pf: convert DIOCRCLRTSTATS to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: convert DIOCRGETTSTATS to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: Add support for multiple source node types

For every state pf creates up to two source nodes: a limiting one
struct pf_kstate -> src_node and a NAT one struct pf_kstate -> nat_src_node.
The limi

pf: Add support for multiple source node types

For every state pf creates up to two source nodes: a limiting one
struct pf_kstate -> src_node and a NAT one struct pf_kstate -> nat_src_node.
The limiting source node is tracking information needed for limits using
max-src-states and max-src-nodes and the NAT source node is tracking NAT
rules only.

On closer inspection some issues emerge:
- For route-to rules the redirection decision is stored in the limiting source
node. Thus sticky-address and source limiting can't be used separately.
- Global source tracking, as promised in the man page, is totally absent from
the code. Pfctl is capable of setting flags PFRULE_SRCTRACK (enable source
tracking) and PFRULE_RULESRCTRACK (make source tracking per rule). The kernel
code checks PFRULE_SRCTRACK but ignores PFRULE_RULESRCTRACK. That makes
source tracking work per-rule only.

This patch is based on OpenBSD approach where source nodes have a type and each
state has an array of source node pointers indexed by source node type
instead of just two pointers. The conditions for limiting are applied
only to source nodes of PF_SN_LIMIT type. For global limit tracking
source nodes are attached to the default rule.

Reviewed by: kp
Approved by: kp (mentor)
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D39880

show more ...

pf: support negated matches on the rcvif

ok dlg benno

Obtained from: OpenBSD, henning <henning@openbsd.org>, 08c03b768d
Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: convert DIOCRDELTABLES to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: convert DIOCRADDTABLES to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

netlink: refactor KPI for generic Netlink modules

Now that the family and group are completely private to netlink_generic.c,
provide a simple and robust KPI, that would require very simple guarantee

netlink: refactor KPI for generic Netlink modules

Now that the family and group are completely private to netlink_generic.c,
provide a simple and robust KPI, that would require very simple guarantees
from both KPI and the module:

* Strings are used only for family and group registration, that return ID:
uint16_t genl_register_family(const char *name, ...
uint32_t genl_register_group(uint16_t family, const char *name, ...
* Once created families and groups are guaranteed to not disappear and
be addressable by their ID.
* All subsequent calls, including deregistration shall use ID.

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D48845

show more ...

pf: add a dedicated pf pool for route options

As suggested by henning.
Which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio

pf: add a dedicated pf pool for route options

As suggested by henning.
Which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@

Obtained from: OpenBSD, jsg <jsg@openbsd.org>, 7fa5c09028
Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pf: convert DIOCRCLRTABLES to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: netlink KPI use cleanup

- use nlf_p_empty instead of declaring own empty array
- don't declare _IN() macro when we don't parse a header

Reviewed by: kp
Differential Revision: https://reviews.f

pf: netlink KPI use cleanup

- use nlf_p_empty instead of declaring own empty array
- don't declare _IN() macro when we don't parse a header

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D48306

show more ...

pfctl: change for af-to / NAT64 support.

The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP

pfctl: change for af-to / NAT64 support.

The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extraced
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@

Obtained from: OpenBSD, claudio <claudio@openbsd.org>, 0cde32ce3f
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47790

show more ...

pf: fix state export in the face of NAT64

Now that we can NAT64 we can have states where the wire and stack address
families (and protocol) are different. Update the state export code to account
fo

pf: fix state export in the face of NAT64

Now that we can NAT64 we can have states where the wire and stack address
families (and protocol) are different. Update the state export code to account
for this.

We keep exporting address family and protocol outside of the key, for backwards
compatibility. This'll return misleading information to userspace in the NAT64
case, but it's assumed that userspace will either understand NAT64 (and thus
look for them in the correct place), or not configure it.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47787

show more ...

pf: nat64

Since the IPv6 madness is not enough introduce NAT64 -- which is actually
"af-to" a generic IP version translator for pf(4).
Not everything perfect yet but lets fix these things in the tre

pf: nat64

Since the IPv6 madness is not enough introduce NAT64 -- which is actually
"af-to" a generic IP version translator for pf(4).
Not everything perfect yet but lets fix these things in the tree.
Insane amount of work done by sperreault@, mikeb@ and reyk@.
Looked over by mcbride@ henning@ and myself at eurobsdcon.
OK mcbride@ and general put it in from deraadt@

Obtained from: OpenBSD, claudio <claudio@openbsd.org>, 97326e01c9
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47786

show more ...

pf: partially import OpenBSD's NAT rewrite

We won't follow this fully, because it involves breaking syntax changes
(removing nat/rdr rules and moving this functionality into regular rules) as
well a

pf: partially import OpenBSD's NAT rewrite

We won't follow this fully, because it involves breaking syntax changes
(removing nat/rdr rules and moving this functionality into regular rules) as
well as behaviour changes because NAT is now done after the rules evaluation,
rather than before it.

We import some related changes anyway, because it paves the way for nat64
support.
This change introduces a new pf_kpool in struct pf_krule, for nat. It is not yet
used (but will be for nat64) and renames the existing 'rpool' to 'rdr'.

Obtained from: OpenBSD, henning <henning@openbsd.org>, 0ef3d4febe
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47783

show more ...

netlink: use nitems() and roundup(2) from param.h

While here style nested includes (kernel ones go first).

Reviewed by: melifaro
Differential Revision: https://reviews.freebsd.org/D47557

pf: Move route-to information to rule actions

Route-to redirection information (rt, rt_kif, rt_addr) can be considered an
action of a rule. This information is duplicated in struct pf_kstate which
m

pf: Move route-to information to rule actions

Route-to redirection information (rt, rt_kif, rt_addr) can be considered an
action of a rule. This information is duplicated in struct pf_kstate which
means that the pf_route() function must always figure out where to get this
information from: state for stateful forwarding, or rule for stateless.

Create the necessary members in struct pf_rule_action. Fill them in right after
parsing the ruleset, similar for how NAT redirection is applied right after
parsing the NAT ruleset. Remove the logic for finding the right source for
route-to redirection from pf_route().

As a bonus simplify pf_map_addr_sn() and source node handling. Both for the
NAT and the filter ruleset there is now only one path:
1. parse the rules
2. apply redirection either from an existing source node or by load balancing
for the last matching rule
3. create the source node using the redirection if the node does not yet exist

Reviewed by: kp
Approved by: kp (mentor)
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D47827

show more ...

pf: Fix timestamps and connection rate in source node export

When copying struct pf_ksrc_node into a netlink message some fields
change their meaning. In kernel creation and expire fields are storin

pf: Fix timestamps and connection rate in source node export

When copying struct pf_ksrc_node into a netlink message some fields
change their meaning. In kernel creation and expire fields are storing
number of seconds since boot.

Add conversion to number of seconds relative to moment of exporting the
source node via netlink, as this is what pfctl expects. Add conversion
of connection rate count.

Reviewed by: kp
Approved by: kp (mentor)
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D47321

show more ...

pf: fix cmd id for PFNL_CMD_GET_ADDR

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: Fix a use of an uninitialized variable

pf_find_state_all() expects the caller to initialize "*more" if it is
non-NULL, but pf_handle_natlook() didn't obey this protocol. Follow the
pattern from

pf: Fix a use of an uninitialized variable

pf_find_state_all() expects the caller to initialize "*more" if it is
non-NULL, but pf_handle_natlook() didn't obey this protocol. Follow the
pattern from OpenBSD and initialize it in the caller.

Also make pf_find_state_all() unconditionally initialize "*more" for
good measure.

Fixes: 71d3c7041d70 ("pf: convert DIOCNATLOOK to netlink")
Reported by: KMSAN
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D47405

show more ...

pf: convert DIOCGETSRCNODES to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: convert DIOCGETRULESET to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46938

pf: convert DIOCGETRULESETS to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46930

pf: replace union pf_krule_ptr with struct pf_krule in in-kernel structs

There is no need for the union pf_krule_ptr for kernel-only structs like
pf_kstate and pf_ksrc_node. The rules are always acc

pf: replace union pf_krule_ptr with struct pf_krule in in-kernel structs

There is no need for the union pf_krule_ptr for kernel-only structs like
pf_kstate and pf_ksrc_node. The rules are always accessed by pointer. The rule
numbers are a leftover from using the same structure for pfctl(8) and pf(4).

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46868

show more ...

pf: fix max-src-conn when rules are added via netlink

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46797

pf: fix incorrect parsing of state export filter

We saved the af parameter to the proto field.

Sponsored by: Rubicon Communications, LLC ("Netgate")