#
9c125336 |
| 11-Oct-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCGETSRCNODES to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
48f5bf8b |
| 03-Oct-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCGETRULESET to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46938
|
#
25e0f8f9 |
| 01-Oct-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCGETRULESETS to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46930
|
#
7fe42038 |
| 27-Sep-2024 |
Kajetan Staszkiewicz <vegeta@tuxpowered.net> |
pf: fix max-src-conn when rules are added via netlink
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46797
|
Revision tags: release/13.4.0 |
|
#
2339ead6 |
| 29-Aug-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: allow filtering on the receive interface
add support to pf for filtering a packet by the interface it was received on. use the received-on IFNAME filter option on a pf.conf rule to restrict which packet the interface had to be received on. eg:
pass out on em0 from $foo to $bar received-on fxp0
I've been running this in production for a week now. I find it particularly useful with interface groups.
no objections, and a few "i like"s from henning, claudio, deraadt, mpf
Obtained from: OpenBSD, dlg <dlg@openbsd.org>, 95b4320893
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46577
|
#
9ae91f59 |
| 19-Jul-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCGETADDR to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
644b7b5a |
| 19-Jul-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCGETADDRS to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
d909f06b |
| 16-Jul-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCADDADDR to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
ba2a9207 |
| 07-Jun-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCBEGINADDRS to netlink
|
#
d9ab8999 |
| 07-Jun-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: migrate DIOCGETLIMIT/DIOCSETLIMIT to netlink
Event: Kitchener-Waterloo Hackathon 202406
|
#
30bad751 |
| 05-Jun-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCGETTIMEOUT/DIOCSETTIMEOUT to netlink
|
#
c36c90a2 |
| 01-Jun-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCSETDEBUG to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
71d3c704 |
| 31-May-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCNATLOOK to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
Revision tags: release/14.1.0 |
|
#
9dbbe68b |
| 30-May-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCCLRSTATUS to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
5824df8d |
| 23-Mar-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCGETSTATUS to netlink
Introduce pfctl_get_status_h() because we need the pfctl_handle. In this variant use netlink to obtain the information.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
470a2b33 |
| 18-Mar-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCSETSTATUSIF to netlink
While here also add a basic test case for it.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44368
|
Revision tags: release/13.3.0 |
|
#
706d465d |
| 26-Feb-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert kill/clear state to use netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44090
|
#
777a4702 |
| 12-Jan-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: implement addrule via netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
881bf881 |
| 21-Dec-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf: export missing state information
We did not export all of the information pfctl expected to print via the new netlink code. This manifested as pfctl printing 'rtableid: 0', even when there is no rtable set.
While we're addressing that also export other missing fields such as dummynet, min_ttl, max_mss, ..
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
44f323ec |
| 25-Nov-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf: implement DIOCGETRULES via netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
Revision tags: release/14.0.0 |
|
#
044eef6a |
| 16-Oct-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf: support basic filters for state listing
Allow userspace to specify a protocol, interface, address family and/or address and mask, allowing the state listing to be pre-filtered in the kernel.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42280
|
#
ffbf2595 |
| 14-Oct-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert rule addition to netlink
The nvlist-based version will be removed in FreeBSD 16.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42279
|
#
81647eb6 |
| 10-Oct-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf: implement start/stop calls via netlink
Implement equivalents to DIOCSTART and DIOCSTOP in netlink. Provide a libpfctl implementation and add a basic test case, mostly to verify that we still return the same errors as before the conversion.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42145
|
#
a7191e5d |
| 04-Oct-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf: add a way to list creator ids
Allow userspace to retrieve a list of distinct creator ids for the current states.
This is used by pfSense, and used to require dumping all states to userspace. It's rather inefficient to export a (potentially extremely large) state table to obtain a handful (typically 2) of 32-bit integers.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42092
|
#
2cef6288 |
| 15-Sep-2023 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
pf: convert state retrieval to netlink
Use netlink to export pf's state table.
The primary motivation is to improve how we deal with very large state tables. With the previous implementation we had to build the entire list (both in the kernel and in userspace) before we could start processing. With netlink we start to get data in userspace while the kernel is still generating more. This reduces peak memory consumption (which can get to the GB range once we hit millions of states).
Netlink also makes future extension easier, in that we can easily add fields to the state export without breaking userspace. In that regard it's similar to an nvlist-based approach, except that it also deals with transport to userspace and that it performs significantly better than nvlists. Testing has failed to measure a performance difference between the previous struct-copy based ioctl and the netlink approach.
Differential Revision: https://reviews.freebsd.org/D38888
|
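The three properties these commit messages rely on (2cef6288: a multipart dump is consumed record by record before the kernel has serialised the whole table, and new attributes can be appended without breaking older consumers; 044eef6a: the listing is pre-filtered by protocol, interface, address family or address/mask before it is exported; 881bf881: an attribute the kernel did not send must not be read as 0) follow from the netlink wire format itself, not from pf-specific code. The following is an added example, not FreeBSD's kernel or libpfctl code: it models the format with a 16-byte nlmsghdr and 4-byte-aligned nlattr TLVs, the same layout FreeBSD's netlink shares with Linux. The message type, attribute numbers, filter dictionary keys and the three-entry state table are constructed for the example and do not reproduce the real PF_* identifiers.

```python
"""Constructed model of a netlink multipart state dump (added example, not FreeBSD code)."""
import ipaddress
import struct
from typing import Iterable, Iterator, Optional

NLMSG_HDR = struct.Struct("=IHHII")  # nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid
NLA_HDR = struct.Struct("=HH")       # nla_len (incl. header), nla_type
NLM_F_MULTI = 0x02                   # message is part of a multipart dump
NLMSG_DONE = 0x03                    # terminates a multipart dump
MSG_STATE = 0x10                     # hypothetical message type carrying one state

# Hypothetical attribute numbers (not the real pf netlink ones).
A_IFNAME, A_PROTO, A_SRC, A_DST, A_RTABLEID, A_MIN_TTL = 1, 2, 3, 4, 5, 6
OLD_KNOWN = {A_IFNAME, A_PROTO, A_SRC, A_DST, A_RTABLEID}  # what an older consumer understands

# Constructed state table; rtableid -1 stands for "no rtable set".
STATES = [
    {"ifname": "em0", "proto": 6, "src": "10.0.0.5", "dst": "203.0.113.7", "rtableid": -1, "min_ttl": 64},
    {"ifname": "em0", "proto": 17, "src": "10.0.0.9", "dst": "198.51.100.1", "rtableid": 2, "min_ttl": 0},
    {"ifname": "vlan10", "proto": 6, "src": "2001:db8::1", "dst": "2001:db8::2", "rtableid": -1, "min_ttl": 0},
]


def nla_align(n: int) -> int:
    return (n + 3) & ~3


def nla(atype: int, payload: bytes) -> bytes:
    """Encode one attribute: length, type, payload, padded to a 4-byte boundary."""
    length = NLA_HDR.size + len(payload)
    return (NLA_HDR.pack(length, atype) + payload).ljust(nla_align(length), b"\0")


def nlmsg(mtype: int, flags: int, payload: bytes, seq: int = 1) -> bytes:
    total = nla_align(NLMSG_HDR.size + len(payload))
    return (NLMSG_HDR.pack(total, mtype, flags, seq, 0) + payload).ljust(total, b"\0")


def matches(st: dict, filt: dict) -> bool:
    """Kernel-side pre-filter: interface, protocol, address family, address/mask."""
    src, dst = ipaddress.ip_address(st["src"]), ipaddress.ip_address(st["dst"])
    if "ifname" in filt and st["ifname"] != filt["ifname"]:
        return False
    if "proto" in filt and st["proto"] != filt["proto"]:
        return False
    if "af" in filt and src.version != filt["af"]:
        return False
    if "net" in filt:
        net = ipaddress.ip_network(filt["net"])
        if src not in net and dst not in net:
            return False
    return True


def dump_states(filt: dict, export_min_ttl: bool = False,
                emitted: Optional[list] = None) -> Iterator[bytes]:
    """Kernel side: emit each matching state as its own message, then NLMSG_DONE."""
    for st in STATES:
        if not matches(st, filt):
            continue
        attrs = (nla(A_IFNAME, st["ifname"].encode() + b"\0")
                 + nla(A_PROTO, bytes([st["proto"]]))
                 + nla(A_SRC, ipaddress.ip_address(st["src"]).packed)
                 + nla(A_DST, ipaddress.ip_address(st["dst"]).packed)
                 + nla(A_RTABLEID, struct.pack("=i", st["rtableid"])))
        if export_min_ttl:  # a field added after the consumer below was written
            attrs += nla(A_MIN_TTL, bytes([st["min_ttl"]]))
        msg = nlmsg(MSG_STATE, NLM_F_MULTI, attrs)
        if emitted is not None:
            emitted.append(msg)  # lets a caller observe how far the dump has progressed
        yield msg
    yield nlmsg(NLMSG_DONE, NLM_F_MULTI, struct.pack("=i", 0))


def parse_attrs(payload: bytes, known: set) -> dict:
    """Walk the TLV list: unknown attribute types are skipped, bad lengths rejected."""
    attrs, off = {}, 0
    while off + NLA_HDR.size <= len(payload):
        nla_len, atype = NLA_HDR.unpack_from(payload, off)
        if nla_len < NLA_HDR.size or off + nla_len > len(payload):
            raise ValueError("malformed attribute at offset %d" % off)
        if atype in known:
            attrs[atype] = payload[off + NLA_HDR.size:off + nla_len]
        off += nla_align(nla_len)
    return attrs


def decode_state(attrs: dict) -> dict:
    return {
        "ifname": attrs[A_IFNAME].rstrip(b"\0").decode(),
        "proto": attrs[A_PROTO][0],
        "src": str(ipaddress.ip_address(attrs[A_SRC])),
        "dst": str(ipaddress.ip_address(attrs[A_DST])),
        # An attribute the kernel did not send is reported as absent, never as 0.
        "rtableid": struct.unpack("=i", attrs[A_RTABLEID])[0] if A_RTABLEID in attrs else None,
        "min_ttl": attrs[A_MIN_TTL][0] if A_MIN_TTL in attrs else None,
    }


def consume(stream: Iterable[bytes], known: set = OLD_KNOWN) -> Iterator[dict]:
    """Userspace side: decode records as they arrive; stop at NLMSG_DONE."""
    for msg in stream:
        nlmsg_len, mtype, _flags, _seq, _pid = NLMSG_HDR.unpack_from(msg)
        if nlmsg_len != len(msg):
            raise ValueError("bad nlmsg_len")
        if mtype == NLMSG_DONE:
            return
        yield decode_state(parse_attrs(msg[NLMSG_HDR.size:nlmsg_len], known))


def list_states(filt: dict, export_min_ttl: bool = False, known: set = OLD_KNOWN) -> list:
    return list(consume(dump_states(filt, export_min_ttl), known))


if __name__ == "__main__":
    for rec in list_states({"ifname": "em0"}, export_min_ttl=True):
        print(rec)
```

Because `consume` pulls from the `dump_states` generator one message at a time, the first record is available before the second has been built, which is the peak-memory argument from 2cef6288 in miniature; and a consumer built with `OLD_KNOWN` reads a dump that carries the newer `A_MIN_TTL` attribute without error, which is the extensibility argument. The length checks in `parse_attrs` are the part a reviewer of any TLV parser should insist on: a consumer that trusts `nla_len` can be walked past the end of the buffer.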