When syncookies are in adaptive mode they may be active or inactive.
Expose this status to users.
Suggested by: Guido van Rooij
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 444a77ca85)
Basic state tracking for SCTP. This means we scan through the packet to
identify the different chunks (so we can identify state changes).
MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D40862
(cherry picked from commit 010ee43f56)
Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.
tested by phessler
ok henning
Also fix the relevant pfctl test case to reflect the new (and now
correct) behaviour).
MFC after: 3 weeks
Obtained from: OpenBSD (mcbride, f9a568a27c740528301ca3419316c85a9fc7f1de)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D36416
(cherry picked from commit 585a5ed0be)
In 1e73fbd8b we fixed an issue with POM_STICKYADDRESS being checked in
the wrong struct.
Add a basic test case for this fix.
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 63167eb48c)
When the interface does not exist avoid passing host with special pf
modifiers to DNS resolution as they come up empty anyway.
Reviewed by: kp
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D35429
(cherry picked from commit 28b64169ea)
pass inet proto icmp icmp-type {unreach}
pass route-to (if0 127.0.0.1/8) sticky-address inet
The wrong struct was being tested. The parser tries to prevent
"sticky-address sticky-address" syntax but was actually cross-rule
enforcing that ICMP filter cannot be before the use of "sticky-address"
in next rule.
MFC after: 2 weeks
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D36050
(cherry picked from commit 1e73fbd8b2)
When asked to print rules recursively, correctly recurse for anchors
included in pf.conf with "anchorname/*".
PR: 262590
Reviewed by: kp
MFC after: 3 weeks
(cherry picked from commit d86cf44350)
When retrieving nat rules in anchors we need to set the path just like
we do for regular rules.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit a632d9e360)
Introduce pfctl_get_rules_info(), similar to pfctl_get_eth_rules_info()
to retrieve rules information (ticket and total number of rules).
Use the new function in pfctl.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34443
(cherry picked from commit 8c1400b0a1)
We provide the hostid (which is the state creatorid) to the kernel as a
big endian number (see pfctl/pfctl.c pfctl_set_hostid()), so convert it
back to system endianness when we get it from the kernel.
This avoids a confusing mismatch between the value the user configures
and the value displayed in the state.
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33989
(cherry picked from commit 735748f30a)
If an invalid (i.e. overly long) interface name is specified error out
immediately, rather than in expand_rule() so we point at the incorrect
line.
PR: 260958
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D34008
(cherry picked from commit e68de66943)
Allow users to set a number on rules which will be exposed as part of
the pflog header.
The intent behind this is to allow users to correlate rules across
updates (remember that pf rules continue to exist and match existing
states, even if they're removed from the active ruleset) and pflog.
Obtained from: pfSense
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32750
(cherry picked from commit 76c5eecc34)
We used to expand the $nr macro in labels into the rule number prior to
the optimisation step. This would occasionally produce incorrect rule
numbers in the labels.
Delay all macro expansion until after the optimisation step to ensure
that we expand the correct values.
MFC after: 1 week
Reported by: Özkan KIRIK <ozkan.kirik@gmail.com>
Differential Revision: https://reviews.freebsd.org/D32488
(cherry picked from commit 09c7f23869)
795d78a467 pfctl: Don't use PRIu64 mistakenly changed these to be
printed as hexadecimal numbers.
Reported by: Florian Smeets
MFC after: 4 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 846a6e8f9a)
Rather than PRIu64 we can just treat the data as uintmax_t, and use %jx
instead.
MFC after: 1 week
Suggested by: kib
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 795d78a467)
Use PRIu64 to printf(3) uint64_t quantities, otherwise this will result
in "error: format specifies type 'unsigned long' but the argument has
type 'uint64_t' (aka 'unsigned long long') [-Werror,-Wformat]" on 32-bit
architectures.
Fixes: 80078d9d38
MFC after: 1 week
(cherry picked from commit 5b8f07b12f)
Rather than call DIOCGETSTATUS ourselves use the new libpfctl functions.
MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31697
(cherry picked from commit 80078d9d38)
Since the conversion to the new DIOCKILLSTATESNV the kernel no longer
exists the id and creatorid to be big-endian.
As a result killing states by id (i.e. `pfctl -k id -k 12345`) no longer
worked.
Reported by: Özkan KIRIK
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit e59eff9ad3)
Support the 'match' keyword.
Note that support is limited to adding queuing information, so without
ALTQ support in the kernel setting match rules is pointless.
For the avoidance of doubt: this is NOT full support for the match
keyword as found in OpenBSD's pf. That could potentially be built on top
of this, but this commit is NOT that.
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31115
(cherry picked from commit ef950daa35)
As for example pfctl -ss keeps calling it, it saves a lot of overhead
from elided parsing of /etc/nsswitch.conf and /etc/protocols.
Sample result when running a pre-nvlist binary with nfs root and dumping
7 mln states:
before: 24.817u 62.993s 1:28.52 99.1%
after: 8.064u 1.117s 0:18.87 48.5%
Idea by Jim Thompson
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 858937bea4)
We used to have a bug where pfctl could crash setting fairq queues. Test
this case and ensure it does not crash pfctl.
Reviewed by: donner
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30348
(cherry picked from commit 9938fcaa65)
The following config could crash pfctl:
altq on igb0 fairq bandwidth 1Gb queue { qLink }
queue qLink fairq(default)
That happens because when we're parsing the parent queue (on igb0) it
doesn't have a parent, and the check in eval_pfqueue_fairq() checks
pa->parent rather than parent.
This was changed in eval_pfqueue_hfsc() in
1d34c9dac8, but not for fairq.
Reviewed by: pkelsey
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30346
(cherry picked from commit 26705a39e5)
Track (and display) the interface that created a state, even if it's a
floating state (and thus uses virtual interface 'all').
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30245
(cherry picked from commit d0fdf2b28f)
Migrate to using the new nvlist-based DIOCGETSTATESNV call to obtain the
states list.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30244
(cherry picked from commit bc94129147)
We failed to account for the FAIRQ scheduler in expand_altq(), which led
it to be set up without its parent queue.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30347
(cherry picked from commit dc78428796)
This allows us to kill states created from a rule with route-to/reply-to
set. This is particularly useful in multi-wan setups, where one of the
WAN links goes down.
Submitted by: Steven Brown
Obtained from: https://github.com/pfsense/FreeBSD-src/pull/11/
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30058
(cherry picked from commit abbcba9cf5)
When showing the states, in very verbose mode, also display the gateway
(i.e. the target for route-to/reply-to).
Submitted by: Steven Brown
Reviewed by: donner
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30051
(cherry picked from commit cc948296e6)
Usually rule counters are reset to zero on every update of the ruleset.
With keepcounters set pf will attempt to find matching rules between old
and new rulesets and preserve the rule counters.
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29780
(cherry picked from commit 42ec75f83a)
