pf: remove PFLOGIFS_MAX

There was a limit on the number of pflog interfaces - 16. remove that.
mostly by dynamically allocating pflogifs instead of making that a static
array. ok claudio zinke

Obta

pf: remove PFLOGIFS_MAX

There was a limit on the number of pflog interfaces - 16. remove that.
mostly by dynamically allocating pflogifs instead of making that a static
array. ok claudio zinke

Obtained from: OpenBSD, henning <henning@openbsd.org>, ab0a082ea6
Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pf: add a dedicated pf pool for route options

As suggested by henning.
Which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio

pf: add a dedicated pf pool for route options

As suggested by henning.
Which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@

Obtained from: OpenBSD, jsg <jsg@openbsd.org>, 7fa5c09028
Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pf: check rather than assert pool type

These pool types are passed by userspace, so we must check rather than assert
they are valid.

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: nat64

Since the IPv6 madness is not enough introduce NAT64 -- which is actually
"af-to" a generic IP version translator for pf(4).
Not everything perfect yet but lets fix these things in the tre

pf: nat64

Since the IPv6 madness is not enough introduce NAT64 -- which is actually
"af-to" a generic IP version translator for pf(4).
Not everything perfect yet but lets fix these things in the tree.
Insane amount of work done by sperreault@, mikeb@ and reyk@.
Looked over by mcbride@ henning@ and myself at eurobsdcon.
OK mcbride@ and general put it in from deraadt@

Obtained from: OpenBSD, claudio <claudio@openbsd.org>, 97326e01c9
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47786

show more ...

pf: partially import OpenBSD's NAT rewrite

We won't follow this fully, because it involves breaking syntax changes
(removing nat/rdr rules and moving this functionality into regular rules) as
well a

pf: partially import OpenBSD's NAT rewrite

We won't follow this fully, because it involves breaking syntax changes
(removing nat/rdr rules and moving this functionality into regular rules) as
well as behaviour changes because NAT is now done after the rules evaluation,
rather than before it.

We import some related changes anyway, because it paves the way for nat64
support.
This change introduces a new pf_kpool in struct pf_krule, for nat. It is not yet
used (but will be for nat64) and renames the existing 'rpool' to 'rdr'.

Obtained from: OpenBSD, henning <henning@openbsd.org>, 0ef3d4febe
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47783

show more ...

pf: Move route-to information to rule actions

Route-to redirection information (rt, rt_kif, rt_addr) can be considered an
action of a rule. This information is duplicated in struct pf_kstate which
m

pf: Move route-to information to rule actions

Route-to redirection information (rt, rt_kif, rt_addr) can be considered an
action of a rule. This information is duplicated in struct pf_kstate which
means that the pf_route() function must always figure out where to get this
information from: state for stateful forwarding, or rule for stateless.

Create the necessary members in struct pf_rule_action. Fill them in right after
parsing the ruleset, similar for how NAT redirection is applied right after
parsing the NAT ruleset. Remove the logic for finding the right source for
route-to redirection from pf_route().

As a bonus simplify pf_map_addr_sn() and source node handling. Both for the
NAT and the filter ruleset there is now only one path:
1. parse the rules
2. apply redirection either from an existing source node or by load balancing
for the last matching rule
3. create the source node using the redirection if the node does not yet exist

Reviewed by: kp
Approved by: kp (mentor)
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D47827

show more ...

pf: Fix missing connection rate for DIOCGETSRCNODES

The function pf_src_node_copy() copies struct pf_ksrc_node to its ioctl
counterpart. It was missing copying of the conn_rate field, even though
th

pf: Fix missing connection rate for DIOCGETSRCNODES

The function pf_src_node_copy() copies struct pf_ksrc_node to its ioctl
counterpart. It was missing copying of the conn_rate field, even though
the code for adjusting the output for pfctl was in place.

Add copying of conn_rate.

Reviewed by: kp
Approved by: kp (mentor)
MFC after: 2 weeks
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D47679

show more ...

pf: Merge pf_clear_srcnodes() and pf_kill_srcnodes()

The functions pf_clear_srcnodes() and pf_kill_srcnodes() serve the same
purpose, however the former kills all source nodes while the later only
a

pf: Merge pf_clear_srcnodes() and pf_kill_srcnodes()

The functions pf_clear_srcnodes() and pf_kill_srcnodes() serve the same
purpose, however the former kills all source nodes while the later only
a selected subset of them.

They differ in how they reach that goal. pf_clear_srcnodes() first
iterates over all states and detaches the source nodes from them. Then
it iterates over all source nodes and marks them as expired leaving the
cleanup to pf_purge_expired_src_nodes().

If a new state and a new source node are created between iterating over
all states and all source nodes, this source node will have its state
counter set to 0 and expiry to 1, marking it as expired without properly
detaching the state from it. Later the source node will be freed with
the state sill pointing to it.

The function pf_kill_srcnodes() performs the same operation in a safer
manner by first marking the required source nodes as expiring and then
iterating over all states and checking which states point to expiring
nodes. Any source node created between iterating over states and source
nodes will simply be ignored.

Add functionality of killing all source nodes to pf_kill_srcnodes().
Replace all calls to pf_clear_srcnodes() with a calls to
pf_kill_srcnodes(), and remove the former.

Reviewed by: kp
Approved by: kp (mentor)
Differential Revision: https://reviews.freebsd.org/D47440

show more ...

pf: convert DIOCGETRULESET to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46938

pf: convert DIOCGETRULESETS to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46930

pf: replace union pf_krule_ptr with struct pf_krule in in-kernel structs

There is no need for the union pf_krule_ptr for kernel-only structs like
pf_kstate and pf_ksrc_node. The rules are always acc

pf: replace union pf_krule_ptr with struct pf_krule in in-kernel structs

There is no need for the union pf_krule_ptr for kernel-only structs like
pf_kstate and pf_ksrc_node. The rules are always accessed by pointer. The rule
numbers are a leftover from using the same structure for pfctl(8) and pf(4).

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46868

show more ...

pf: pf_clear_srcnodes() is always called with NULL

The functions pf_clear_srcnodes() is only used to perform a removal of
all source nodes, never of a given one. Remove the code allowing for
removal

pf: pf_clear_srcnodes() is always called with NULL

The functions pf_clear_srcnodes() is only used to perform a removal of
all source nodes, never of a given one. Remove the code allowing for
removal of a given source node.

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46819

show more ...

pf: merge pf_test() and pf_test6()

Bye bye pf_test6(). Only one pf_test function for both IPv4 and v6.
The functions were 95% identical anyway.
OK bluhm@ mcbride@ and most probably henning@ as well

pf: merge pf_test() and pf_test6()

Bye bye pf_test6(). Only one pf_test function for both IPv4 and v6.
The functions were 95% identical anyway.
OK bluhm@ mcbride@ and most probably henning@ as well

Obtained from: OpenBSD, claudio <claudio@openbsd.org>, c8bc4f6e29
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46649

show more ...

pf: remove pointless CURVNET_SET

We're already in the correct vnet when the pfil hook is called. Remove the
pointless set/restore.

Reviewed by: glebius, zlei
Sponsored by: Rubicon Communications, L

pf: remove pointless CURVNET_SET

We're already in the correct vnet when the pfil hook is called. Remove the
pointless set/restore.

Reviewed by: glebius, zlei
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46648

show more ...

pf: allow filtering on the receive interface

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
whic

pf: allow filtering on the receive interface

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

ive been running this in production for a week now. i find it particularly
usefull with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf

Obtained from: OpenBSD, dlg <dlg@openbsd.org>, 95b4320893
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46577

show more ...

pf: ensure we exit net_epoch if pf_keth_anchor_nvcopyout() fails

Reviewed by: markj
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46599

pf: Stop checking for failures from malloc(M_WAITOK)

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D45852

pf: 'sticky-address' requires 'keep state'

When route_to() processes a packet without state, pf_map_addr() is called for
each packet. Pf_map_addr() will search for a source node and will find none
s

pf: 'sticky-address' requires 'keep state'

When route_to() processes a packet without state, pf_map_addr() is called for
each packet. Pf_map_addr() will search for a source node and will find none
since those are created only in pf_create_state(). Thus sticky address,
even though requested in rule definition, will never work.

Raise an error when a stateless filter rule uses sticky address to avoid
confusion and to keep ruleset limitations in sync with what the pf code
really does.

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46310

show more ...

pf: Convert struct pf_addr_wrap before sending it over netlink

The struct pf_addr_wrap when used inside of kernel operates on pointers to
tables or interfaces. When reading a ruleset the struct must

pf: Convert struct pf_addr_wrap before sending it over netlink

The struct pf_addr_wrap when used inside of kernel operates on pointers to
tables or interfaces. When reading a ruleset the struct must contain
counters calculated from the aforementioned tables and interfaces. Both the
pointers and the resulting counters are stored in an union and thus can't be
present in the struct at the same time.

The original ioctl code handles this by making a copy of struct pf_addr_wrap
for pool addresses, accessing the table or interface structures by their
pointers, calculating the counter values and storing them in place of those
pointers in the copy. Then this copy is sent over ioctl.

Use this mechanism for netlink too. Create a copy of src/dst addresses. Use
the existing function pf_addr_copyout() to convert pointers to counters both
for src/dst and pool addresses.

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46291

show more ...

pf: convert DIOCGETADDR to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: convert DIOCGETADDRS to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: vnet-ify pf_hashsize, pf_hashmask, pf_srchashsize and V_pf_srchashmask

These variables are tunables, so in principle they never change at runtime.
That would mean they don't need to be tracked p

pf: vnet-ify pf_hashsize, pf_hashmask, pf_srchashsize and V_pf_srchashmask

These variables are tunables, so in principle they never change at runtime.
That would mean they don't need to be tracked per-vnet.

However, they both can be decreased (back to their default values) if the
memory allocations for their respective tables fail, and these allocations are
per-vnet. That is, it's possible for a few vnets to be started and have the
tuned size for the hash and srchash tables only to have later vnets fail the
initial allocation and fall back to smaller allocations. That would confuse
the previously created vnets (because their actual table size and size/mask
variables would no longer match).

Avoid this by turning these into per-vnet variables.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pf: convert DIOCADDADDR to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: fix the "keepcounters" to stop truncating to 32-bit

The machinery to support 64-bit counters even on 32-bit kernels had a
bug where it would unitentionally truncate the value back to 32-bits
whe

pf: fix the "keepcounters" to stop truncating to 32-bit

The machinery to support 64-bit counters even on 32-bit kernels had a
bug where it would unitentionally truncate the value back to 32-bits
when transferring to a new counter. This resulted in buggy be behavior
on 64-bit kernels as well.

Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pf: convert DIOCBEGINADDRS to netlink