FreeBSD/src aeddee8 — sbin/pfctl parse.y pfctl.c, sbin/pfctl/tests pfctl_test.c pfctl_test_list.inc
pfctl: Split pool parsing into separate functions
The pf pools are used in NAT, route-to and af-to rules. Some parts of
code are duplicated between them. Create functions apply_redirspec(),
apply_nat_ports() and apply_rdr_ports() to handle the common tasks.
Simplify data structures used for pool parsing. Move the contents of
struct redirection to struct redirspec. Map all ways of parsing pools
directly onto struct redirspec. Name various forms of struct redirspec
to hint where they are used.
Remove struct redirspec *rroute from struct filter_opts, because
filter_opts is bzero()'ed after the route part of rule is parsed, and
thus can't be used.
Add tests to ensure that parsing and error messages behave as expected.
The tests have been written and tested with pfctl from before this
patch.
[6 lines not shown]
pf: support source-hash and random with tables and dynifs, not just pools
This finally allows to use source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.
An older pre-siphash version of this diff was tested by many people.
OK tedu@ benno@
Obtained from: OpenBSD, reyk <reyk at openbsd.org>, 252a05523f
Sponsored by: Rubicon Communications, LLC ("Netgate")
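Added example (not pf or pfctl code) of what "rdr-to <hosts> source-hash" over a table gives you: a keyed hash of the packet's source address picks the table member, so one client always lands on the same backend for as long as the key and the table stay the same. pf keys the hash with a per-ruleset secret (SipHash in current pf); this model substitutes keyed BLAKE2b from hashlib so it runs with the standard library, and the host and client addresses are constructed sample data. The moved_clients() helper shows the caveat a practitioner should know: hash-mod-n over a table is not consistent hashing, so removing one host reshuffles clients that were never on that host.

```python
"""Model of pf's source-hash pool selection over a table (added example)."""
import hashlib
import ipaddress
import os


def source_hash(src: str, key: bytes) -> int:
    """Keyed 64-bit hash of the packed IPv4/IPv6 source address.

    Keyed BLAKE2b stands in for pf's SipHash (assumption made so this runs
    with only the standard library); the point is that the mapping depends
    on a secret, so a remote party cannot predict which backend it will hit.
    """
    packed = ipaddress.ip_address(src).packed
    digest = hashlib.blake2b(packed, digest_size=8, key=key).digest()
    return int.from_bytes(digest, "little")


def pick_from_table(src: str, table: list[str], key: bytes) -> str:
    """Table member chosen for src: the hash reduced modulo the table size."""
    if not table:
        raise ValueError("cannot select from an empty table")
    return table[source_hash(src, key) % len(table)]


def mapping(clients: list[str], table: list[str], key: bytes) -> dict[str, str]:
    """client -> backend for a set of clients; identical on every call while
    key and table are unchanged (this is the 'stickiness' source-hash buys)."""
    return {c: pick_from_table(c, table, key) for c in clients}


def moved_clients(clients: list[str], table: list[str], removed: str,
                  key: bytes) -> list[str]:
    """Clients that were NOT on the removed host but still changed backend
    after that host left the table. Shrinking the table changes the modulus,
    so unrelated clients are reshuffled too; only the clients that were on
    the removed host had to move."""
    before = mapping(clients, table, key)
    after = mapping(clients, [h for h in table if h != removed], key)
    return [c for c in clients if before[c] != removed and before[c] != after[c]]


if __name__ == "__main__":
    key = os.urandom(16)                              # pf generates its own key
    hosts = ["10.1.1.10", "10.1.1.11", "10.1.1.12"]   # constructed <hosts> table
    clients = [f"192.0.2.{i}" for i in range(1, 41)]  # constructed client set
    first = mapping(clients, hosts, key)
    assert first == mapping(clients, hosts, key)      # sticky per client
    print("backends in use:", sorted(set(first.values())))
    print("unrelated clients reshuffled after removing one host:",
          len(moved_clients(clients, hosts, "10.1.1.12", key)))
```

The same hash also applies to a bitmask pool or dynamic interface address; the table case is the one the commit adds, and the modulo step is where table membership changes become visible to clients.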
pfctl: Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
Obtained from: OpenBSD, jsg <jsg at openbsd.org>, 41eef22fad
Sponsored by: Rubicon Communications, LLC ("Netgate")
pfctl: relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian
Obtained from: OpenBSD, henning <henning at openbsd.org>, 7140c133f0
Sponsored by: Rubicon Communications, LLC ("Netgate")
pfctl: if_item can be "any" now
Allows things like:
block out on $someif received-on any
to prevent packets from getting forwarded to $someif.
Obtained from: OpenBSD, henning <henning at openbsd.org>, 5984d04852
Sponsored by: Rubicon Communications, LLC ("Netgate")
FreeBSD/src 71594e3 — lib/libpfctl libpfctl.c libpfctl.h, sbin/pfctl parse.y pfctl_parser.c
pf: support "!received-on <interface>"
ok dlg benno
Obtained from: OpenBSD, henning <henning at openbsd.org>, 7d0482a910
Sponsored by: Rubicon Communications, LLC ("Netgate")
pfctl: cache name/index mappings
Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with a 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).
"wow!" henning, ok benno, florian
Obtained from: OpenBSD, mikeb <mikeb at openbsd.org>, 918dda8655
Sponsored by: Rubicon Communications, LLC ("Netgate")
pf: add 'allow-related' to always allow SCTP multihome extra connections
Allow users to choose to allow permitted SCTP connections to set up additional
multihomed connections regardless of the ruleset. That is, allow an already
established connection to set up flows that would otherwise be disallowed.
In case of if-bound connections we initially set the extra associations to
be floating, because we don't know what path they'll be taking when they're
created. Once we see the first traffic we can bind them.
MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D48453
(cherry picked from commit e4f2733df8c9d2fd0c5e8fdc8bec002bf39811f3)
FreeBSD/src 7a372bd — sbin/pfctl parse.y pfctl_parser.c, sbin/pfctl/tests/files pf1027.ok pf1027.in
pf: make reply-to work with nat64
Just like route-to reply-to is problematic when used in combination with nat64.
In the normal (i.e. without nat64) flow we return immediately from pf_route().
However, with nat64 we need to continue and do a route lookup. In that case
we should not make the extra pf_test(PF_OUT) call to remain similar to the
non-nat64 flow.
We also have to fix the interface binding. We can only bind to the interface
after we've done the route lookup, not before.
Add a functional test case, and a test for pfctl's rule printing.
Sponsored by: Rubicon Communications, LLC ("Netgate")
FreeBSD/src ca0e693 — sbin/pfctl parse.y pfctl_parser.c, sbin/pfctl/tests pfctl_test_list.inc
pf: cope with route-to on af-to rules
af-to uses pf_route() and pf_route6(), which caused issues when af-to and
route-to were combined in a single rule.
Extend the relevant functions to cope with this and add test cases.
Sponsored by: Rubicon Communications, LLC ("Netgate")
pf: add a dedicated pf pool for route options
As suggested by henning.
Which unbreaks ie route-to after the recent pf changes.
With much help debugging and pointing out of missing bits from claudio@
ok claudio@ "looks good" henning@
Obtained from: OpenBSD, jsg <jsg at openbsd.org>, 7fa5c09028
Sponsored by: Rubicon Communications, LLC ("Netgate")
pfctl: allow an implicit address family for af-to rules
If the address family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6" there.
OK henning@ mikeb@
Obtained from: OpenBSD, bluhm <bluhm at openbsd.org>, ff33038bc1
Sponsored by: Rubicon Communications, LLC ("Netgate")
pfctl: improve NAT pool handling
Ensure we always free the NAT pool (as well as the rdr pool) and actually handle
it in the optimiser.
Sponsored by: Rubicon Communications, LLC ("Netgate")
pfctl: follow rpool -> rdr rename
In e11dacbf8484adc7bbb61b20fee3ab8385745925 the redirect pool was renamed from
rpool to rdr. It included backwards compatibility support for libpfctl users,
but didn't fully implement the rename in our own code.
Do so now. No functional change.
Sponsored by: Rubicon Communications, LLC ("Netgate")
pf: add 'allow-related' to always allow SCTP multihome extra connections
Allow users to choose to allow permitted SCTP connections to set up additional
multihomed connections regardless of the ruleset. That is, allow an already
established connection to set up flows that would otherwise be disallowed.
In case of if-bound connections we initially set the extra associations to
be floating, because we don't know what path they'll be taking when they're
created. Once we see the first traffic we can bind them.
MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D48453
pfctl: unbreak rule optimizer
ok henning, looks
Obtained from: OpenBSD, mikeb <mikeb at openbsd.org>, 4a16887b1b
Sponsored by: Rubicon Communications, LLC ("Netgate")
pf: fixup af-to regression with match rules
pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.
positive review and comments from claudio, ok henning, sperreault
Obtained from: OpenBSD, mikeb <mikeb at openbsd.org>, fc302162c0
Sponsored by: Rubicon Communications, LLC ("Netgate")
pfctl: pfctl_set_hostid always returns 0
Don't pretend otherwise and make it a void function instead.
ok dlg
Obtained from: OpenBSD, mcbride <mcbride at openbsd.org>, 9ac6101ff7
Sponsored by: Rubicon Communications, LLC ("Netgate")
pfctl: do not allow af-to tables without round-robin
Tables can only be used as a redirspec (i.e. in pf_map_addr()) in round-robin mode.
Enforce this for af-to tables as well.
Add a test case to verify.
Sponsored by: Rubicon Communications, LLC ("Netgate")
pfctl: change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@
Obtained from: OpenBSD, claudio <claudio at openbsd.org>, 0cde32ce3f
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47790
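Added example (not pf or pfctl code) of the address arithmetic behind the NAT64 case above, where the IPv4 destination is recovered from the IPv6 destination. It implements the RFC 6052 embedding for every prefix length that RFC allows (/32, /40, /48, /56, /64 and the /96 well-known prefix 64:ff9b::/96), which is more general than the single case named in the commit message; how pf's own af-to code lays out the bits is not described on this page, so treat the layout here as RFC 6052's, not pf's. Prefix and address values are the ones from RFC 6052's examples.

```python
"""RFC 6052 IPv4-embedded IPv6 addresses (added example, not pf code)."""
import ipaddress

VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _check_prefix(prefix: ipaddress.IPv6Network) -> int:
    plen = prefix.prefixlen
    if plen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"/{plen} is not an RFC 6052 prefix length")
    return plen


def embed_ipv4(prefix: ipaddress.IPv6Network,
               v4: ipaddress.IPv4Address) -> ipaddress.IPv6Address:
    """Build the IPv6 address that carries v4 inside prefix.

    For /96 the IPv4 address is simply the last 32 bits. For shorter prefixes
    the IPv4 bits directly follow the prefix up to bit 63, bits 64-71 (the
    'u' octet) stay zero, and whatever IPv4 bits are left continue at bit 72.
    """
    plen = _check_prefix(prefix)
    base = int(prefix.network_address)
    v = int(v4)
    if plen == 96:
        return ipaddress.IPv6Address(base | v)
    high_bits = 64 - plen            # IPv4 bits placed before the u octet
    low_bits = 32 - high_bits        # IPv4 bits placed after the u octet
    high = v >> low_bits
    low = v & ((1 << low_bits) - 1)
    # high always ends at bit 63 (shift 64 from the LSB side); low starts at
    # bit 72, i.e. its last bit sits at LSB offset 56 - low_bits.
    return ipaddress.IPv6Address(base | (high << 64) | (low << (56 - low_bits)))


def extract_ipv4(prefix: ipaddress.IPv6Network,
                 v6: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """Inverse of embed_ipv4: the IPv4 destination a NAT64 rule would use."""
    plen = _check_prefix(prefix)
    if v6 not in prefix:
        raise ValueError(f"{v6} is not inside the NAT64 prefix {prefix}")
    a = int(v6)
    if plen == 96:
        return ipaddress.IPv4Address(a & 0xFFFFFFFF)
    if (a >> 56) & 0xFF:
        raise ValueError("bits 64-71 (the u octet) must be zero")
    high_bits = 64 - plen
    low_bits = 32 - high_bits
    high = (a >> 64) & ((1 << high_bits) - 1)
    low = (a >> (56 - low_bits)) & ((1 << low_bits) - 1)
    return ipaddress.IPv4Address((high << low_bits) | low)


if __name__ == "__main__":
    v4 = ipaddress.IPv4Address("192.0.2.33")
    for p in ("2001:db8::/32", "2001:db8:100::/40", "2001:db8:122::/48",
              "2001:db8:122:300::/56", "2001:db8:122:344::/64", "64:ff9b::/96"):
        net = ipaddress.IPv6Network(p)
        v6 = embed_ipv4(net, v4)
        print(f"{p:24} {v6.compressed:32} -> {extract_ipv4(net, v6)}")
```

The "not inside the prefix" check is the one to keep in mind when writing the matching part of an af-to rule: the rule's IPv6 "to" should cover exactly the NAT64 prefix, otherwise a destination outside it has no IPv4 address to extract.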
pfctl: avoid possible SIGSEGV when wrong tos option
Obtained from: OpenBSD, haesbaert <haesbaert at openbsd.org>, 934eaac797
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46933
FreeBSD/src 288bec2 — sbin/pfctl parse.y pfctl_optimize.c, sbin/pfctl/tests/files pf0004.ok
pf: fold pf_test_fragment() into pf_test_rule()
Reduces code and fixes a bunch of bugs with fragment handling not being in sync
with the rest of the ruleset.
Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing
ok bluhm; various previous versions ok henning, claudio, mpf, markus
Note that while this changes the order of src addr/src port/dst addr/dst port
skips this doesn't actually affect the kernel/userspace ABI. The kernel always
recalculates skip steps. As a result we have to fix one of the pfctl parser
tests. Note that this is an order change that does not affect what packets are
accepted or dropped.
Obtained from: OpenBSD, mcbride <mcbride at openbsd.org>, 04c69899a7
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46705
pf: add a new log opt PF_LOG_MATCHES
forces logging on all subsequent matching rules
new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
Obtained from: OpenBSD, henning <henning at openbsd.org>, 1603e01ae4
Obtained from: OpenBSD, henning <henning at openbsd.org>, f496e91672
Obtained from: OpenBSD, henning <henning at openbsd.org>, 07481a9fee
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46588
pfctl: lex <=, >=, and != into a single token
lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto
Reviewed by: zlei
Obtained from: OpenBSD, deraadt <deraadt at openbsd.org>, e6e3ecf338
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46582
pfctl: fix incorrect optimization
In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride
Obtained from: OpenBSD, deraadt <deraadt at openbsd.org>, e3b4bc25a0
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46580
pf: allow filtering on the receive interface
add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:
pass out on em0 from $foo to $bar received-on fxp0
I've been running this in production for a week now. I find it particularly
useful with interface groups.
no objections, and a few "i like"s from henning, claudio, deraadt, mpf
Obtained from: OpenBSD, dlg <dlg at openbsd.org>, 95b4320893
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46577
pf: Add support for endpoint independent NAT bindings for UDP
With Endpoint Independent NAT bindings for UDP flows from a NATed source
address are always mapped to the same ip:port pair on the NAT router.
This allows a client to connect to multiple external servers while
appearing as the same host and enables NAT traversal without requiring
the client to use a middlebox traversal protocol such as STUN or TURN.
Introduce the 'endpoint-independent' option to NAT rules to allow
configuration of endpoint independent without affecting existing
deployments.
This change satisfies REQ 1 and 3 of RFC 4787 also known as 'full cone'
NAT.
Using Endpoint Independent NAT changes NAT exhaustion behaviour; it does
not introduce any additional security considerations compared to other
forms of NAT.
[7 lines not shown]
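Added example (a simplified model, not pf's state code) of the two behaviours the 'endpoint-independent' option above chooses between. With endpoint_independent=True the model applies RFC 4787 REQ-1 (one external port per internal src regardless of destination) and REQ-3 (any remote may send to that port once it exists), which is the "full cone" behaviour the commit describes; with False every (src, dst) pair gets its own mapping and only that destination may answer. The addresses, ports and the starting external port 40000 are constructed for the demonstration; the ports_consumed() helper shows the exhaustion difference the commit mentions.

```python
"""Model of RFC 4787 NAT mapping and filtering for UDP (added example)."""
from itertools import count
from typing import Optional

Endpoint = tuple[str, int]   # (address, port)


class UdpNat:
    def __init__(self, external_ip: str, endpoint_independent: bool = False,
                 first_port: int = 40000) -> None:
        self.external_ip = external_ip
        self.endpoint_independent = endpoint_independent
        self._ports = count(first_port)          # external port allocator
        self._mappings: dict = {}                # mapping key -> external port
        # external port -> (internal endpoint, remote endpoints sent to)
        self._bindings: dict[int, tuple[Endpoint, set[Endpoint]]] = {}

    def _key(self, src: Endpoint, dst: Endpoint):
        # REQ-1: endpoint-independent mapping keys on the internal src only;
        # the per-connection model keys on the (src, dst) pair.
        return src if self.endpoint_independent else (src, dst)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outgoing datagram; returns the external (ip, port)."""
        key = self._key(src, dst)
        port = self._mappings.get(key)
        if port is None:
            port = next(self._ports)
            self._mappings[key] = port
            self._bindings[port] = (src, set())
        self._bindings[port][1].add(dst)
        return (self.external_ip, port)

    def inbound(self, remote: Endpoint, ext_port: int) -> Optional[Endpoint]:
        """Internal endpoint an incoming datagram reaches, or None if filtered."""
        binding = self._bindings.get(ext_port)
        if binding is None:
            return None
        internal, remotes = binding
        # REQ-3: endpoint-independent filtering admits any remote once the
        # mapping exists; otherwise only remotes the client already sent to.
        if self.endpoint_independent or remote in remotes:
            return internal
        return None


def traversal_outcome(endpoint_independent: bool) -> dict[str, bool]:
    """A client talks to two servers; a third party then tries to reach it
    using the external port the first server observed."""
    nat = UdpNat("203.0.113.1", endpoint_independent)
    client = ("10.0.0.5", 5000)
    via_a = nat.outbound(client, ("198.51.100.10", 3478))
    via_b = nat.outbound(client, ("198.51.100.20", 3478))
    peer = ("192.0.2.77", 6000)   # learned via_a out of band, never contacted
    return {
        "same_external_port": via_a == via_b,
        "peer_reaches_client": nat.inbound(peer, via_a[1]) == client,
    }


def ports_consumed(endpoint_independent: bool, destinations: int) -> int:
    """External ports one internal src:port burns talking to N destinations."""
    nat = UdpNat("203.0.113.1", endpoint_independent)
    client = ("10.0.0.5", 5000)
    used = {nat.outbound(client, (f"198.51.100.{i}", 53))[1]
            for i in range(1, destinations + 1)}
    return len(used)


if __name__ == "__main__":
    for mode in (False, True):
        print("endpoint-independent" if mode else "per-connection",
              traversal_outcome(mode), "ports for 10 peers:", ports_consumed(mode, 10))
```

The second result is the trade-off to weigh before enabling the option: a client that fans out to many destinations holds one external port instead of one per destination, but that port is reachable from any source for the lifetime of the mapping, which is exactly what makes STUN-free traversal work.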
pf: 'sticky-address' requires 'keep state'
When route_to() processes a packet without state, pf_map_addr() is called for
each packet. Pf_map_addr() will search for a source node and will find none
since those are created only in pf_create_state(). Thus sticky address,
even though requested in rule definition, will never work.
Raise an error when a stateless filter rule uses sticky address to avoid
confusion and to keep ruleset limitations in sync with what the pf code
really does.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46310
pf: migrate DIOCGETLIMIT/DIOCSETLIMIT to netlink
Event: Kitchener-Waterloo Hackathon 202406
pf: convert DIOCGETTIMEOUT/DIOCSETTIMEOUT to netlink