04932601 | 07-Dec-2023 | Kristof Provost <kp@FreeBSD.org>
pf: store state creation/expiration timestamps with millisecond precision
The primary beneficiary is pflow(4), which expects millisecond precision in timestamps.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D43112

4f337550 | 19-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: allow states to be killed by their pre-NAT address
If a connection is NAT-ed we could previously only terminate it by its ID or the post-NAT IP address. Allow users to specify they want to look for the state by its pre-NAT address.
Usage: `pfctl -k nat -k <address>`.
See also: https://redmine.pfsense.org/issues/11556
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42312

685dc743 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>
sys: Remove $FreeBSD$: one-line .c pattern
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

76c8f202 | 15-May-2023 | Kristof Provost <kp@FreeBSD.org>
pf: fix pf_nv##_array() size check
We want to set the maximum number of elements we'll accept, not the exact number we need.
MFC after: 3 weeks
Sponsored by: Orange Business Services

4d846d26 | 10-May-2023 | Warner Losh <imp@FreeBSD.org>
spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD
The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch up to that fact and revert to their recommended match of BSD-2-Clause.
Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

ef661d4a | 24-Apr-2023 | Christian McDonald <cmcdonald@netgate.com>
pf: introduce ridentifier and labels to ether rules
Make Ethernet rules more similar to the usual layer 3 rules by also allowing ridentifier and labels to be set on them.
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")

8a8af942 | 22-Sep-2022 | Kristof Provost <kp@FreeBSD.org>
pf: bridge-to
Allow pf (l2) to be used to redirect ethernet packets to a different interface. The intended use case is to send 802.1x challenges out to a side interface, to enable AT&T links to function with pfSense as a gateway, rather than the AT&T provided hardware.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D37193

0044bd90 | 27-Sep-2022 | Kristof Provost <kp@FreeBSD.org>
pf: fix memory leak retrieving Ethernet rules
Remember to free the nvlist we've added to our main nvlist.
Sponsored by: Rubicon Communications, LLC ("Netgate")

1f61367f | 31-May-2022 | Kristof Provost <kp@FreeBSD.org>
pf: support matching on tags for Ethernet rules
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35362

0abcc1d2 | 22-Apr-2022 | Reid Linnemann <rlinnemann@netgate.com>
pf: Add per-rule timestamps for rule and eth_rule
Similar to ipfw rule timestamps, these timestamps internally are uint32_t snaps of the system time in seconds. The timestamp is CPU local and updated each time a rule or a state associated with a rule or state is matched.
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34970

812839e5 | 12-Apr-2022 | Kristof Provost <kp@FreeBSD.org>
pf: allow the use of tables in ethernet rules
Allow tables to be used for the l3 source/destination matching. This requires taking the PF_RULES read lock.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34917

d27c9f5b | 29-Mar-2022 | Kristof Provost <kp@FreeBSD.org>
pf: fixup match rules
Ensure that we can set and print match rules in ethernet rules.
Sponsored by: Rubicon Communications, LLC ("Netgate")

3468cd95 | 25-Mar-2022 | Kristof Provost <kp@FreeBSD.org>
pf: ether l3 rules can only use addresses
Disallow the use of tables in ethernet rules. Using tables requires taking the PF_RULES lock. Moreover, the current table code isn't ready to deal with ethernet rules. Disallow their use for now.
Sponsored by: Rubicon Communications, LLC ("Netgate")

8a42005d | 08-Mar-2022 | Kristof Provost <kp@FreeBSD.org>
pf: support basic L3 filtering in the Ethernet rules
Allow filtering based on the source or destination IP/IPv6 address in the Ethernet layer rules.
Reviewed by: pauamma_gundo.com (man), debdrup (man)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34482

b590f17a | 20-Jan-2022 | Kristof Provost <kp@FreeBSD.org>
pf: support masking mac addresses
When filtering Ethernet packets allow rules to specify a mac address with a mask. This indicates which bits of the specified address are significant. This allows users to do things like filter based on device manufacturer.
Sponsored by: Rubicon Communications, LLC ("Netgate")

c5131afe | 01-Oct-2021 | Kristof Provost <kp@FreeBSD.org>
pf: add anchor support for ether rules
Support anchors in ether rules.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32482

fb330f39 | 27-Sep-2021 | Kristof Provost <kp@FreeBSD.org>
pf: support dummynet on L2 rules
Allow packets to be tagged with dummynet information. Note that we do not apply dummynet shaping on the L2 traffic, but instead mark it for dummynet processing in the L3 code. This is the same approach as we take for ALTQ.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32222

e732e742 | 03-Feb-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Initial Ethernet level filtering code
This is the kernel side of stateless Ethernet level filtering for pf. The primary use case for this is to enable captive portal functionality to allow/deny access by MAC address, rather than per IP address.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31737

0143a6bb | 14-Feb-2022 | Franco Fichtner <franco@opnsense.org>
pf: fix set_prio after nv conversion
Reviewed by: kp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D34266

773e3a71 | 31-Jan-2022 | Mark Johnston <markj@FreeBSD.org>
pf: Initialize pf_kpool mutexes earlier
There are some error paths in ioctl handlers that will call pf_krule_free() before the rule's rpool.mtx field is initialized, causing a panic with INVARIANTS enabled. Fix the problem by introducing pf_krule_alloc() and initializing the mutex there.
This does mean that the rule->krule and pool->kpool conversion functions need to stop zeroing the input structure, but I don't see a nicer way to handle this except perhaps by guarding the mtx_destroy() with a mtx_initialized() check.
Constify some related functions while here and add a regression test based on a syzkaller reproducer.
Reported by: syzbot+77cd12872691d219c158@syzkaller.appspotmail.com
Reviewed by: kp
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34115

218a8a49 | 08-Nov-2021 | Kristof Provost <kp@FreeBSD.org>
pf: ensure we populate dyncnt/tblcnt in struct pf_addr_wrap
PR: 259689
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32892

76c5eecc | 29-Oct-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Introduce ridentifier
Allow users to set a number on rules which will be exposed as part of the pflog header. The intent behind this is to allow users to correlate rules across updates (remember that pf rules continue to exist and match existing states, even if they're removed from the active ruleset) and pflog.
Obtained from: pfSense
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32750

776df104 | 13-Oct-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Introduce pf_nvbool()
Similar to the existing functions for strings and ints, this lets us simplify some of the nvlist conversion code.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

1c680e62 | 08-Oct-2021 | Kristof Provost <kp@FreeBSD.org>
pf: do not copy anchor_wildcard / anchor_relative from userspace
We overwrite these fields again in pf_kanchor_setup() anyway.
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")

63b3c1c7 | 15-May-2021 | Kristof Provost <kp@FreeBSD.org>
pf: support dummynet
Allow pf to use dummynet pipes and queues.
We re-use the currently unused IPFW_IS_DUMMYNET flag to allow dummynet to tell us that a packet is being re-injected after being delayed. This is needed to avoid endlessly looping the packet between pf and dummynet.
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31904

02cf67cc | 22-Jul-2021 | Mateusz Guzik <mjg@FreeBSD.org>
pf: switch rule counters to pf_counter_u64
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")

211cddf9 | 06-Jul-2021 | Kristof Provost <kp@FreeBSD.org>
pf: rename pf_state to pf_kstate
Indicate that this is a kernel-only structure, and make it easier to distinguish from others used to communicate with userspace.
Reviewed by: mjg
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31096

34285eef | 29-Jun-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Reduce the data returned in DIOCGETSTATESNV
This call is particularly slow due to the large amount of data it returns. Remove all fields pfctl does not use. There is no functional impact to pfctl, but it somewhat speeds up the call.
It might affect other (i.e. non-FreeBSD) code that uses the new interface, but this call is very new, so there's unlikely to be any. No releases contained the previous version, so we choose to live with the ABI modification.
Reviewed by: donner
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30944

55cc305d | 28-Jun-2021 | Mateusz Guzik <mjg@FreeBSD.org>
pf: revert: Use counter(9) for pf_state byte/packet tracking
stats are not shared and consequently per-CPU counters only waste memory. No slowdown was measured when passing over 20M pps.
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")

0f86492b | 01-Jun-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Fix more ioctl memory leaks
We must also remember to free nvlists added to a parent nvlist with nvlist_append_nvlist_array().
More importantly, when nvlist_pack() allocates memory for us it does so in the M_NVLIST zone, so we must free it with free(.., M_NVLIST). Using free(.., M_TEMP) as we did silently failed to free the memory.
MFC after: 3 days
Reported by: kib@
Tested by: kib@
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30595

7c434289 | 15-May-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Convenience function for optional (numeric) arguments
Add _opt() variants for the uint* functions. These functions set the provided default value if the nvlist doesn't contain the relevant value. This is helpful for optional values (e.g. when the API is extended to add new fields).
While here simplify the header by also using macros to create the prototypes for the macro-generated function implementations.
Reviewed by: scottl
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30510

3032c353 | 18-May-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Move nvlist conversion functions to pf_nv
Separate the conversion functions (between kernel structs and nvlists) to pf_nv. This reduces the size of pf_ioctl.c, which is already quite large and complex, a good bit. It also keeps all the fairly straightforward conversion code together.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30359

7606a45d | 29-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Introduce DIOCCLRSTATESNV
Introduce an nvlist variant of DIOCCLRSTATES.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30052

eaabed8a | 29-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Trivial typo fix PV -> PF
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

d710367d | 25-Mar-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Implement nvlist variant of DIOCGETRULE
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29559

5c62eded | 11-Mar-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Introduce nvlist variant of DIOCADDRULE
This will make future extensions of the API much easier. The intent is to remove support for DIOCADDRULE in FreeBSD 14.
Reviewed by: markj (previous version), glebius (previous version)
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29557