1. 24 Sep, 2021 1 commit
    • pf: support dummynet · 63b3c1c7
      Kristof Provost authored
      Allow pf to use dummynet pipes and queues.
      
      We re-use the currently unused IPFW_IS_DUMMYNET flag to allow dummynet
      to tell us that a packet is being re-injected after being delayed. This
      is needed to avoid endlessly looping the packet between pf and dummynet.
      
      MFC after:	2 weeks
      Sponsored by:	Rubicon Communications, LLC ("Netgate")
      Differential Revision:	https://reviews.freebsd.org/D31904
  2. 20 Jul, 2021 1 commit
  3. 17 Jul, 2021 1 commit
    • pf: match keyword support · ef950daa
      Kristof Provost authored
      Support the 'match' keyword.
      Note that support is limited to adding queuing information, so without
      ALTQ support in the kernel setting match rules is pointless.
      
      For the avoidance of doubt: this is NOT full support for the match
      keyword as found in OpenBSD's pf. That could potentially be built on top
      of this, but this commit is NOT that.
      
      MFC after:	2 weeks
      Sponsored by:	Rubicon Communications, LLC ("Netgate")
      Differential Revision:	https://reviews.freebsd.org/D31115
  4. 01 Jul, 2021 1 commit
    • pfctl: cache getprotobynumber results · 858937be
      Mateusz Guzik authored
      As for example pfctl -ss keeps calling it, this saves a lot of overhead
      by eliding the parsing of /etc/nsswitch.conf and /etc/protocols.
      
      Sample result when running a pre-nvlist binary with nfs root and dumping
      7 mln states:
      before: 24.817u 62.993s 1:28.52 99.1%
      after:	8.064u 1.117s 0:18.87 48.5%
      
      Idea by Jim Thompson
      
      Reviewed by:	kp
      Sponsored by:	Rubicon Communications, LLC ("Netgate")
  5. 20 May, 2021 1 commit
  6. 26 Apr, 2021 1 commit
  7. 19 Apr, 2021 1 commit
  8. 13 Apr, 2021 1 commit
  9. 10 Apr, 2021 2 commits
  10. 06 Mar, 2021 1 commit
  11. 28 Jan, 2019 1 commit
    • pfctl: Point users to net.pf.request_maxcount if large requests are rejected · 542feeff
      Kristof Provost authored
      The kernel will reject very large tables to avoid resource exhaustion
      attacks. Some users run into this limit with legitimate table
      configurations.
      
      The error message in this case was not very clear:
      
          pf.conf:1: cannot define table nets: Invalid argument
          pfctl: Syntax error in config file: pf rules not loaded
      
      If a table definition fails we now check the request_maxcount sysctl,
      and if we've tried to create more than that point the user at
      net.pf.request_maxcount:
      
          pf.conf:1: cannot define table nets: too many elements.
          Consider increasing net.pf.request_maxcount.
          pfctl: Syntax error in config file: pf rules not loaded
      
      PR:		235076
      MFC after:	2 weeks
      Differential Revision:	https://reviews.freebsd.org/D18909
  12. 28 Oct, 2018 1 commit
  13. 22 Oct, 2018 1 commit
  14. 20 Oct, 2018 1 commit
  15. 22 Aug, 2018 1 commit
    • Extended pf(4) ioctl interface and pfctl(8) to allow bandwidths of 2^32 bps or greater to be used. · 249cc75f
      Patrick Kelsey authored
      Prior to this, bandwidth parameters
      would simply wrap at the 2^32 boundary.  The computations in the HFSC
      scheduler and token bucket regulator have been modified to operate
      correctly up to at least 100 Gbps.  No other algorithms have been
      examined or modified for correct operation above 2^32 bps (some may
      have existing computation resolution or overflow issues at rates below
      that threshold).  pfctl(8) will now limit non-HFSC bandwidth
      parameters to 2^32 - 1 before passing them to the kernel.
      
      The extensions to the pf(4) ioctl interface have been made in a
      backwards-compatible way by versioning affected data structures,
      supporting all versions in the kernel, and implementing macros that
      will cause existing code that consumes that interface to use version 0
      without source modifications.  If version 0 consumers of the interface
      are used against a new kernel that has had bandwidth parameters of
      2^32 or greater configured by updated tools, such bandwidth parameters
      will be reported as 2^32 - 1 bps by those old consumers.
      
      All in-tree consumers of the pf(4) interface have been updated.  To
      update out-of-tree consumers to the latest version of the interface,
      define PFIOC_USE_LATEST ahead of any includes and use the code of
      pfctl(8) as a guide for the ioctls of interest.
      
      PR:	211730
      Reviewed by:	jmallett, kp, loos
      MFC after:	2 weeks
      Relnotes:	yes
      Sponsored by:	RG Nets
      Differential Revision:	https://reviews.freebsd.org/D16782
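The commit above describes three things: the silent wrap of bandwidths at the 2^32 boundary, a versioned ioctl structure that reports 2^32 - 1 to version-0 consumers instead of a wrapped value, and a pfctl-side clamp for every scheduler other than HFSC. The following is an added example, not FreeBSD's code, that shows each of these in miniature. The struct, enum and function names (bw_v0, bw_v1, enum sched, bw_naive_store, bw_to_v0, clamp_for_scheduler, BW_USE_LATEST, bw_abi_size) and the 100 Gbps input are constructed for this example.

```c
/* Added example, not FreeBSD's code: the 32-bit wrap the commit above fixes,
 * a versioned bandwidth structure that keeps version-0 consumers working
 * (saturating instead of wrapping), and the pfctl-side clamp for schedulers
 * not verified above 2^32 bps. All names here are constructed for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BW_32_MAX UINT32_MAX    /* 2^32 - 1 bps: ceiling of the old field */

struct bw_v0 { uint32_t bandwidth; };   /* version 0: what old tools compiled */
struct bw_v1 { uint64_t bandwidth; };   /* version 1: what the kernel stores */

/* HFSC is the scheduler whose arithmetic was reworked for >= 2^32 bps; the
 * others are clamped by the userland tool before reaching the kernel. */
enum sched { SCHED_HFSC, SCHED_CBQ, SCHED_PRIQ, SCHED_FAIRQ };

/* Pre-fix behaviour: storing into a 32-bit field silently discards the high
 * bits, so 100 Gbps becomes 100e9 mod 2^32. */
uint32_t bw_naive_store(uint64_t bps)
{
    return (uint32_t)bps;
}

/* Post-fix kernel behaviour toward a version-0 consumer: report 2^32 - 1
 * rather than a wrapped value when the configured bandwidth does not fit. */
struct bw_v0 bw_to_v0(const struct bw_v1 *in)
{
    struct bw_v0 out;
    out.bandwidth = in->bandwidth > BW_32_MAX ? BW_32_MAX : (uint32_t)in->bandwidth;
    return out;
}

/* Post-fix pfctl behaviour: only HFSC may carry a bandwidth of 2^32 or more;
 * every other scheduler's parameter is limited to 2^32 - 1 before the ioctl. */
uint64_t clamp_for_scheduler(enum sched s, uint64_t bps)
{
    if (s == SCHED_HFSC)
        return bps;
    return bps > BW_32_MAX ? BW_32_MAX : bps;
}

/* Source-compatible versioning in the spirit of PFIOC_USE_LATEST: a consumer
 * that defines BW_USE_LATEST before including the header gets the newest
 * layout; unmodified code keeps getting version 0. */
#ifdef BW_USE_LATEST
typedef struct bw_v1 bw_t;
#else
typedef struct bw_v0 bw_t;
#endif

/* The size of the struct the caller compiled against identifies its version. */
size_t bw_abi_size(void)
{
    return sizeof(bw_t);
}

int main(void)
{
    const uint64_t hundred_gbps = 100000000000ULL;   /* constructed input */
    struct bw_v1 cfg = { hundred_gbps };

    printf("naive 32-bit store of 100 Gbps: %u bps\n", bw_naive_store(hundred_gbps));
    printf("version-0 view of 100 Gbps:     %u bps\n", bw_to_v0(&cfg).bandwidth);
    printf("CBQ clamp:  %llu bps\n",
           (unsigned long long)clamp_for_scheduler(SCHED_CBQ, hundred_gbps));
    printf("HFSC as-is: %llu bps\n",
           (unsigned long long)clamp_for_scheduler(SCHED_HFSC, hundred_gbps));
    printf("compiled against a %zu-byte bandwidth struct\n", bw_abi_size());
    return 0;
}
```

Saturating to 2^32 - 1 in bw_to_v0 is the safer failure mode for an old consumer: a wrapped value (here roughly 1.2 Gbps for a 100 Gbps queue) looks like a plausible configuration and would be enforced without complaint, while a pegged maximum is at least visibly wrong.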
  16. 22 Jun, 2018 1 commit
    • pf: Support "return" statements in passing rules when they fail. · 150182e3
      Kristof Provost authored
      Normally pf rules are expected to do one of two things: pass the traffic or
      block it. Blocking can be silent - "drop", or loud - "return", "return-rst",
      "return-icmp". Yet there is a 3rd category of traffic passing through pf:
      packets matching a "pass" rule for which applying the rule fails. This happens
      when the redirection table is empty or when src node or state creation fails. Such
      rules always fail silently without notifying the sender.
      
      Allow users to configure this behaviour too, so that pf returns an error packet
      in these cases.
      
      PR:		226850
      Submitted by:	Kajetan Staszkiewicz <vegeta tuxpowered.net>
      MFC after:	1 week
      Sponsored by:	InnoGames GmbH
  17. 27 Nov, 2017 1 commit
    • various: general adoption of SPDX licensing ID tags. · 1de7b4b8
      Pedro F. Giffuni authored
      Mainly focus on files that use BSD 2-Clause license, however the tool I
      was using misidentified many licenses so this was mostly a manual - error
      prone - task.
      
      The Software Package Data Exchange (SPDX) group provides a specification
      to make it easier for automated tools to detect and summarize well known
      opensource licenses. We are gradually adopting the specification, noting
      that the tags are considered only advisory and do not, in any way,
      supersede or replace the license texts.
      
      No functional change intended.
  18. 15 Nov, 2017 1 commit
    • pfctl: teach route-to to deal with interfaces with multiple addresses · 58c8430a
      Kristof Provost authored
      The route_host parsing code set the interface name, but only for the first
      node_host in the list. If that one happened to be the inet6 address and the
      rule wanted an inet address it'd get removed by remove_invalid_hosts() later
      on, and we'd have no interface name.
      
      We must set the interface name for all node_host entries in the list, not just
      the first one.
      
      PR:		223208
      MFC after:	2 weeks
  19. 28 Dec, 2016 1 commit
  20. 13 Oct, 2016 1 commit
  21. 04 Oct, 2016 1 commit
    • pf: remove fastroute tag · 813196a1
      Kristof Provost authored
      The tag fastroute came from ipf and was removed in OpenBSD in 2011. The code
      allows skipping the in pfil hooks and completely removes the out pfil invoke,
      albeit looking up a route that the IP stack will likely find on its own.
      The code between IPv4 and IPv6 is also inconsistent and has been marked "XXX"
      for years.
      
      Submitted by:	Franco Fichtner <franco@opnsense.org>
      Differential Revision:	https://reviews.freebsd.org/D8058
  22. 05 Aug, 2016 1 commit
  23. 04 Aug, 2016 1 commit
  24. 02 Aug, 2016 1 commit
    • pfctl: Allow TOS bits to be cleared · 0cd7a91a
      Kristof Provost authored
      TOS value 0 is valid, so use 256 as an invalid value rather than zero.
      This allows users to enforce TOS == 0 with pf.
      
      Reported by:	Radek Krejča <radek.krejca@starnet.cz>
  25. 17 Jun, 2016 1 commit
  26. 30 Apr, 2016 1 commit
  27. 14 Apr, 2016 1 commit
  28. 27 Aug, 2015 1 commit
    • pf: Remove support for 'scrub fragment crop|drop-ovl' · 64b3b4d6
      Kristof Provost authored
      The crop/drop-ovl fragment scrub modes are not very useful and likely to confuse
      users into making poor choices.
      It's also a fairly large amount of complex code, so just remove the support
      altogether.
      
      Users who have 'scrub fragment crop|drop-ovl' in their pf configuration will be
      implicitly converted to 'scrub fragment reassemble'.
      
      Reviewed by:	gnn, eri
      Relnotes:	yes
      Differential Revision:	https://reviews.freebsd.org/D3466
  29. 21 Aug, 2015 1 commit
    • Add ALTQ(9) support for the CoDel algorithm. · 0a70aaf8
      Luiz Otavio O Souza authored
      CoDel is a parameterless queue discipline that handles variable bandwidth
      and RTT.
      
      It can be used as the single queue discipline on an interface or as a sub
      discipline of existing queue disciplines such as PRIQ, CBQ, HFSC, FAIRQ.
      
      Differential Revision:	https://reviews.freebsd.org/D3272
      Reviewed by:	rpaulo, gnn (previous version)
      Obtained from:	pfSense
      Sponsored by:	Rubicon Communications (Netgate)
  30. 24 Jun, 2015 1 commit
  31. 16 Apr, 2015 1 commit
  32. 14 Sep, 2012 1 commit
    • o Create directory sys/netpfil, where all packet filters should reside, and move there ipfw(4) and pf(4). · 3b3a8eb9
      Gleb Smirnoff authored
      
      o Move most modified parts of pf out of contrib.
      
      Actual movements:
      
      sys/contrib/pf/net/*.c		-> sys/netpfil/pf/
      sys/contrib/pf/net/*.h		-> sys/net/
      contrib/pf/pfctl/*.c		-> sbin/pfctl
      contrib/pf/pfctl/*.h		-> sbin/pfctl
      contrib/pf/pfctl/pfctl.8	-> sbin/pfctl
      contrib/pf/pfctl/*.4		-> share/man/man4
      contrib/pf/pfctl/*.5		-> share/man/man5
      
      sys/netinet/ipfw		-> sys/netpfil/ipfw
      
      The arguable movement is pf/net/*.h -> sys/net. There are
      future plans to refactor pf includes, so I decided not to
      break things twice.
      
      Not modified bits of pf left in contrib: authpf, ftp-proxy,
      tftp-proxy, pflogd.
      
      The ipfw(4) movement is planned to be merged to stable/9,
      to make head and stable match.
      
      Discussed with:		bz, luigi
  33. 08 Sep, 2012 1 commit
    • Merge the projects/pf/head branch, that was worked on for last six months, into head. · d6d3f01e
      Gleb Smirnoff authored
      The most significant achievements in the new code:
      
       o Fine grained locking, thus much better performance.
       o Fixes to many problems in pf, that were specific to FreeBSD port.
      
      New code doesn't have that many ifdefs and much less OpenBSDisms, thus
      is more attractive to our developers.
      
      Those interested in details can browse through the SVN log of the
      projects/pf/head branch. And for reference, here is the exact list of
      revisions merged:
      
      r232043, r232044, r232062, r232148, r232149, r232150, r232298, r232330,
      r232332, r232340, r232386, r232390, r232391, r232605, r232655, r232656,
      r232661, r232662, r232663, r232664, r232673, r232691, r233309, r233782,
      r233829, r233830, r233834, r233835, r233836, r233865, r233866, r233868,
      r233873, r234056, r234096, r234100, r234108, r234175, r234187, r234223,
      r234271, r234272, r234282, r234307, r234309, r234382, r234384, r234456,
      r234486, r234606, r234640, r234641, r234642, r234644, r234651, r235505,
      r235506, r235535, r235605, r235606, r235826, r235991, r235993, r236168,
      r236173, r236179, r236180, r236181, r236186, r236223, r236227, r236230,
      r236252, r236254, r236298, r236299, r236300, r236301, r236397, r236398,
      r236399, r236499, r236512, r236513, r236525, r236526, r236545, r236548,
      r236553, r236554, r236556, r236557, r236561, r236570, r236630, r236672,
      r236673, r236679, r236706, r236710, r236718, r237154, r237155, r237169,
      r237314, r237363, r237364, r237368, r237369, r237376, r237440, r237442,
      r237751, r237783, r237784, r237785, r237788, r237791, r238421, r238522,
      r238523, r238524, r238525, r239173, r239186, r239644, r239652, r239661,
      r239773, r240125, r240130, r240131, r240136, r240186, r240196, r240212.
      
      I'd like to thank people who participated in early testing:
      
      Tested by:	Florian Smeets <flo freebsd.org>
      Tested by:	Chekaluk Vitaly <artemrts ukr.net>
      Tested by:	Ben Wilber <ben desync.com>
      Tested by:	Ian FREISLICH <ianf cloudseed.co.za>
  34. 05 Sep, 2012 1 commit
  35. 28 May, 2012 1 commit
  36. 03 Feb, 2012 1 commit
  37. 19 Oct, 2010 1 commit
  38. 10 Mar, 2010 1 commit
  39. 23 Jan, 2010 1 commit
    • MFC r200930: · bd277cec
      Xin LI authored
      Adapt OpenBSD pf's "sloppy" TCP state machine, which is useful for Direct
      Server Return mode, where not all packets would be visible to the load
      balancer or gateway.
      
      This commit should be reverted when we merge future pf versions.  The
      benefit it would provide is that this version does not break any existing
      public interface and thus won't be a problem if we want to MFC it to
      earlier FreeBSD releases.
      
      Discussed with:	mlaier
      Obtained from:	OpenBSD
      Sponsored by:	iXsystems, Inc.