History log of /freebsd/sys/netpfil/pf/pf_ruleset.c (Results 1 – 25 of 37)
# 029532e7 30-Jul-2025 Kristof Provost <kp@FreeBSD.org>

pf: also allocate ethernet anchors from a UMA zone

As per the previous commit, ensure we can't endlessly allocate ethernet
anchors.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 31131a9d 30-Jul-2025 Kristof Provost <kp@FreeBSD.org>

pf: allocate pf_kanchor from a pool

Add a pool for the allocation of the pf_anchor struct.
It was possible to exhaust kernel memory by repeatedly calling
pfioctl DIOCXBEGIN with different anchor names.
OK bluhm@
Reported-by: syzbot+9dd98cbce69e26f0fc11@syzkaller.appspotmail.com

Obtained from: OpenBSD, mbuhl <mbuhl@openbsd.org>, fa90ac5c78
Obtained from: OpenBSD, mbuhl <mbuhl@openbsd.org>, c259202341
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 4bb3b365 18-Jul-2025 Kristof Provost <kp@FreeBSD.org>

pf: unify DPFPRINTF definitions

We define DPFPRINTF() in a few different versions in most pf source files.
Move to one definition in pfvar.h and use that one everywhere.

While here change it to add an endline, as OpenBSD does, so we consistently end
all logs with an endline.
Also add a static probe point to ease future debugging. This way we can detect
log events even when logging is disabled, and extract more information (e.g.
stack traces, frequency, ...).

Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/14.3.0-p1, release/14.2.0-p4, release/13.5.0-p2
# f7289cce 30-Jun-2025 Kristof Provost <kp@FreeBSD.org>

pf: Check for main ruleset explicitly

All rulesets reference their parent anchor, except for the special cased
main anchor containing the main ruleset, whose reference is always NULL
since initialization and never changes.

Replacing nullity tests with clearer equality checks makes the code less
ambiguous and easier to understand.

OK sashan

Obtained from: OpenBSD, kn <kn@openbsd.org>, 55038654e1
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 651fbbc9 30-Jun-2025 Kristof Provost <kp@FreeBSD.org>

pf: Rename pf_anchor_remove() to pf_remove_anchor()

For semantic consistency with pf_{create,find,remove}_{anchor,ruleset}().

Simplify logic by squashing the if/else block while here.
No functional change.

Feedback jca and mikeb, OK mikeb

Obtained from: OpenBSD, kn <kn@openbsd.org>, f6275afa61
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 614ae218 30-Jun-2025 Kristof Provost <kp@FreeBSD.org>

pf: pf_create_kanchor() can be static

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 9ec47b79 30-Jun-2025 Kristof Provost <kp@FreeBSD.org>

pf: replace hardcoded function names by __func__

Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/14.3.0
# 54a547fc 30-May-2025 Kristof Provost <kp@FreeBSD.org>

pf: split pf_find_or_create_ruleset() into smaller chunks

tested by Hrvoje
OK mpi@, OK bluhm@

Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 0d5abfc5ba
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50725


# 94db776f 08-May-2025 Kristof Provost <kp@FreeBSD.org>

pf: use __func__ rather than hardcoded function names

Replace function names with __func__ in debug prints to make grep
happy.

Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 68d5ab4417
Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/13.4.0-p5, release/13.5.0-p1, release/14.2.0-p3, release/13.5.0, release/14.2.0-p2, release/14.1.0-p8, release/13.4.0-p4, release/14.1.0-p7, release/14.2.0-p1, release/13.4.0-p3, release/14.2.0, release/13.4.0, release/14.1.0
# 6ee3e376 24-May-2024 Kristof Provost <kp@FreeBSD.org>

pf: fix incorrect anchor_call to userspace

777a4702c changed how we copy out the anchor_call string, and
incorrectly limited it to 8 (4 on 32-bit systems) bytes. Fix that so we
get the full anchor path, rather than just the first few characters.

PR: 279225
Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/13.3.0
# 777a4702 12-Jan-2024 Kristof Provost <kp@FreeBSD.org>

pf: implement addrule via netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")


# fdafd315 24-Nov-2023 Warner Losh <imp@FreeBSD.org>

sys: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

Sponsored by: Netflix


Revision tags: release/14.0.0
# 685dc743 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/


Revision tags: release/13.2.0, release/12.4.0, release/13.1.0, release/12.3.0
# c5131afe 01-Oct-2021 Kristof Provost <kp@FreeBSD.org>

pf: add anchor support for ether rules

Support anchors in ether rules.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32482


Revision tags: release/13.0.0
# 20c4899a 10-Feb-2021 Kristof Provost <kp@FreeBSD.org>

pf: Do not hold PF_RULES_RLOCK while processing Ethernet rules

Avoid the overhead of acquiring a (read) RULES lock when processing the
Ethernet rules.
We can get away with that because when rules are modified they're staged
in V_pf_keth_inactive. We take care to ensure the swap to V_pf_keth is
atomic, so that pf_test_eth_rule() always sees either the old rules, or
the new ruleset.

We need to take care not to delete the old ruleset until we're sure no
pf_test_eth_rule() is still running with those. We accomplish that by
using NET_EPOCH_CALL() to actually free the old rules.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31739


# e732e742 03-Feb-2021 Kristof Provost <kp@FreeBSD.org>

pf: Initial Ethernet level filtering code

This is the kernel side of stateless Ethernet level filtering for pf.

The primary use case for this is to enable captive portal functionality
to allow/deny access by MAC address, rather than per IP address.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31737


# ef950daa 02-Mar-2021 Kristof Provost <kp@FreeBSD.org>

pf: match keyword support

Support the 'match' keyword.
Note that support is limited to adding queuing information, so without
ALTQ support in the kernel setting match rules is pointless.

For the avoidance of doubt: this is NOT full support for the match
keyword as found in OpenBSD's pf. That could potentially be built on top
of this, but this commit is NOT that.

MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31115


# d710367d 25-Mar-2021 Kristof Provost <kp@FreeBSD.org>

pf: Implement nvlist variant of DIOCGETRULE

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29559


# 86b653ed 11-Jan-2021 Kristof Provost <kp@FreeBSD.org>

pf: quiet debugging printfs

Only log these when debugging output is enabled.


# fda7daf0 24-Dec-2020 Kristof Provost <kp@FreeBSD.org>

pfctl: Stop sharing pf_ruleset.c with the kernel

Now that we've split up the data structures used by the kernel and
userspace there's essentially no more overlap between the pf_ruleset.c
code used by userspace and kernelspace.

Copy the userspace bits to the pfctl directory and stop using the kernel
file.

Reviewed by: philip
MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D27764


# e86bddea 05-Dec-2020 Kristof Provost <kp@FreeBSD.org>

pf: Split pf_rule into kernel and user space versions

No functional change intended.

MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D27758


Revision tags: release/12.2.0
# 662c1305 01-Sep-2020 Mateusz Guzik <mjg@FreeBSD.org>

net: clean up empty lines in .c and .h files


Revision tags: release/11.4.0, release/12.1.0, release/11.3.0, release/12.0.0, release/11.2.0
# fe267a55 27-Nov-2017 Pedro F. Giffuni <pfg@FreeBSD.org>

sys: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
supersede or replace the license texts.

No functional change intended.


Revision tags: release/10.4.0, release/11.1.0, release/11.0.1, release/11.0.0, release/10.3.0, release/10.2.0, release/10.1.0, release/9.3.0
# 3b8f0845 28-Apr-2014 Simon J. Gerraty <sjg@FreeBSD.org>

Merge head


# 84e51a1b 23-Apr-2014 Alan Somers <asomers@FreeBSD.org>

IFC @264767

