Commit Graph

786 Commits

Author SHA1 Message Date
Kristof Provost
93abcf17e6 pf: Support killing 'matching' states
Optionally also kill states that match (i.e. are the NATed state or
opposite direction state entry for) the state we're killing.

See also https://redmine.pfsense.org/issues/8555

Submitted by:	Steven Brown
Reviewed by:	bcr (man page)
Obtained from:	https://github.com/pfsense/FreeBSD-src/pull/11/
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D30092
2021-05-07 22:13:31 +02:00
Kristof Provost
abbcba9cf5 pf: Allow states to by killed per 'gateway'
This allows us to kill states created from a rule with route-to/reply-to
set.  This is particularly useful in multi-wan setups, where one of the
WAN links goes down.

Submitted by:	Steven Brown
Obtained from:	https://github.com/pfsense/FreeBSD-src/pull/11/
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D30058
2021-05-07 22:13:31 +02:00
Kristof Provost
e989530a09 pf: Introduce DIOCKILLSTATESNV
Introduce an nvlist based alternative to DIOCKILLSTATES.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D30054
2021-05-07 22:13:30 +02:00
Kristof Provost
7606a45dcc pf: Introduce DIOCCLRSTATESNV
Introduce an nvlist variant of DIOCCLRSTATES.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D30052
2021-05-07 22:13:30 +02:00
Kristof Provost
055c55abef pf: Fix IP checksum on reassembly
If we reassemble a packet we modify the IP header (to set the length and
remove the fragment offset information), but we failed to update the
checksum. On certain setups (mostly where we did not re-fragment again
afterwards) this could lead to us sending out packets with incorrect
checksums.

PR:		255432
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D30026
2021-04-30 08:19:46 +02:00
Kristof Provost
eaabed8ac4 pf: Trivial typo fix
PV -> PF

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-04-29 15:25:07 +02:00
Kristof Provost
6b146f3b9b pf: Error tracing SDTs
Add additional DTrace static trace points to facilitate debugging
failing pf ioctl calls.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-04-28 17:19:10 +02:00
Kristof Provost
402dfb0a8d pf: Fix parsing of long table names
When parsing the nvlist for a struct pf_addr_wrap we unconditionally
tried to parse "ifname". This broke for PF_ADDR_TABLE when the table
name was longer than IFNAMSIZ. PF_TABLE_NAME_SIZE is longer than
IFNAMSIZ, so this is a valid configuration.

Only parse (or return) ifname or tblname for the corresponding
pf_addr_wrap type.

This manifested as a failure to set rules such as these, where the pfctl
optimiser generated an automatic table:

	pass in proto tcp to 192.168.0.1 port ssh
	pass in proto tcp to 192.168.0.2 port ssh
	pass in proto tcp to 192.168.0.3 port ssh
	pass in proto tcp to 192.168.0.4 port ssh
	pass in proto tcp to 192.168.0.5 port ssh
	pass in proto tcp to 192.168.0.6 port ssh
	pass in proto tcp to 192.168.0.7 port ssh

Reported by:	Florian Smeets
Tested by:	Florian Smeets
Reviewed by:	donner
X-MFC-With:	5c11c5a365
MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29962
2021-04-26 18:08:15 +02:00
Kristof Provost
5f5bf88949 pfsync: Expose PFSYNCF_OK flag to userspace
Add 'syncok' field to ifconfig's pfsync interface output. This allows
userspace to figure out when pfsync has completed the initial bulk
import.

Reviewed by:	donner
MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29948
2021-04-26 14:31:17 +02:00
Kristof Provost
6fcc8e042a pf: Allow multiple labels to be set on a rule
Allow up to 5 labels to be set on each rule.
This offers more flexibility in using labels. For example, it replaces
the customer 'schedule' keyword used by pfSense to terminate states
according to a schedule.

Reviewed by:	glebius
MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29936
2021-04-26 14:14:21 +02:00
Mark Johnston
652908599b Add required checks for unmapped mbufs in ipdivert and ipfw
Also add an M_ASSERTMAPPED() macro to verify that all mbufs in the chain
are mapped.  Use it in ipfw_nat, which operates on a chain returned by
m_megapullup().

PR:		255164
Reviewed by:	ae, gallatin
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D29838
2021-04-21 15:47:05 -04:00
Kristof Provost
586aab9e0a pf: Refactor state killing
Extract the state killing code from pfioctl() and rephrase the filtering
conditions for readability.

No functional change intended.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29795
2021-04-20 09:30:23 +02:00
Kristof Provost
42ec75f83a pf: Optionally attempt to preserve rule counter values across ruleset updates
Usually rule counters are reset to zero on every update of the ruleset.
With keepcounters set pf will attempt to find matching rules between old
and new rulesets and preserve the rule counters.

MFC after:	4 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29780
2021-04-19 14:31:47 +02:00
Kristof Provost
8bb0f1b87b pf: Remove PFRULE_REFS from userspace
PFRULE_REFS should never be used by userspace, so hide it behind #ifdef
_KERNEL.

MFC after:	never
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29779
2021-04-19 14:31:47 +02:00
Kristof Provost
4f1f67e888 pf: PFRULE_REFS should not be user-visible
Split the PFRULE_REFS flag from the rule_flag field. PFRULE_REFS is a
kernel-internal flag and should not be exposed to or read from
userspace.

MFC after:	4 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29778
2021-04-19 14:31:47 +02:00
Andrey V. Elsukov
9bacbf1ae2 ipfw: do not use sleepable malloc in callout context.
Use M_NOWAIT flag when hash growing is called from callout.

PR:             255041
Reviewed by:	kevans
MFC after:	10 days
Differential Revision: https://reviews.freebsd.org/D29772
2021-04-16 10:22:44 +03:00
Kurosawa Takahiro
2aa21096c7 pf: Implement the NAT source port selection of MAP-E Customer Edge
MAP-E (RFC 7597) requires special care for selecting source ports
in NAT operation on the Customer Edge because a part of bits of the port
numbers are used by the Border Relay to distinguish another side of the
IPv4-over-IPv6 tunnel.

PR:		254577
Reviewed by:	kp
Differential Revision:	https://reviews.freebsd.org/D29468
2021-04-13 10:53:18 +02:00
Kristof Provost
5e98cae661 pf: Ensure that we don't use kif passed to pfi_kkif_attach()
Once a kif is passed to pfi_kkif_attach() we must ensure we never re-use
it for anything else.
Set the kif to NULL afterwards to guarantee this.

Reported-by: syzbot+be5d4f4a7a4c295e659a@syzkaller.appspotmail.com
MFC after:	4 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-04-12 11:55:21 +02:00
Kristof Provost
a9b338b260 pf: Move prototypes for userspace functions to userspace header
These functions no longer exist in the kernel, so there's no reason to
keep the prototypes in a kernel header. Move them to pfctl where they're
actually implemented.

Reviewed by:	glebius
MFC after:	4 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29643
2021-04-10 11:16:02 +02:00
Kristof Provost
d710367d11 pf: Implement nvlist variant of DIOCGETRULE
MFC after:	4 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29559
2021-04-10 11:16:01 +02:00
Kristof Provost
5c62eded5a pf: Introduce nvlist variant of DIOCADDRULE
This will make future extensions of the API much easier.
The intent is to remove support for DIOCADDRULE in FreeBSD 14.

Reviewed by:	markj (previous version), glebius (previous version)
MFC after:	4 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29557
2021-04-10 11:16:00 +02:00
Kristof Provost
4967f672ef pf: Remove unused variable rt_listid from struct pf_krule
Reviewed by:	donner
MFC after:	4 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29639
2021-04-08 13:24:35 +02:00
Kristof Provost
6d786845cf pf: Do not short-circuit processing for REPLY_TO
When we find a state for packets that was created by a reply-to rule we
still need to process the packet. The state may require us to modify the
packet (e.g. in rdr or nat cases), which we won't do with the shortcut.

MFC after:	2 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-04-07 17:03:17 +02:00
Kristof Provost
f4c0290916 pf: Add static DTrace probe points
These two have proven to be useful during debugging. We may as well keep
them permanently.
Others will be added as their utility becomes clear.

Reviewed by:	gnn
MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29555
2021-04-05 09:57:06 +02:00
Kristof Provost
829a69db85 pf: change pf_route so pf only runs when packets enter and leave the stack.
before this change pf_route operated on the semantic that pf runs
when packets go over an interface, so when pf_route changed which
interface the packet was on it would run pf_test again. this change
changes (restores) the semantic that pf is only supposed to run
when packets go in or out of the network stack, even if route-to
is responsibly for short circuiting past the network stack.

just to be clear, for normal packets (ie, those not touched by
route-to/reply-to/dup-to), there isn't a difference between running
pf when packets enter or leave the stack, or having pf run when a
packet goes over an interface.

the main reason for this change is that running the same packet
through pf multiple times creates confusion for the state table.
by default, pf states are floating, meaning that packets are matched
to states regardless of which interface they're going over. if a
packet leaving on em0 is rerouted out em1, both traversals will end
up using the same state, which at best will make the accounting
look weird, or at worst fail some checks in the state and get
dropped.

another reason for this commit is is to make handling of the changes
that route-to makes consistent with other changes that are made to
packet. eg, when nat is applied to a packet, we don't run pf_test
again with the new addresses.

the main caveat with this diff is you can't have one rule that
pushes a packet out a different interface, and then have a rule on
that second interface that NATs the packet. i'm not convinced this
ever worked reliably or was used much anyway, so we don't think
it's a big concern.

discussed with many, with special thanks to bluhm@, sashan@ and
sthen@ for weathering most of that pain.
ok claudio@ sashan@ jmatthew@

Obtained from:	OpenBSD
MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29554
2021-04-05 09:57:06 +02:00
Ed Maste
92d1463e02 pf: remove obsolete reference to ndis(4) in a comment 2021-03-25 14:44:30 -04:00
Kristof Provost
320bed3c00 dummynet: Move timekeeping information into dn_cfg
Just like with the packet counters move the timekeeping information into
dn_cfg. This reduces the global name space use for dummynet and will
make subsequent work to add vnet support and re-use in pf easier.

Reviewed by:	donner
MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Different Revision:	https://reviews.freebsd.org/D29246
2021-03-23 18:01:58 +01:00
Kristof Provost
cd5671efc0 dummynet: Move packet counters into dn_cfg
Move the packets counters into the dn_cfg struct. This reduces the
global name space use for dummynet and will make future work for things
like vnet support and re-use in pf easier.

Reviewed by:	donner
MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29245
2021-03-23 18:01:58 +01:00
Mark Johnston
b93a796b06 pf: Handle unmapped mbufs when computing checksums
PR:		254419
Reviewed by:	gallatin, kp
Tested by:	Igor A. Valkov <viaprog@gmail.com>
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D29378
2021-03-23 10:04:31 -04:00
Thomas Kurschel
9f2e518417 pfsync: Unconditionally push packets when requesting state updates
When we request a bulk sync we need to ensure we actually send out that
request, not just buffer it until we have enough data to send a full
packet.

PR:		254236
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D29271
2021-03-17 19:18:14 +01:00
Kristof Provost
15b82e00a1 pf: pool/kpool conversion code
stuct pf_pool and struct pf_kpool are different. We should not simply
bcopy() them.

Happily it turns out that their differences were all pointers, and the
userspace provided pointers were overwritten by the kernel, so this did
actually work correctly, but we should fix it anyway.

Reviewed by:	glebius
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29216
2021-03-16 10:30:28 +01:00
Gordon Bergling
183502d162 Fix a few typos in comments
- trough -> through

MFC after:	1 week
2021-03-13 16:37:28 +01:00
Kristof Provost
cecfaf9bed pf: Fully remove interrupt events on vnet cleanup
swi_remove() removes the software interrupt handler but does not remove
the associated interrupt event.
This is visible when creating and remove a vnet jail in `procstat -t
12`.

We can remove it manually with intr_event_destroy().

PR:		254171
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D29211
2021-03-12 12:12:43 +01:00
Kristof Provost
28dc2c954f pf: Simplify cleanup
We can now counter_u64_free(NULL), so remove the checks.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29190
2021-03-12 12:12:35 +01:00
Kristof Provost
913e7dc3e0 pf: Remove redundant kif != NULL checks
pf_kkif_free() already checks for NULL, so we don't have to check before
we call it.

Reviewed by:	melifaro@
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29195
2021-03-11 10:39:43 +01:00
Kristof Provost
5e9dae8e14 pf: Factor out pf_krule_free()
Reviewed by:	melifaro@
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29194
2021-03-11 10:39:43 +01:00
Kristof Provost
bb4a7d94b9 net: Introduce IPV6_DSCP(), IPV6_ECN() and IPV6_TRAFFIC_CLASS() macros
Introduce convenience macros to retrieve the DSCP, ECN or traffic class
bits from an IPv6 header.

Use them where appropriate.

Reviewed by:	ae (previous version), rscheff, tuexen, rgrimes
MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29056
2021-03-04 20:56:48 +01:00
Kristof Provost
f19323847c pf: Retrieve DSCP value from the IPv6 header
Teach pf to read the DSCP value from the IPv6 header so that we can
match on them.

Reviewed by:	donner
MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29048
2021-03-04 20:56:48 +01:00
Andrey V. Elsukov
a9f7eba959 ipfw: add IPv6 support for sockarg opcode.
MFC after:	1 week
Sponsored by:	Yandex LLC
2021-03-02 12:45:59 +03:00
Kristof Provost
5f1b1f184b pf: Fix incorrect fragment handling
A sequence of overlapping IPv4 fragments could crash the kernel in
pf due to an assertion.

Reported by:	Alexander Bluhm
Obtained from:	OpenBSD
MFC after:	3 days
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-02-25 21:51:08 +01:00
Kristof Provost
2ed689a674 pf: Fix osfp configuration
pf_rule_to_krule() incorrectly converted the rule osfp configuration to
the krule structure.

Reported by:	delphij@
MFC after:	3 days
2021-02-18 08:38:28 +01:00
Kristof Provost
c4e0f7aa1a pf: Assert that pfil_link() calls succeed
These should only fail if we use them incorrectly, so assert that they
succeed.

MFC after:      1 week
Sponsored by:   Rubicon Communications, LLC (“Netgate”’)
2021-02-17 14:04:20 +01:00
Kristof Provost
8a439f324e pf: Remove unused return value from (de)hook_pf()
These functions always return 0, which is good, because the code calling
them doesn't handle this error gracefully.

As the functions always succeed remove their return value, and the code
handling their errors (because it was never executed anyway).

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC (“Netgate”’)
2021-02-17 09:15:40 +01:00
Kristof Provost
5e42cb139f pf: Slightly relax pf_rule_addr validation
Ensure we don't reject no-route / urpf-failed addresses.

PR:		253479
Reported by:	michal AT microwave.sk
Revied by:	donner@
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D28650
2021-02-14 12:07:31 +01:00
Neel Chauhan
a08cdb6cfb Allow setting alias port ranges in libalias and ipfw. This will allow a system
to be a true RFC 6598 NAT444 setup, where each network segment (e.g. user,
subnet) can have their own dedicated port aliasing ranges.

Reviewed by:		donner, kp
Approved by:		0mp (mentor), donner, kp
Differential Revision:	https://reviews.freebsd.org/D23450
2021-02-02 13:24:17 -08:00
Yannis Planus
0c458752ce pf: duplicate frames only once when using dup-to pf rule
When using DUP-TO rule, frames are duplicated 3 times on both output
interfaces and duplication interface. Add a flag to not duplicate a
duplicated frame.

Inspired by a patch from Miłosz Kaniewski milosz.kaniewski at gmail.com
https://lists.freebsd.org/pipermail/freebsd-pf/2015-November/007886.html

Reviewed by:		kp@
Differential Revision:	https://reviews.freebsd.org/D27018
2021-01-28 16:46:44 +01:00
Kristof Provost
7a808c5ee3 pf: Improve pf_rule input validation
Move the validation checks to pf_rule_to_krule() to reduce duplication.
This also makes the checks consistent across different ioctls.

Reported-by:	syzbot+e9632d7ad17398f0bd8f@syzkaller.appspotmail.com
Reviewed by:	tuexen@, donner@
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D28362
2021-01-27 16:42:14 +01:00
Kristof Provost
ea36212bf5 pf: Don't hold PF_RULES_WLOCK during copyin() on DIOCRCLRTSTATS
We cannot hold a non-sleepable lock during copyin(). This means we can't
safely count the table, so instead we fall back to the pf_ioctl_maxcount
used in other ioctls to protect against overly large requests.

Reported by:	syzbot+81e380344d4a6c37d78a@syzkaller.appspotmail.com
MFC after:	1 week
2021-01-13 19:49:42 +01:00
Kristof Provost
86b653ed7e pf: quiet debugging printfs
Only log these when debugging output is enabled.
2021-01-11 22:30:44 +01:00
Kristof Provost
0fcb03fbac pf: Copy kif flags to userspace
This was overlooked in the pfi_kkif/pfi_kif splitup and as a result
userspace could no longer tell which interfaces had the skip flag
applied.

MFC after:	2 weeks
2021-01-07 22:26:05 +01:00