Commit Graph

216 Commits

Author SHA1 Message Date
Warner Losh
fa9896e082 Remove $FreeBSD$: two-line nroff pattern
Remove /^\.\\"\n\.\\"\s*\$FreeBSD\$$\n/
2023-08-16 11:55:10 -06:00
Warner Losh
d0b2dbfa0e Remove $FreeBSD$: one-line sh pattern
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
2023-08-16 11:55:03 -06:00
Warner Losh
1d386b48a5 Remove $FreeBSD$: one-line .c pattern
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
2023-08-16 11:54:42 -06:00
Warner Losh
b3e7694832 Remove $FreeBSD$: two-line .h pattern
Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
2023-08-16 11:54:16 -06:00
Kristof Provost
f8b4f9aab5 pfctl: optionally clarify which anchors are layer 3 and which are Ethernet
When listing anchors pfctl lists both 'regular' layer 3 anchors and
Ethernet anchors. It's possible to have the same anchor name in both,
which can be confusing.

Mitigate this a little by explicitly marking where the Ethernet anchors
start. Avoid breaking scripts by only doing this at the second level
of verbosity.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2023-08-07 19:59:50 +02:00
Kristof Provost
010ee43f56 pf: initial SCTP support
Basic state tracking for SCTP. This means we scan through the packet to
identify the different chunks (so we can identify state changes).

MFC after:	3 weeks
Sponsored by:	Orange Business Services
Differential Revision:	https://reviews.freebsd.org/D40862
2023-07-21 12:32:18 +02:00
Kristof Provost
0bd4a6837c pfctl: SCTP can have port numbers
MFC after:	3 weeks
Sponsored by:	Orange Business Services
Differential Revision:	https://reviews.freebsd.org/D40861
2023-07-21 12:32:18 +02:00
Kajetan Staszkiewicz
c45d6b0ec0 pfctl: Add missing state parameters in DIOCGETSTATESV2
Reviewed by:	kp
Sponsored by:	InnoGames GmbH
Different Revision:	https://reviews.freebsd.org/D40259
2023-05-30 14:28:57 +02:00
Kristof Provost
9ec48bc31e pfctl: match expand_label_addr() prototype to definition
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2023-04-26 17:09:46 +02:00
Christian McDonald
ef661d4a5b pf: introduce ridentifier and labels to ether rules
Make Ethernet rules more similar to the usual layer 3 rules by also
allowing ridentifier and labels to be set on them.

Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2023-04-26 11:14:41 +02:00
Kristof Provost
dbce131b8f pfctl: match geticmpcodeby*()/print_fromto() prototypes to definitions
The definitions use sa_family_t, not u_int8_t.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2023-04-22 19:43:56 +02:00
Kristof Provost
5e3bb05147 pfctl: remove unneeded includes
We don't use nvlists (directly) or sysctls, so there's no need to
include the headers.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2023-04-22 19:43:55 +02:00
Simon J. Gerraty
d9a4274795 Update/fix Makefile.depend for userland 2023-04-18 17:14:23 -07:00
Kajetan Staszkiewicz
39282ef356 pf: backport OpenBSD syntax of "scrub" option for "match" and "pass" rules
Introduce the OpenBSD syntax of "scrub" option for "match" and "pass"
rules and the "set reassemble" flag. The patch is backward-compatible,
pf.conf can be still written in FreeBSD-style.

Obtained from:	OpenBSD
MFC after:	never
Sponsored by:	InnoGames GmbH
Differential Revision:	https://reviews.freebsd.org/D38025
2023-04-14 09:04:06 +02:00
Kristof Provost
1be25bdb73 pfctl: remove set but unused variable
In pfctl_show_ifaces() `i` is set, but never used. Remove it.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2023-03-06 19:22:35 +01:00
Kajetan Staszkiewicz
9f1beeaed4 pfctl: fix superblock printf format mismatch
It is impossible to compile pfctl with OPT_DEBUG due to integer width mismatch:

	/usr/home/kajetan.staszkiewicz/freebsd.git/sbin/pfctl/pfctl_optimize.c:1479:9: error: format specifies type 'unsigned int' but the argument has type 'unsigned long' [-Werror,-Wformat]
					    i - pf_rule_desc[closest].prf_off--- pfctl_optimize.o ---
	^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	/usr/home/kajetan.staszkiewicz/freebsd.git/sbin/pfctl/pfctl_optimize.c:52:44: note: expanded from macro 'DEBUG'
		printf("%s: " str "\n", __FUNCTION__ , ## v)
			      ~~~                         ^
	1 error generated.

Reviewed by:	kp
Obtained from:	OpenBSD (pfctl_optimize.c 1.15)
Differential Revision:	https://reviews.freebsd.org/D38918
2023-03-06 19:22:35 +01:00
Kristof Provost
cd80c52cad pfctl: rule.label is a two-dimensional array
Fix checking for a non-empty first string.

PR:		269075
MFC after:	1 week
Reported by:	nreilly@blackberry.com
2023-01-24 07:46:46 +01:00
Kristof Provost
88e858e57c pf: drop support for fragment crop|drop-ovl
We removed the code for these modes back in 2015, but converted such
configurations to 'scrub fragment reassemble'. It's been long enough,
drop the backwards compatibility glue too.

Reviewed by:	mjg
MFC after:	never
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D37460
2022-11-28 20:19:12 +01:00
Kristof Provost
57e047e51c pf: allow scrub rules without fragment reassemble
scrub rules have defaulted to handling fragments for a long time, but
since we removed "fragment crop" and "fragment drop-ovl" in 64b3b4d611
this has become less obvious and more expensive ("reassemble" being the
more expensive option, even if it's the one the vast majority of users
should be using).

Extend the 'scrub' syntax to allow fragment reassembly to be disabled,
while retaining the other scrub behaviour (e.g. TTL changes, random-id,
..) using 'scrub fragment no reassemble'.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D37459
2022-11-28 20:19:05 +01:00
Kristof Provost
8a8af94240 pf: bridge-to
Allow pf (l2) to be used to redirect ethernet packets to a different
interface.

The intended use case is to send 802.1x challenges out to a side
interface, to enable AT&T links to function with pfSense as a gateway,
rather than the AT&T provided hardware.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D37193
2022-11-02 15:45:23 +01:00
Kristof Provost
444a77ca85 pf: expose syncookie active/inactive status
When syncookies are in adaptive mode they may be active or inactive.
Expose this status to users.

Suggested by:	Guido van Rooij
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-10-31 18:14:09 +01:00
Kristof Provost
1d090028d3 pf: use time_to for timestamps
Use time_t rather than uint32_t to represent the timestamps. That means
we have 64 bits rather than 32 on all platforms except i386, avoiding
the Y2K38 issues on most platforms.

Reviewed by:	Zhenlei Huang
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D36837
2022-10-05 17:52:27 +02:00
John Baldwin
d74024a490 pfctl: Fix mismatch in array bounds for pfr_next_token().
Reviewed by:	kp, emaste
Differential Revision:	https://reviews.freebsd.org/D36806
2022-10-03 16:10:41 -07:00
Kristof Provost
cfa1a13087 pfctl: fix recrusive printing of ethernet anchors
Similar to the preceding fix for layer three rules, ensure that we
recursively list wildcard anchors for ethernet rules.

MFC after:	3 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D36417
2022-09-06 13:19:10 +02:00
Kristof Provost
585a5ed0be pfctl: fix recrusive printing of anchors
Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning

Also fix the relevant pfctl test case to reflect the new (and now
correct) behaviour).

MFC after:	3 weeks
Obtained from:	OpenBSD (mcbride, f9a568a27c740528301ca3419316c85a9fc7f1de)
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D36416
2022-09-06 10:42:10 +02:00
Kristof Provost
ed5eb77e18 pfctl: fix printing anchors
Ensure that we pass the (base) anchorname to the kernel, not the '/*'
suffix.

MFC after:	3 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D36415
2022-09-06 10:42:09 +02:00
Franco Fichtner
28b64169ea pf: stop resolving hosts as dns that use ":" modifier
When the interface does not exist avoid passing host with special pf
modifiers to DNS resolution as they come up empty anyway.

Reviewed by:	kp
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D35429
2022-08-08 18:31:52 +02:00
Kristof Provost
63167eb48c pfctl tests: test case for the POM_STICKYADDRESS fix
In 1e73fbd8b we fixed an issue with POM_STICKYADDRESS being checked in
the wrong struct.
Add a basic test case for this fix.

MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-08-08 09:30:42 +02:00
Franco Fichtner
1e73fbd8b2 pfctl: fix FOM_ICMP/POM_STICKYADDRESS clash
pass inet proto icmp icmp-type {unreach}
	pass route-to (if0 127.0.0.1/8) sticky-address inet

The wrong struct was being tested. The parser tries to prevent
"sticky-address sticky-address" syntax but was actually cross-rule
enforcing that ICMP filter cannot be before the use of "sticky-address"
in next rule.

MFC after:	2 weeks
Reviewed by:	kp
Differential Revision:	https://reviews.freebsd.org/D36050
2022-08-06 14:22:42 +02:00
Gordon Bergling
c9856c4ffb pfctl(8): Fix a typo in a source code comment
- s/bufer/buffer/

MFC after:	3 days
2022-07-16 13:48:30 +02:00
Kristof Provost
1f61367f8d pf: support matching on tags for Ethernet rules
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D35362
2022-06-20 10:16:20 +02:00
Jessica Clarke
2986638550 pfctl: fix out-of-bounds access
If pfctl is called with "pfctl -a ''" we read outside of the anchoropt
buffer. Check that the buffer is sufficiently long to avoid that.

Maintain the existing (and desired, because it's used as such in
/etc/periodic/security/520.pfdenied) behaviour of treating "-a ''" as a
request for the root anchor (or no anchor specified).

PR:		264128
Reviewed by:	kp
2022-05-22 10:31:42 +02:00
Reid Linnemann
0abcc1d2d3 pf: Add per-rule timestamps for rule and eth_rule
Similar to ipfw rule timestamps, these timestamps internally are
uint32_t snaps of the system time in seconds. The timestamp is CPU local
and updated each time a rule or a state associated with a rule or state
is matched.

Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D34970
2022-04-22 19:53:20 +02:00
Kristof Provost
c90f8cb899 pfctl tests: fix Ethernet output expectations
Since a16732d670 we always print the l3 src/destination for Ethernet
rules. Update the tests to account for this.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-04-21 10:26:00 +02:00
Kristof Provost
a16732d670 pfctl: always print 'l3' source/destination
While the kernel only performs the L3 check for
ETHERTYPE_IP/ETHERTYPE_IP6 we should always print the source and
destination addresses.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D34918
2022-04-20 13:01:12 +02:00
Kristof Provost
812839e5aa pf: allow the use of tables in ethernet rules
Allow tables to be used for the l3 source/destination matching.
This requires taking the PF_RULES read lock.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D34917
2022-04-20 13:01:12 +02:00
Matteo Riondato
d86cf44350 pfctl: fix recursive printing of rules
When asked to print rules recursively, correctly recurse for anchors
included in pf.conf with "anchorname/*".

PR:		262590
Reviewed by:	kp
MFC after:	3 weeks
2022-04-14 17:25:41 +02:00
Reid Linnemann
4823489ab6 libpfctl: relocate implementations of pfr_add/get/set_addrs
Reviewed by:	kp
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D34740
2022-04-04 19:14:23 +02:00
Mateusz Guzik
c4a08ef2af pf: handle duplicate rules gracefully
Reviewed by:	kp
Reported by:	dch
PR:		262971
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-04-01 18:01:48 +00:00
Kristof Provost
d27c9f5bc3 pf: fixup match rules
Ensure that we can set and print match rules in ethernet rules.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-03-30 10:28:19 +02:00
Kristof Provost
9bb06778f8 pf: support listing ethernet anchors
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-03-30 10:28:19 +02:00
Gordon Bergling
2fa6223aaa pfctl(8): Fix a typo in a comment
- s/steping/stepping/

MFC after:	3 days
2022-03-28 19:35:55 +02:00
Kristof Provost
3468cd95ca pf: ether l3 rules can only use addresses
Disallow the use of tables in ethernet rules. Using tables requires
taking the PF_RULES lock. Moreover, the current table code isn't ready
to deal with ethernet rules.

Disallow their use for now.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-03-25 11:13:47 +01:00
Kristof Provost
a632d9e360 pfctl: fix retrieving nested nat-anchors
When retrieving nat rules in anchors we need to set the path just like
we do for regular rules.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-03-17 22:37:06 +01:00
Matteo Riondato
cd8438e5a3 pfctl: fix retrieving nested anchors
PR:		262622
MFC after:	1 week
Reviewed by:	kp
2022-03-17 22:37:05 +01:00
Kristof Provost
8a42005d1e pf: support basic L3 filtering in the Ethernet rules
Allow filtering based on the source or destination IP/IPv6 address in
the Ethernet layer rules.

Reviewed by:	pauamma_gundo.com (man), debdrup (man)
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D34482
2022-03-14 22:42:37 +01:00
Kristof Provost
c4e49c3a65 pfctl: remove unused variable
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-03-08 13:57:46 +01:00
Kristof Provost
8c1400b0a1 libpfct: factor out pfctl_get_rules_info()
Introduce pfctl_get_rules_info(), similar to pfctl_get_eth_rules_info()
to retrieve rules information (ticket and total number of rules).

Use the new function in pfctl.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D34443
2022-03-08 13:57:45 +01:00
Kristof Provost
f0c334e4de libpfctl: support flushing rules/nat/eth
Move the code to flush regular rules, nat rules and Ethernet rules into
libpfctl for easier re-use.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D34442
2022-03-08 13:57:45 +01:00
Kristof Provost
a20773c810 pfctl: support recursive printing of nat rules
PR:		252617
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D34455
2022-03-08 10:51:09 +01:00