644b7b5a | 19-Jul-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCGETADDRS to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

271f1469 | 17-Jul-2024 | Kristof Provost <kp@FreeBSD.org>
pf: vnet-ify pf_hashsize, pf_hashmask, pf_srchashsize and V_pf_srchashmask

These variables are tunables, so in principle they never change at runtime. That would mean they don't need to be tracked per-vnet.

However, they both can be decreased (back to their default values) if the memory allocations for their respective tables fail, and these allocations are per-vnet. That is, it's possible for a few vnets to be started and have the tuned size for the hash and srchash tables only to have later vnets fail the initial allocation and fall back to smaller allocations. That would confuse the previously created vnets (because their actual table size and size/mask variables would no longer match).

Avoid this by turning these into per-vnet variables.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

d909f06b | 16-Jul-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCADDADDR to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

b6196537 | 20-Jun-2024 | Mateusz Guzik <mjg@FreeBSD.org>
pf: fix the "keepcounters" to stop truncating to 32-bit

The machinery to support 64-bit counters even on 32-bit kernels had a bug where it would unintentionally truncate the value back to 32 bits when transferring to a new counter. This resulted in buggy behavior on 64-bit kernels as well.

Sponsored by: Rubicon Communications, LLC ("Netgate")

ba2a9207 | 07-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCBEGINADDRS to netlink

d9ab8999 | 07-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pf: migrate DIOCGETLIMIT/DIOCSETLIMIT to netlink

Event: Kitchener-Waterloo Hackathon 202406

30bad751 | 05-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCGETTIMEOUT/DIOCSETTIMEOUT to netlink

4779b16f | 04-Jun-2024 | Kristof Provost <kp@FreeBSD.org>
pf: fix overly large copy in pf_rule_to_krule()

The timeout array in struct pf_rule has PFTM_OLD_MAX entries, the one in struct pf_krule has PFTM_MAX entries (and PFTM_MAX > PFTM_OLD_MAX). Use the smaller of the sizes when copying.

Reported by: CheriBSD
MFC after: 1 week
Event: Kitchener-Waterloo Hackathon 202406

Revision tags: release/14.1.0

9dbbe68b | 30-May-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert DIOCCLRSTATUS to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

Revision tags: release/13.3.0

706d465d | 26-Feb-2024 | Kristof Provost <kp@FreeBSD.org>
pf: convert kill/clear state to use netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44090

777a4702 | 12-Jan-2024 | Kristof Provost <kp@FreeBSD.org>
pf: implement addrule via netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

9d784da3 | 30-Jan-2024 | Igor Ostapenko <pm@igoro.pro>
pf: uncomment counter asserts after mem leak fix

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D43657

04932601 | 07-Dec-2023 | Kristof Provost <kp@FreeBSD.org>
pf: store state creation/expiration timestamps with millisecond precision

The primary beneficiary is pflow(4), which expects millisecond precision in timestamps.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D43112

baf9b6d0 | 01-Dec-2023 | Kristof Provost <kp@FreeBSD.org>
pf: allow pflow to be activated per rule

Only generate ipfix/netflow reports (through pflow) for the rules where this is enabled. Reports can also be enabled globally through 'set state-default pflow'.

Obtained from: OpenBSD
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D43108

f92d9b1a | 28-Nov-2023 | Kristof Provost <kp@FreeBSD.org>
pflow: import from OpenBSD

pflow is a pseudo device to export flow accounting data over UDP. It's compatible with netflow version 5 and IPFIX (10).

The data is extracted from the pf state table. States are exported once they are removed.

Reviewed by: melifaro
Obtained from: OpenBSD
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D43106

0626d30e | 29-Nov-2023 | Igor Ostapenko <pm@igoro.pro>
pf: fix mem leaks upon vnet destroy

Add missing cleanup actions:
- remove user defined anchor rulesets
- remove user defined ether anchor rulesets
- remove tables linked to user defined anchors
- deal with wildcard anchor peculiarities to get them removed correctly

PR: 274310
Reviewed by: kp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D42747

44f323ec | 25-Nov-2023 | Kristof Provost <kp@FreeBSD.org>
pf: implement DIOCGETRULES via netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

Revision tags: release/14.0.0

a6173e94 | 06-Nov-2023 | Kristof Provost <kp@FreeBSD.org>
pf: expose more syncookie state information to userspace

Allow userspace to retrieve low and high water marks, as well as the current number of half open states.

MFC after: 1 week
Sponsored by: Modirum MDPay

ca9dbde8 | 27-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: support SCTP-specific timeouts

Allow SCTP state timeouts to be configured independently from TCP state timeouts.

Reviewed by: tuexen
MFC after: 1 week
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D42393

4f337550 | 20-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: allow states to be killed by their pre-NAT address

If a connection is NAT-ed we could previously only terminate it by its ID or the post-NAT IP address. Allow users to specify they want to look for the state by its pre-NAT address. Usage: `pfctl -k nat -k <address>`.

See also: https://redmine.pfsense.org/issues/11556
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42312

ffbf2595 | 14-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: convert rule addition to netlink

The nvlist-based version will be removed in FreeBSD 16.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42279

81647eb6 | 10-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: implement start/stop calls via netlink

Implement equivalents to DIOCSTART and DIOCSTOP in netlink. Provide a libpfctl implementation and add a basic test case, mostly to verify that we still return the same errors as before the conversion.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42145

ebfd3b22 | 06-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: move DIOCGETSTATES(V2) to COMPAT_FREEBSD14

We now have an improved version (via netlink). The old-style ioctl will be removed in FreeBSD 16.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42101

2cef6288 | 15-Sep-2023 | Alexander V. Chernikov <melifaro@FreeBSD.org>
pf: convert state retrieval to netlink

Use netlink to export pf's state table.

The primary motivation is to improve how we deal with very large state tables. With the previous implementation we had to build the entire list (both in the kernel and in userspace) before we could start processing. With netlink we start to get data in userspace while the kernel is still generating more. This reduces peak memory consumption (which can get to the GB range once we hit millions of states).

Netlink also makes future extension easier, in that we can easily add fields to the state export without breaking userspace. In that regard it's similar to an nvlist-based approach, except that it also deals with transport to userspace and that it performs significantly better than nvlists. Testing has failed to measure a performance difference between the previous struct-copy based ioctl and the netlink approach.

Differential Revision: https://reviews.freebsd.org/D38888

c531c1d1 | 22-Sep-2023 | Zhenlei Huang <zlei@FreeBSD.org>
pf: Convert PF_DEFAULT_TO_DROP into a vnet loader tunable 'net.pf.default_to_drop'

7f7ef494f11d introduced a compile time option PF_DEFAULT_TO_DROP to make the pf(4) default rule drop. This change exposes a vnet loader tunable 'net.pf.default_to_drop' so that users can change the default rule without re-compiling the pf(4) module.

This change is similar to that for IPFW [1].

[1] 5f17ebf94db5 Convert IPFW_DEFAULT_TO_ACCEPT into a loader tunable 'net.inet.ip.fw.default_to_accept'

Reviewed by: #network, kp
MFC after: 2 weeks
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D39866
