path: root/sbin/pfctl
Commit log (each entry: commit message, then author, date, files changed, lines -removed/+added)
* change route-to so it sends packets to IPs instead of interfaces. (dlg, 2021-02-01, 2 files, -197/+53)
  this is a significant (and breaking) reworking of the policy based routing that pf can do. the intention is to make it as easy as nat/rdr to use, and more robust when it's operating.

  the main reasons for this change are:

  - route-to, reply-to, and dup-to do not work with pfsync
    this is because the information about where to route-to is stored in rules, and it is hard to have a ruleset synced between firewalls, and impossible to have them synced 100% of the time.

  - i can make my boxes panic in certain situations using route-to
    yeah...

  - the configuration and syntax for route-to rules are confusing.
    the argument to route-to and co is an interface name with an optional ip address. there are several problems with this. one is that people tend to think about routing as sending packets to peers by their address, not by the interface they're reachable on. another is that we currently have no way to synchronise interface topology information between firewalls, so using an interface to say where packets go means we can't do failover of these states with pfsync. another is that a change in routing topology means a host may become reachable over a different interface. tying routing policy to interfaces gets in the way of failover and load balancing.

  this change does the following:

  - stores the route info in the state instead of the pf rule
    this allows route-to to keep working when the ruleset changes, and allows route-to info to be sent over pfsync. there's enough spare bits in pfsync messages that the protocol doesn't break. the caveat is that route-to becomes tied to pass rules that create state, like rdr-to and nat-to.

  - the argument to route-to etc is a destination ip address
    it's not limited to a next-hop address (though a next-hop can be a destination address). this allows for the failover and load balancing referred to above.

  - deprecates the address@interface host syntax in pfctl
    because routing is done entirely by IPs, the interface is derived from the route lookup, not pf. any attempt to use the @interface syntax will fail now in all contexts.

  there's enthusiasm from proctor@ jmatthew@ and others
  ok sashan@ bluhm@
* Sometimes a user ID was logged in pflog(4) although the logopt of the rule did not specify it. (bluhm, 2021-01-12, 2 files, -5/+4)
  Check the option again for the log rule in case another rule has triggered a socket lookup. Remove logopt group, it is not documented and cannot work as struct pfloghdr does not contain a gid. Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER to express what it does. The lookup involved is only an implementation detail.
  OK kn@ sashan@ mvs@
* getifaddrs() can return entries where ifa_addr is NULL. Check for this before accessing anything in ifa_addr. (benno, 2020-12-29, 1 file, -2/+3)
  ok claudio@
* Fail to parse rules with invalid ranges (kn, 2020-12-16, 1 file, -3/+33)
  This makes pfctl(8) detect bogus ranges (with and without `-n') before loading the ruleset and completes the previous commit.
  OK sashan sthen
* Reject rules with invalid port ranges (kn, 2020-12-16, 1 file, -2/+4)
  Ranges where the left boundary is bigger than the right one are always bogus as they work like `port any' (`port 34<>12' means "all ports") or in a way that inverts the rule's action (`pass ... port 34:12' means "pass no port at all").
  Add checks for all ranges and invalidate those that yield no or all ports.
  For this to work on redirections, make pfctl(8) pass the range's type, otherwise boundary including ranges are not detected as such; that is to say, `struct pf_pool's `port_op' member was unused in the kernel so far.
  `rdr-to' rules with invalid ranges could panic the kernel when hit.
  Reported-by: syzbot+9c309db201f06e39a8ba@syzkaller.appspotmail.com
  OK sashan
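The two commits above ("Reject rules with invalid port ranges" and "Fail to parse rules with invalid ranges") turn on the observation that `port 34<>12` selects every port while `port 34:12` selects none. The C program below is an added illustration, not pfctl or pf(4) source: it emulates the three range operators as pf.conf(5) defines them (`a:b` inclusive, `a><b` exclusive, `a<>b` everything outside the inclusive range), counts how many of the 65536 ports a range selects, and reports a range as bogus when that count is zero or 65536. The struct and function names, the numeric-only boundary parser, the constructed sample specs and the brute-force scan over all ports are this example's own; the project's check works from the boundaries directly rather than by scanning.

```c
/*
 * Added example: emulate pf's port-range operators and flag ranges that
 * select no port or every port. Not pf(4) or pfctl(8) code; names and the
 * scan-all-ports approach are this example's own.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum range_op { OP_RRG, OP_IRG, OP_XRG };   /* a:b, a><b, a<>b */

struct port_range {
	enum range_op op;
	uint16_t a, b;
};

/* Does port p match the range? Follows the operator meanings in pf.conf(5). */
int
port_matches(const struct port_range *r, uint16_t p)
{
	switch (r->op) {
	case OP_RRG: return r->a <= p && p <= r->b;   /* a:b  inclusive   */
	case OP_IRG: return r->a < p && p < r->b;     /* a><b exclusive   */
	case OP_XRG: return p < r->a || p > r->b;     /* a<>b outside a:b */
	}
	return 0;
}

/* Count how many of the 65536 possible ports the range selects. */
unsigned
ports_selected(const struct port_range *r)
{
	unsigned n = 0;
	for (unsigned p = 0; p <= 65535; p++)
		n += port_matches(r, (uint16_t)p) != 0;
	return n;
}

/*
 * Verdict on a range: 0 valid, -1 selects no port (the rule can never
 * fire), 1 selects every port (it degenerates into "port any").
 */
int
range_verdict(const struct port_range *r)
{
	unsigned n = ports_selected(r);
	if (n == 0) return -1;
	if (n == 65536) return 1;
	return 0;
}

/* Parse "a:b", "a><b" or "a<>b" with numeric boundaries; 0 on success. */
int
parse_range(const char *s, struct port_range *out)
{
	unsigned a, b;
	if (sscanf(s, "%u><%u", &a, &b) == 2) out->op = OP_IRG;
	else if (sscanf(s, "%u<>%u", &a, &b) == 2) out->op = OP_XRG;
	else if (sscanf(s, "%u:%u", &a, &b) == 2) out->op = OP_RRG;
	else return -1;
	if (a > 65535 || b > 65535) return -1;
	out->a = (uint16_t)a;
	out->b = (uint16_t)b;
	return 0;
}

/* Parse and judge in one step; -2 means the spec did not parse. */
int
verdict_of(const char *spec)
{
	struct port_range r;
	if (parse_range(spec, &r) != 0) return -2;
	return range_verdict(&r);
}

/* Parse and count in one step; -1 means the spec did not parse. */
long
selected_of(const char *spec)
{
	struct port_range r;
	if (parse_range(spec, &r) != 0) return -1;
	return (long)ports_selected(&r);
}

int
main(void)
{
	/* Constructed sample specs, including the two quoted in the commit message. */
	const char *specs[] = { "34<>12", "34:12", "34><12", "12:34", "12><34", "12<>34", "1><2" };
	size_t i;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
		long n = selected_of(specs[i]);
		int v = verdict_of(specs[i]);
		printf("port %-7s selects %5ld port(s): %s\n", specs[i], n,
		    v == 0 ? "ok" :
		    v == 1 ? "bogus (all ports, behaves like 'port any')" :
		    "bogus (no ports, rule can never match)");
	}
	return 0;
}
```

The scan makes the two cases from the commit message concrete: `34<>12` is "below 34 or above 12", which every port satisfies, and `34:12` is "at least 34 and at most 12", which none does. The `1><2` case shows that an exclusive range also collapses to nothing when the boundaries are adjacent. As the second commit notes, pfctl(8) now rejects such ranges at parse time, so `pfctl -nf pf.conf` catches them before anything reaches the kernel.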
* synproxy should be processing incoming SYN packets only. (sashan, 2020-12-07, 1 file, -1/+7)
  issue noticed by sthen@. fix discussed with bluhm@ and procter@
  OK bluhm@, kn@, procter@
* Accommodate a basename(3) that takes a non-const parameter and may in fact modify the string buffer. (naddy, 2020-10-14, 1 file, -3/+6)
  ok kn@ sashan@
* rdomain IDs do not need to exist for "on rdomain N" to work (kn, 2020-10-01, 1 file, -9/+3)
  Unlike "... rtable N", pf.conf(5)'s "on rdomain N" does not alter packet state and will always work no matter if rdomain N currently exists or not, i.e. the rule "pass on rdomain 42" will simply match (and pass) packets if rdomain 42 exists, and it will simply not match (neither pass nor block) packets if 42 does not exist.
  There's no need to reload the ruleset whenever routing domains are created or deleted, which can already be observed now by creating an rdomain, loading rules referencing it and deleting the same rdomain immediately afterwards: pf will continue to work as expected.
  Relax both pfctl(8)'s parser check as well as pf(4)'s copyin routine to accept any valid routing domain ID without expecting it to exist at the time of ruleset creation - this lifts the requirement to create rdomains before referencing them in pf.conf while keeping pf behaviour unchanged.
  Prompted by yasuoka's recent pfctl parse.y r1.702 commit requiring an rtable to exist upon ruleset creation.
  Discussed with claudio and bluhm at k2k20.
  Feedback sashan
  OK sashan yasuoka claudio
* Fix the previous commit whose conditions were reversed. (yasuoka, 2020-09-17, 1 file, -3/+3)
  ok kn
* Make pfctl(8) check if the rtable really exists when parsing the config. (yasuoka, 2020-09-17, 1 file, -12/+19)
  work with and diff from kn
  ok kn
* rename PF_OPT_TABLE_PREFIX to PF_OPTIMIZER_TABLE_PFX and move it to pfvar.h (henning, 2020-07-21, 2 files, -6/+5)
  OPT is misleading and usually refers to command line arguments to pfctl
  ok sashan kn
* Mention hostid and checksum (kn, 2020-07-20, 1 file, -3/+6)
  Complete the description of "-s info -v" such that grepping for them in the manual pager yields something.
  Feedback jmc
  OK sashan
* pf(4): use CLOCK_BOOTTIME to get time_uptime(9) in userspace (cheloha, 2020-05-15, 1 file, -2/+2)
  In pf(4), the pf_status.since timestamp is set with time_uptime(9). This is a low-res snapshot of nanouptime(9). nanouptime(9) is used to implement CLOCK_BOOTTIME for clock_gettime(2). It is not used to implement CLOCK_UPTIME, though. The names are misleading.
  Switch to CLOCK_BOOTTIME in places in userspace where we use pf_status.since so we are working with the right clock.
  Technically CLOCK_MONOTONIC is equivalent, but we shouldn't use that here. CLOCK_MONOTONIC is not necessarily the "time since boot": the standard says its absolute value is meaningless.
  ok patrick@ bluhm@
* sbin/pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT (bket, 2020-01-28, 2 files, -24/+8)
  OK kn@, sashan@, florian@
* Fail on missing anchor (kn, 2020-01-16, 1 file, -15/+5)
  There is no reason to continue on anchor specific paths if the given anchor does not exist.
  OK sashan
* Do the actual pfr_strerror() to pf_strerror() rename (kn, 2020-01-15, 5 files, -17/+17)
  Missed in previous
* Unify error message for nonexisting anchors (kn, 2020-01-15, 3 files, -22/+23)
  pf(4) returns EINVAL for DIOCGETRULE, DIOCGETRULES and DIOCGETRULESET if the specified anchor does not exist.
  Extend and rename {pfr -> pf}_strerror() to make the error message more consistent.
  There are other occasions as well but those need additional tweaks; that's stuff for another diff.
  OK and rename from sashan
* Refine error message (kn, 2020-01-15, 1 file, -2/+2)
  While code in pf/pfctl confusingly uses either anchor or ruleset depending on the context, pfctl(8) (both manual and user interface) should be consistent.
  For users there are basically anchors only, so do not imply any difference between the two terminologies.
  OK sashan
* Merge radix_perror() into simpler warnx()/errx() usage (kn, 2020-01-15, 1 file, -22/+12)
  Less nesting for clearer code.
  OK sashan
* Further document recursive flush behaviour (kn, 2020-01-15, 1 file, -1/+14)
  OK sashan
* Print the main ruleset/anchor as "/" not "<root>" for consistency (kn, 2020-01-15, 1 file, -2/+2)
  OK sashan
* Recent change to pfctl(8) prompts for a minor update of manpage. (sashan, 2020-01-15, 1 file, -2/+9)
  OK kn@
* Enable pfctl(8) to recursively flush rules and tables from PF driver. (sashan, 2020-01-15, 5 files, -63/+285)
  The recursive operation ("pfctl -a '*' ...") works for '-s' option already. This change enables the same thing for '-F' option, so "pfctl -a '*' -Fa" will flush everything from PF driver.
  The idea was discussed with many on tech@ in spring 2019.
  OK kn@
* Avoid optimizing empty rulesets (kn, 2019-12-12, 1 file, -2/+5)
  All optimizations work on actual rules; if there are none, return early.
  While here, tell which ruleset/anchor is being optimized to make the debug message actually useful.
  OK mikeb
* Fix function name in error message (zap trailing s) (kn, 2019-11-27, 1 file, -2/+2)
* Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX. (millert, 2019-10-17, 2 files, -17/+15)
  This is the userland portion.
  OK deraadt@ sashan@
* Fix file descriptor leak due to popfile() never closing the main config file. (tobhe, 2019-08-26, 1 file, -14/+15)
  The fix is the same as for other parse.y files in the tree (see bgpd(8) or unwind(8))
  ok bluhm@
* pfctl_reset() must set syncookies settings back to default (sashan, 2019-08-15, 1 file, -1/+2)
  (bug found and fix tested by Jesper Wallin)
  OK deraadt OK kn
* Add parentheses for readability (kn, 2019-07-09, 1 file, -2/+2)
  Prompted by and OK deraadt
* Fix integer sizes in format strings and enable formatting warnings for yyerror. (patrick, 2019-07-05, 1 file, -20/+22)
  From Moritz Buhl
  ok bluhm@ claudio@
* When system calls indicate an error they return -1, not some arbitrary value < 0. (deraadt, 2019-06-28, 6 files, -73/+73)
  errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
* pfctl should check pfctl.astack is not overrun (sashan, 2019-05-08, 1 file, -1/+3)
  (bug found and fixed by Petr Hoffmann _at_ oracle.com)
  OK kn@
* update to PF pfctl(8) and pf.conf(5) manpages (sashan, 2019-05-08, 1 file, -3/+6)
  great input by Ingo, Jason and Klemens
  OK schwarze@, OK kn@, OK jmc@
* Always check for namespace collisions on table commands (kn, 2019-04-18, 1 file, -3/+3)
  `-t table -T add|replace ...' would only check for duplicate tables in case addresses were actually added to the table.
  Instead of using a positive number of added addresses as proof of successful table operations, rely on the fact that CREATE_TABLE() is guaranteed to be called only if pf(4) can be accessed, that is warn_duplicate_tables() will return.
  This improves duplicate detection rate as warnings are now also emitted even when table commands eventually leave tables unchanged.
  OK benno sashan
* Fix table definition parsing as unprivileged user (kn, 2019-04-18, 1 file, -2/+7)
  revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking the parser on tables with insufficient permissions to open pf(4):

    $ echo 'table <t>' | pfctl -nf-
    pfctl: pfr_get_tables: Bad file descriptor

  So simply check whether pfctl is able to get the table list first. If not, instead of silently avoiding namespace collision checks, print a brief notice iff `-v' is given to help finding duplicate definitions by hand:

    $ echo 'table <t>' | ./obj/pfctl -vnf-
    table <t>
    stdin:1: skipping duplicate table checks for <t>

  Reported by Rivo Nurges, thanks!
  OK benno sashan
* introduce 'pfctl -FR' to reset settings to defaults (sashan, 2019-04-15, 2 files, -5/+50)
  (discussed with many at tech@)
  OK deraadt@, kn@, sthen@, tedu@
* Fail on invalid netmasks when filling tables (kn, 2019-03-30, 1 file, -2/+2)
  Fix a regression of revision 1.326 "Zap v4mask and v6mask in host()" which allowed CIDR networks with more than one "/" to be loaded into tables.
  I took care of this code path with regard to rules coming from the ruleset parser, which aborts earlier on such invalid specifications, but missed `-T add 1/2/3' and the like.
  Analyzed and fixed by Petr Hoffmann <petr dot hoffmann at oracle dot com>, thanks!
  OK deraadt
* Remove pfctl_*_pool() remnants (kn, 2019-03-07, 2 files, -10/+2)
  Left behind in pfctl_parser.h revision 1.91 "First pass at removing the 'pf_pool' mechanism [...]"
  These functions don't exist anymore, no object change.
  OK procter
* Fix once rules (kn, 2019-03-06, 3 files, -44/+45)
  parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and `anchor "a" once'.
  Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the parser already such that they can be used to distinguish anchor rules in the same check as well.
  Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!
  While here, remove an unneeded cast and make pfctl_add_rule() void as it always returned 0.
  OK sashan
* Change ps_len of struct pfioc_states and psn_len of struct pfioc_src_nodes to size_t. (bluhm, 2019-02-18, 1 file, -7/+5)
  This avoids integer truncation by casts to unsigned. As the types of DIOCGETSTATES and DIOCGETSRCNODES ioctl(2) arguments change, pfctl(8) and systat(1) should be updated together with the kernel. Calculate number of pf(4) states as size_t in userland.
  OK sashan@ deraadt@
* (unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... (deraadt, 2019-02-13, 1 file, -3/+3)
  Almost any cast to (unsigned) is a bug.
  ok millert tb benno
* Anchor names must not be empty (kn, 2019-02-10, 2 files, -2/+9)
  The parser would allow bogus input and sometimes even produce invalid rules on empty anchor names, so error out immediately.
  OK sashan
* Unify anchor name sanity checks (kn, 2019-02-10, 1 file, -15/+20)
  For anchor names, make `load anchor' use the same grammar as `anchor' and merge unique checks from both places so that anchor names are validated regardless of the specific rule at hand.
  OK sashan
* Show the routing address selected by "route-to" in "pfctl -s states". (yasuoka, 2019-02-02, 1 file, -1/+11)
  ok sthen
* Make divert-packet port accept any port specification (kn, 2019-01-31, 1 file, -5/+6)
  Contrary to other rules accepting a single port, this one only works with numerical values. Fix it by simply using the proper grammar.
  Port ranges are not accepted, but an error message on a range without start was missing in general, so add it while here.
  OK bluhm
* Reuse copy_satopfaddr() when killing entries (kn, 2019-01-29, 3 files, -58/+15)
  Recently introduced in pfctl_parser.c r1.333, this helper nicely simplifies code when copying IPs based on their address family, so use it in five other places when killing state or source node entries.
  All addresses copied in these code paths result from either pfctl_parse_host() or pfctl_addrprefix() which guarantee the address family set to AF_INET or AF_INET6. Therefore, effectively relaxing the case of unhandled families from errx(3) in callers to warnx(3) in copy_satopfaddr() is safe since it's never reached.
  OK sashan
* Make -N and -r mutually exclusive (kn, 2019-01-29, 2 files, -3/+10)
  Either disable DNS or enable additional reverse lookups, but not both.
  OK benno
* Simplify lookups when killing entries (kn, 2019-01-28, 1 file, -47/+32)
  Killing source tracking or state entries by hostname or CIDR would pass given keys twice to getaddrinfo(3): once to resolve/parse and again to parse the numerical address in case a prefix was specified.
  Avoid this overhead by making pfctl_addrprefix() resolve, pass and mask in one go and return the list of IPs to the callers. This notably simplifies both logic and sanity checks around prefix length and address family.
  While here, also pass -N along such that -k and -K can be restricted to not use DNS.
  Discussed with procter sashan, OK sashan
* Mention that -r does reverse DNS lookups for tables as well (kn, 2019-01-26, 1 file, -3/+3)
  OK benno
* Use mnemonic PFCTL_SHOW_* macros, terminate string with null character (kn, 2019-01-19, 1 file, -8/+7)
  Tweak spacing while here, no object change.
  Feedback and OK procter, OK cheloha