Reviewed by: melifaro, zlei
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D38586

show more ...

pfsync: add missing bucket lock

pfsync_q_ins() expects us to hold the bucket lock, but when we enter it
from pfsync_state_import() we don't.

MFC after: 2 weeks

IfAPI: Explicitly include <net/if_private.h> in netstack

Summary:
In preparation of making if_t completely opaque outside of the netstack,
explicitly include the header. <net/if_var.h> will stop in

IfAPI: Explicitly include <net/if_private.h> in netstack

Summary:
In preparation of making if_t completely opaque outside of the netstack,
explicitly include the header. <net/if_var.h> will stop including the
header in the future.

Sponsored by: Juniper Networks, Inc.
Reviewed by: glebius, melifaro
Differential Revision: https://reviews.freebsd.org/D38200

show more ...

pf: fix panic on deferred packets

The pfsync_defer_tmo() callout needs to set the correct vnet before it
can transmit packets. It used the rcvif in the mbuf to get this vnet,
but that doesn't work f

pf: fix panic on deferred packets

The pfsync_defer_tmo() callout needs to set the correct vnet before it
can transmit packets. It used the rcvif in the mbuf to get this vnet,
but that doesn't work for locally originated traffic. In that case the
rcvif pointer is NULL, and the dereference leads to a panic.

Instead use the sc_sync_if, which is always set (if pfsync is enabled,
at least).

PR: 268246
MFC after: 2 weeks

show more ...

pfsync: fix memory leak

The recent refactoring to prepare for pfsync over IPv6 introduced a
memory leak.
If we don't have a sync peer configured we return early (without sending
out a packet), but f

pfsync: fix memory leak

The recent refactoring to prepare for pfsync over IPv6 introduced a
memory leak.
If we don't have a sync peer configured we return early (without sending
out a packet), but failed to free the newly allocated packet.

Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pfsync: prepare code to accommodate AF_INET6 family

Work is ongoing to add support for pfsync over IPv6. This required some
changes to allow for differentiating between the two families in a more
ge

pfsync: prepare code to accommodate AF_INET6 family

Work is ongoing to add support for pfsync over IPv6. This required some
changes to allow for differentiating between the two families in a more
generic way.

This patch converts the relevant ioctls to using nvlists, making future
extensions (such as supporting IPv6 addresses) easier.

Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D36277

show more ...

pf: make pfsync_state_import appease an assert in pf_free_state

The newly created state failed to be inserted anywhere. This follows
other places.

Reviewed by: kp
Sponsored by: Rubicon Communicatio

pf: make pfsync_state_import appease an assert in pf_free_state

The newly created state failed to be inserted anywhere. This follows
other places.

Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pfsync: replace struct pfsync_pkt with int flags

Get rid of struct pfsync_pkt. It was used to store data on the stack to
pass to all the submessage handlers, but only the flags part of it was
ever u

pfsync: replace struct pfsync_pkt with int flags

Get rid of struct pfsync_pkt. It was used to store data on the stack to
pass to all the submessage handlers, but only the flags part of it was
ever used. Just pass the flags directly instead.

Reviewed by: kp
Obtained from: OpenBSD
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D36294

show more ...

protosw: separate pr_input and pr_ctlinput out of protosw

The protosw KPI historically has implemented two quite orthogonal
things: protocols that implement a certain kind of socket, and
protocols t

protosw: separate pr_input and pr_ctlinput out of protosw

The protosw KPI historically has implemented two quite orthogonal
things: protocols that implement a certain kind of socket, and
protocols that are IPv4/IPv6 protocol. These two things do not
make one-to-one correspondence. The pr_input and pr_ctlinput methods
were utilized only in IP protocols. This strange duality required
IP protocols that doesn't have a socket to declare protosw, e.g.
carp(4). On the other hand developers of socket protocols thought
that they need to define pr_input/pr_ctlinput always, which lead to
strange dead code, e.g. div_input() or sdp_ctlinput().

With this change pr_input and pr_ctlinput as part of protosw disappear
and IPv4/IPv6 get their private single level protocol switch table
ip_protox[] and ip6_protox[] respectively, pointing at array of
ipproto_input_t functions. The pr_ctlinput that was used for
control input coming from the network (ICMP, ICMPv6) is now represented
by ip_ctlprotox[] and ip6_ctlprotox[].

ipproto_register() becomes the only official way to register in the
table. Those protocols that were always static and unlikely anybody
is interested in making them loadable, are now registered by ip_init(),
ip6_init(). An IP protocol that considers itself unloadable shall
register itself within its own private SYSINIT().

Reviewed by: tuexen, melifaro
Differential revision: https://reviews.freebsd.org/D36157

show more ...

protosw: retire pr_output method

The only place to execute this method was raw_usend(). Only those
protocols that used raw socket were able to actually enter that method.
All pr_output assignments b

protosw: retire pr_output method

The only place to execute this method was raw_usend(). Only those
protocols that used raw socket were able to actually enter that method.
All pr_output assignments being deleted by this commit were a dead code
for many years.

Reviewed by: melifaro
Differential revision: https://reviews.freebsd.org/D36126

show more ...

Adjust function definitions in if_pfsync.c to avoid clang 15 warnings

With clang 15, the following -Werror warnings are produced:

sys/netpfil/pf/if_pfsync.c:2439:21: error: a function declarati

Adjust function definitions in if_pfsync.c to avoid clang 15 warnings

With clang 15, the following -Werror warnings are produced:

sys/netpfil/pf/if_pfsync.c:2439:21: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
pfsync_pointers_init()
^
void
sys/netpfil/pf/if_pfsync.c:2453:23: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
pfsync_pointers_uninit()
^
void
sys/netpfil/pf/if_pfsync.c:2503:12: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
pfsync_init()
^
void
sys/netpfil/pf/if_pfsync.c:2524:14: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
pfsync_uninit()
^
void

This is because pfsync_pointers_init(), pfsync_pointers_uninit(),
pfsync_init(), and pfsync_uninit() are declared with (void) argument
lists, but defined with empty argument lists. Make the definitions match
the declarations.

MFC after: 3 days

show more ...

Fix unused variable warning in if_pfsync.c

With clang 15, the following -Werror warning is produced:

sys/netpfil/pf/if_pfsync.c:2153:9: error: variable 'sent' set but not used [-Werror,-Wunused

Fix unused variable warning in if_pfsync.c

With clang 15, the following -Werror warning is produced:

sys/netpfil/pf/if_pfsync.c:2153:9: error: variable 'sent' set but not used [-Werror,-Wunused-but-set-variable]
int i, sent = 0;
^

The 'sent' variable was used in the for loop later in the
pfsync_bulk_update() function, but refactoring in 4fc65bcbe3fb7 got rid
of it. Remove the variable since it no longer serves any purpose.

MFC after: 3 days

show more ...

pfsync: NULL check before dereference

Move the use of 'sc' to after the NULL check.
It's very unlikely that we'd actually hit this, but Coverity is correct
that it's not a good idea to dereference t

pfsync: NULL check before dereference

Move the use of 'sc' to after the NULL check.
It's very unlikely that we'd actually hit this, but Coverity is correct
that it's not a good idea to dereference the pointer and only then NULL
check it.

Reported by: Coverity (CID 1398362)
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pfsync: Add CTLFLAG_VNET to carp_demotion_factor sysctl

When trying to avoid a CARP demotion during a pfsync service restart, I
noticed that a non-default value for the net.pfsync.carp_demotion_fact

pfsync: Add CTLFLAG_VNET to carp_demotion_factor sysctl

When trying to avoid a CARP demotion during a pfsync service restart, I
noticed that a non-default value for the net.pfsync.carp_demotion_factor
sysctl was not being applied during the demotion. The CARP was always
demoted by 240.

After investigating, I realized that the sysctl was using VNET_NAME()
without the CTLFLAG_VNET.

PR: 262983
Reviewed by: kp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D34737

show more ...

pfsync: fix incorrect enabling of defer mode

When we exposed the PFSYNCF_OK flag to userspace in 5f5bf88949d we
unintentionally caused defer mode to always be enabled.
The ioctl check only looked fo

pfsync: fix incorrect enabling of defer mode

When we exposed the PFSYNCF_OK flag to userspace in 5f5bf88949d we
unintentionally caused defer mode to always be enabled.
The ioctl check only looked for nonzero, not for the PFSYNCF_DEFER flag.

Fix this check and ensure ifconfig sets the flag.

Reviewed by: glebius
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33244

show more ...

pfsync: locking fixes

* Ensure we unlock the pfsync lock in pfsync_defer()
* We must hold the bucket lock when calling pfsync_push()
* The pfsync_defer_tmo() callout locks the bucket lock, not th

pfsync: locking fixes

* Ensure we unlock the pfsync lock in pfsync_defer()
* We must hold the bucket lock when calling pfsync_push()
* The pfsync_defer_tmo() callout locks the bucket lock, not the pfsync
lock

Reviewed by: glebius
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33243

show more ...

pfsync: fix defer timeout

Don't use a fixed number of ticks, but take hz into account so we have a
consistent timeout, regardless of what hz is set up.
Use a 20ms timeout, becaues that's what OpenBS

pfsync: fix defer timeout

Don't use a fixed number of ticks, but take hz into account so we have a
consistent timeout, regardless of what hz is set up.
Use a 20ms timeout, becaues that's what OpenBSD uses.

Reviewed by: glebius
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33242

show more ...

pfsync: check IFF_DRV_RUNNING in the correct field

This flag is stored in if_drv_flags, not if_flags.

Reviewed by: glebius
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Di

pfsync: check IFF_DRV_RUNNING in the correct field

This flag is stored in if_drv_flags, not if_flags.

Reviewed by: glebius
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33241

show more ...