Revision tags: release/13.4.0-p5, release/13.5.0-p1, release/14.2.0-p3, release/13.5.0, release/14.2.0-p2, release/14.1.0-p8, release/13.4.0-p4, release/14.1.0-p7, release/14.2.0-p1, release/13.4.0-p3, release/14.2.0
e3a9f412 | 20-Sep-2024 | Kristof Provost <[email protected]>
libpfctl: ensure we return useful error codes

Return errno rather than -1 on error. This allows pfctl to report much more useful errors.

Reported by: Alexander Leidinger <[email protected]>
MFC after: 1 week
(cherry picked from commit 93e96359c980ccf318fe089b30b863f7c910b622)

Revision tags: release/13.4.0, release/14.1.0
14c2c791 | 26-Apr-2024 | Kristof Provost <[email protected]>
libpfctl: fix incorrect pcounters array size

The array is 2 x 2 x 2, not 2 x 2 x 3.

Sponsored by: Rubicon Communications, LLC ("Netgate")
MFC after: 2 weeks
(cherry picked from commit a3f7176523e8611b259cefd7431c01e24f446db7)

Revision tags: release/13.3.0
68013761 | 17-Nov-2023 | Kristof Provost <[email protected]>
libpfctl: handle pfctl_do_ioctl() failures better

Ensure that we free nvlists and other allocations if pfctl_do_ioctl() fails.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 498934c5ff51e6b0d3199db5d27ed11b1e8b9582)

8423bf2a | 17-Nov-2023 | Kristof Provost <[email protected]>
libpfctl: handle allocation failure

While it's unlikely for userspace to fail to allocate memory, it is still possible. Handle malloc() returning NULL.

Reported by: Bill Meeks <[email protected]>
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 33d55d0d0f33787e9e2796b5000be73af42573bc)

Revision tags: release/14.0.0
94b8a547 | 06-Nov-2023 | Kristof Provost <[email protected]>
pf: expose more syncookie state information to userspace

Allow userspace to retrieve low and high water marks, as well as the current number of half open states.

MFC after: 1 week
Sponsored by: Modirum MDPay
(cherry picked from commit a6173e94635b03aa7aab90a67785c8c3e7c6247b)

228ae541 | 27-Oct-2023 | Kristof Provost <[email protected]>
libpfctl: be more tolerant of kernel extensions

Allow the kernel to supply more array elements than expected, but cut off when we hit what we think the maximum is. This will improve forward compatibility (i.e. old userspace with newer kernel).

Reviewed by: zlei
MFC after: 1 week
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D42392
(cherry picked from commit 2b1eb63fc9c6d6f64baaac59b7ea7c2a3228c03f)

71ae1f46 | 30-Oct-2023 | Kristof Provost <[email protected]>
libpfctl: add missing pfctl_status_lcounter() function

We already had accessors for the other types of counters, but not this one.

MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 1c824f430a395cdc66e22406e72f20ebd300e47e)

275078f1 | 23-Oct-2023 | Kristof Provost <[email protected]>
libpfctl: fix Coverity issues

- handle snl_finalize_msg() returning NULL
- insert the correct data into the states list
- add missing nvlist_destroy()
- incorrect order for array bounds

Coverity: 1522929, 1522925, 1522923, 1522921, 1522780, 1522770, 1522764, 1487785, 1471250
Reviewed by: emaste
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42330
(cherry picked from commit 4abc3b482e0d246cd3518622223795c8de102130)

9f5ab6bd | 23-Oct-2023 | Kristof Provost <[email protected]>
libpfctl: fix pfctl_do_ioctl()

pfctl_do_ioctl() copies the packed request data into the request buffer and then frees it. However, it's possible for the buffer to be too small for the reply, causing us to allocate a new buffer. We then copied from the freed request, and freed it again.

Do not free the request buffer until we're all the way done.

PR: 274614
Reviewed by: emaste
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42329
(cherry picked from commit 2cffb52514b070e716e700c7f58fdb8cd9b05335)

9a9535e4 | 29-Aug-2023 | Kristof Provost <[email protected]>
libpfctl: implement status counter accessor functions

The new nvlist-based status call allows us to easily add new counters. However, the libpfctl interface defines a TAILQ, so it's not quite trivial to find the counter consumers are interested in.

Provide convenience functions to access the counters.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D41649
(cherry picked from commit e3d3d61a7d94a4155ef70048a8b578985fca8383)

be47dc1f | 29-Aug-2023 | Kristof Provost <[email protected]>
libpfctl: allow pfctl_free_status(NULL)

Mimic free() and friends, and allow free()ing of NULL.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D41648
(cherry picked from commit 0b01878fd00b128ce3dead119b37781048744d39)

b3e76948 | 16-Aug-2023 | Warner Losh <[email protected]>
Remove $FreeBSD$: two-line .h pattern

Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/

6422599e | 26-Jul-2023 | Kristof Provost <[email protected]>
libpfctl: ensure the initial allocation is large enough

Ensure that we allocate enough memory for the packed nvlist, no matter what size hint was provided.

MFC after: 1 week
Reported by: R. Christian McDonald <[email protected]>
Sponsored by: Rubicon Communications, LLC ("Netgate")

c45d6b0e | 29-May-2023 | Kajetan Staszkiewicz <[email protected]>
pfctl: Add missing state parameters in DIOCGETSTATESV2

Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D40259

ef661d4a | 24-Apr-2023 | Christian McDonald <[email protected]>
pf: introduce ridentifier and labels to ether rules

Make Ethernet rules more similar to the usual layer 3 rules by also allowing ridentifier and labels to be set on them.

Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")

39282ef3 | 13-Apr-2023 | Kajetan Staszkiewicz <[email protected]>
pf: backport OpenBSD syntax of "scrub" option for "match" and "pass" rules

Introduce the OpenBSD syntax of "scrub" option for "match" and "pass" rules and the "set reassemble" flag. The patch is backward-compatible; pf.conf can still be written in FreeBSD style.

Obtained from: OpenBSD
MFC after: never
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D38025

Revision tags: release/13.2.0
48c519be | 22-Mar-2023 | John Baldwin <[email protected]>
libpfctl: Don't pass stack garbage to free.

GCC 9 on stable/12 reports a -Wmaybe-uninitialized error for the call to free in _pfctl_clear_states.

Reviewed by: mjg
Differential Revision: https://reviews.freebsd.org/D39198

Revision tags: release/12.4.0
8a8af942 | 22-Sep-2022 | Kristof Provost <[email protected]>
pf: bridge-to

Allow pf (l2) to be used to redirect Ethernet packets to a different interface.

The intended use case is to send 802.1x challenges out to a side interface, to enable AT&T links to function with pfSense as a gateway, rather than the AT&T provided hardware.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D37193

444a77ca | 24-Sep-2022 | Kristof Provost <[email protected]>
pf: expose syncookie active/inactive status

When syncookies are in adaptive mode they may be active or inactive. Expose this status to users.

Suggested by: Guido van Rooij
Sponsored by: Rubicon Communications, LLC ("Netgate")

6049ee60 | 08-Sep-2022 | Kristof Provost <[email protected]>
libpfctl: improve syncookie watermark calculation

Ensure that we always pass sane limits for the high and low watermark values. This is especially important if users do something silly, like set the state limit to 1. In that case we wound up calculating 0/0 as a limit, which gets rejected by the kernel.

While here also shift the calculation to use uint64_t, so we don't end up with overflows (and subsequently higher low than high values) with very large state limits.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D36497

1f61367f | 31-May-2022 | Kristof Provost <[email protected]>
pf: support matching on tags for Ethernet rules

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35362

Revision tags: release/13.1.0
0abcc1d2 | 22-Apr-2022 | Reid Linnemann <[email protected]>
pf: Add per-rule timestamps for rule and eth_rule

Similar to ipfw rule timestamps, these timestamps internally are uint32_t snaps of the system time in seconds. The timestamp is CPU local and updated each time a rule or a state associated with a rule or state is matched.

Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34970

7ed19f5c | 14-Apr-2022 | Kristof Provost <[email protected]>
libpfctl: grow request buffer on ENOSPC

When we issue a request to pf and expect a serialised nvlist as a reply we have to supply a suitable buffer to the kernel. The required size for this buffer is difficult to predict, and may be (slightly) different from request to request. If it's insufficient the kernel will return ENOSPC. Teach libpfctl to catch this and send the request again with a larger buffer.

MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34908

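The ENOSPC retry described in commit 7ed19f5c and the lifetime bug fixed in commit 9f5ab6bd concern the same loop: the packed request is copied into a buffer, the kernel is asked to fill that buffer with a reply, and on ENOSPC the buffer is grown and the request re-sent. The following is an added illustration, not libpfctl's own code: `fake_kernel_ioctl()`, `struct example_req`, `example_do_ioctl()` and the reply bytes are constructed stand-ins for the pf ioctl and its serialised nvlist. It shows the retry loop written so that the packed request outlives every attempt (the fix from 9f5ab6bd), the initial allocation never being smaller than the request (6422599e), and an errno value rather than -1 being returned on failure (e3a9f412).

```c
/*
 * Added example, not libpfctl's code: grow-on-ENOSPC retry with the
 * packed request kept alive until the final attempt is done.
 * fake_kernel_ioctl() stands in for the real pf DIOC* ioctl; its reply
 * and its ENOSPC behaviour are constructed for this example.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct example_req {
	void	*data;	/* packed request in, packed reply out */
	size_t	 size;	/* capacity of data; set to reply length on success */
};

/* Constructed reply; a real kernel would serialise an nvlist here. */
static const char fake_reply[] =
    "constructed-reply:states=3;counters=7;syncookies=adaptive";

/* Stand-in for the kernel side: fill the buffer if it is large enough,
 * otherwise fail with ENOSPC the way the pf ioctls do. */
static int
fake_kernel_ioctl(struct example_req *req)
{
	if (req->size < sizeof(fake_reply)) {
		errno = ENOSPC;
		return (-1);
	}
	memcpy(req->data, fake_reply, sizeof(fake_reply));
	req->size = sizeof(fake_reply);
	return (0);
}

/*
 * Send the packed request, doubling the buffer on ENOSPC. The packed
 * request is borrowed from the caller and never freed here, so every
 * retry copies from memory that is still valid. Returns 0 and hands
 * back the reply buffer (caller frees it), or an errno value.
 */
int
example_do_ioctl(const void *packed, size_t packed_len, size_t size_hint,
    void **reply, size_t *reply_len, int *attempts)
{
	struct example_req req;
	void *buf, *nbuf;
	size_t size;

	/* The initial allocation must hold the request whatever the hint says. */
	size = size_hint > packed_len ? size_hint : packed_len;
	if ((buf = malloc(size)) == NULL)
		return (ENOMEM);

	*attempts = 0;
	for (;;) {
		memcpy(buf, packed, packed_len);	/* source is still live */
		req.data = buf;
		req.size = size;
		(*attempts)++;
		if (fake_kernel_ioctl(&req) == 0)
			break;
		if (errno != ENOSPC) {
			free(buf);
			return (errno);	/* errno, not -1, so callers can report it */
		}
		size *= 2;
		if ((nbuf = realloc(buf, size)) == NULL) {
			free(buf);
			return (ENOMEM);
		}
		buf = nbuf;
	}
	*reply = buf;
	*reply_len = req.size;
	return (0);
}

/* Run one request with the given size hint. Returns the number of ioctl
 * attempts on success (reply verified against fake_reply), -EIO if the
 * reply is wrong, or -errno if the request failed. */
int
example_roundtrip(size_t size_hint)
{
	const char packed[] = "constructed-request";	/* constructed input */
	void *reply;
	size_t len;
	int attempts, error;

	error = example_do_ioctl(packed, sizeof(packed), size_hint,
	    &reply, &len, &attempts);
	if (error != 0)
		return (-error);
	if (len != sizeof(fake_reply) || memcmp(reply, fake_reply, len) != 0)
		attempts = -EIO;
	free(reply);
	return (attempts);
}

int
main(void)
{
	printf("hint 8:   %d attempt(s)\n", example_roundtrip(8));
	printf("hint 200: %d attempt(s)\n", example_roundtrip(200));
	return (0);
}
```

With a 20-byte request and an 8-byte hint the buffer starts at 20 bytes, is rejected twice (20, then 40 bytes) and succeeds at 80 bytes, so three attempts are made; a generous hint succeeds on the first try. The point of the design is that `packed` is a single allocation owned by the caller for the whole loop, so there is nothing to free between attempts and nothing to copy from after a free.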
4823489a | 04-Apr-2022 | Reid Linnemann <[email protected]>
libpfctl: relocate implementations of pfr_add/get/set_addrs

Reviewed by: kp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D34740

c4a08ef2 | 01-Apr-2022 | Mateusz Guzik <[email protected]>
pf: handle duplicate rules gracefully

Reviewed by: kp
Reported by: dch
PR: 262971
Sponsored by: Rubicon Communications, LLC ("Netgate")