| #
281282e9
|
| 13-Feb-2026 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCRTSTADDRS to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
8716d8c7
|
| 12-Jan-2026 |
Kristof Provost <kp@FreeBSD.org> |
pf: configurable action on limiter exceeded
This change extends pf(4) limiters so the administrator can specify the action the rule executes when the limit is reached. By default, when the limit is reached, the limiter overrides the action specified by the rule to no-match. If the administrator wants to block the packet instead, the rule with the limiter should be changed to:

	pass in from any to any state limiter test (block)
OK dlg@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 04394254d9
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
c72fb110
|
| 06-Jan-2026 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert state limiter interface to netlink
This is a new feature with new ioctl calls, so we can safely remove them right now.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
46164812
|
| 30-Dec-2025 |
Kristof Provost <kp@FreeBSD.org> |
pf: introduce source and state limiters
both source and state limiters can provide constraints on the number of states that a set of rules can create, and optionally the rate at which they are created. state limiters have a single limit, but source limiters apply limits against a source address (or network). the source address entries are dynamically created and destroyed, and are also limited.
this started out because i was struggling to understand the source and state tracking options in pf.conf, and looking at the code made it worse. it looked like some functionality was missing, and the code also did some things that surprised me. taking a step back from it, even if it did work, what is described doesn't work well outside very simple environments.
the functionality i'm talking about is most of the stuff in the Stateful Tracking Options section of pf.conf(4).
some of the problems are illustrated by one of the simplest options: the "max number" option that limits the number of states that a rule is allowed to create:
- wiring limits up to rules is a problem because when you load a new ruleset the limit is reset, allowing more states to be created than you intended.
- a single "rule" in pf.conf can expand to multiple rules in the kernel thanks to things like macro expansion for multiple ports. "max 1000" on a line in pf.conf could end up being many times that in effect.
- when a state limit on a rule is reached, the packet is dropped. this makes it difficult to do other things with the packet, such as redirect it to a tarpit or another server that replies with an outage notice or such.
a state limiter solves these problems. the example from the pf.conf.5 change demonstrates this:
An example use case for a state limiter is to restrict the number of connections allowed to a service that is accessible via multiple protocols, e.g. a DNS server that can be accessed by both TCP and UDP on port 53, DNS-over-TLS on TCP port 853, and DNS-over-HTTPS on TCP port 443 can be limited to 1000 concurrent connections:
	state limiter "dns-server" id 1 limit 1000

	pass in proto { tcp udp } to port domain state limiter "dns-server"
	pass in proto tcp to port { 853 443 } state limiter "dns-server"
a single limit across all these protocols can't be implemented with per rule state limits, and any limits that were applied are reset if the ruleset is reloaded.
the existing source-track implementation appears to be incomplete, i could only see code for "source-track global", but not "source-track rule". source-track global is too heavy and unwieldy a hammer, and source-track rule would suffer the same issues around rule lifetimes and expansions that the "max number" state tracking config above has.
a slightly expanded example from the pf.conf.5 change for source limiters:
An example use for a source limiter is the mitigation of denial of service caused by the exhaustion of firewall resources by network or port scans from outside the network. The states created by any one scanner from any one source address can be limited to avoid impacting other sources. Below, up to 10000 IPv4 hosts and IPv6 /64 networks from the external network are each limited to a maximum of 1000 connections, and are rate limited to creating 100 states over a 10 second interval:
	source limiter "internet" id 1 entries 10000 \
	    limit 1000 rate 100/10 \
	    inet6 mask 64

	block in on egress
	pass in quick on egress source limiter "internet"
	pass in on egress proto tcp probability 20% rdr-to $tarpit
the extra bit is if the source limiter doesn't have "space" for the state, the rule doesn't match and you can fall through to tarpitting 20% of the tcp connections for fun.
i've been using this in anger in production for over 3 years now.
sashan@ has been poking me along (slowly) to get it in a good enough shape for the tree for a long time. it's been one of those years.
bluhm@ says this doesn't break the regress tests. ok sashan@
Obtained from: OpenBSD, dlg <dlg@openbsd.org>, 8463cae72e
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
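Worked model of the limiter semantics described in the two limiter commits above ("introduce source and state limiters" and "configurable action on limiter exceeded"), added here as an illustration for this page; it is not pf(4) or pfctl code. The class names, the fixed-window rate model, the rule that a full entry table makes the referencing rule not match, the destruction of a source entry with its last state, and the `evaluate` walk over the three-rule example ruleset are all assumptions made for the example; the page does not describe the real rate algorithm. Limiter objects live outside any rule, which is the design point the commit makes: reloading the ruleset does not reset them.

```python
"""Model of pf(4) state and source limiter semantics (illustration for this page,
not pf's implementation). Assumed: fixed-window rate model, a full 'entries' table
makes the rule not match, an entry is destroyed with its last state."""
import ipaddress

# Verdicts a limiter hands back to the rule that references it.
PASS = "pass"
NOMATCH = "nomatch"   # default: the rule is treated as not matching
BLOCK = "block"       # 'state limiter "x" (block)' form: the rule blocks instead


class RateWindow:
    """'rate N/T': at most N state creations per T-second window (fixed-window model)."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.window_start, self.used = None, 0

    def allow(self, now):
        if self.window_start is None or now - self.window_start >= self.seconds:
            self.window_start, self.used = now, 0
        if self.used >= self.count:
            return False
        self.used += 1
        return True


class StateLimiter:
    """'state limiter "name" id N limit L [rate N/T]': one counter shared by every
    rule that names it, whatever protocol or port those rules match."""

    def __init__(self, name, limit, rate=None, action=NOMATCH):
        self.name, self.limit, self.action = name, limit, action
        self.rate = RateWindow(*rate) if rate else None
        self.states = 0

    def create(self, now=0.0):
        if self.states >= self.limit or (self.rate and not self.rate.allow(now)):
            return self.action
        self.states += 1
        return PASS

    def remove(self):
        self.states -= 1


class SourceLimiter:
    """'source limiter "name" entries E limit L [rate N/T] [inet mask M] [inet6 mask M]':
    the same limits kept per source host or network. Entries are created on first
    use, capped at E, and (assumed here) destroyed when their last state goes away."""

    def __init__(self, name, entries, limit, rate=None, inet_mask=32,
                 inet6_mask=128, action=NOMATCH):
        self.name, self.entries, self.limit = name, entries, limit
        self.rate, self.action = rate, action
        self.masks = {4: inet_mask, 6: inet6_mask}
        self.table = {}   # network key -> {"states": int, "rate": RateWindow or None}

    def key(self, src):
        """Map a source address to its entry: an IPv4 host, or an IPv6 /64 with 'inet6 mask 64'."""
        addr = ipaddress.ip_address(src)
        return str(ipaddress.ip_network(f"{addr}/{self.masks[addr.version]}", strict=False))

    def create(self, src, now=0.0):
        k = self.key(src)
        entry = self.table.get(k)
        if entry is None:
            if len(self.table) >= self.entries:
                return self.action   # entry table full: the entries themselves are limited
            entry = {"states": 0, "rate": RateWindow(*self.rate) if self.rate else None}
            self.table[k] = entry
        if entry["states"] >= self.limit or (entry["rate"] and not entry["rate"].allow(now)):
            return self.action
        entry["states"] += 1
        return PASS

    def remove(self, src):
        k = self.key(src)
        self.table[k]["states"] -= 1
        if self.table[k]["states"] == 0:
            del self.table[k]


def evaluate(limiter, src, proto, now=0.0):
    """Walk the three-rule ruleset from the source limiter example (last match wins,
    'quick' stops evaluation). The 20% probability on the tarpit rule is left out,
    so every TCP packet that falls through is redirected."""
    verdict = BLOCK                      # block in on egress
    r = limiter.create(src, now)         # pass in quick on egress source limiter "internet"
    if r != NOMATCH:
        return r                         # quick: PASS, or BLOCK with the "(block)" action
    if proto == "tcp":                   # pass in on egress proto tcp probability 20% rdr-to $tarpit
        verdict = "rdr-to tarpit"
    return verdict
```

With the default no-match action the limited rule simply drops out and the packet reaches the tarpit redirect; with the `(block)` action the quick rule itself blocks, so nothing falls through. That difference is the whole reason the second commit exists.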
| #
c2e7a523
|
| 29-Dec-2025 |
Kristof Provost <kp@FreeBSD.org> |
pf: move DIOCRCLRASTATS into libpfctl
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
823ebd7c
|
| 21-Dec-2025 |
Kristof Provost <kp@FreeBSD.org> |
libpfctl: export a get states variant that takes a pfctl_handle
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
4aa79010
|
| 02-Dec-2025 |
Kristof Provost <kp@FreeBSD.org> |
pfctl: move astats query into libpfctl
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
f27e44e2
|
| 04-Nov-2025 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCRGETADDRS to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
08ed87a4
|
| 31-Oct-2025 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCRSETADDRS to netlink
The list of addresses is potentially very large. Larger than we can fit in a single netlink request, so we indicate via the PFR_FLAG_START/PFR_FLAG_DONE flags when we start and finish, so the kernel can work out which addresses need to be removed.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
b9d652bb
|
| 27-Aug-2025 |
Kristof Provost <kp@FreeBSD.org> |
pf: print 'once' rule expire time
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 8cf23eed7f
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
c00aca9a
|
| 21-Aug-2025 |
Kristof Provost <kp@FreeBSD.org> |
pf: Show pf fragment reassembly counters.
Fragment count and statistics are stored in struct pf_status. From there pfctl(8) and systat(1) collect and show them. Note that pfctl -s info needs the -v switch to show fragments.
input claudio@; OK henning@
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 19e99d0613
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
932ec59d
|
| 12-Aug-2025 |
Kristof Provost <kp@FreeBSD.org> |
pf: fix ICMP type/code representation
internal representation of icmp type/code in pfctl(8)/pf(4) does not fit into u_int8_t. Issue has been noticed and kindly reported by amalinin _at_ bh0.amt.ru via bugs@.
OK bluhm@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 1fdb608f55
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
bad279e1
|
| 01-Aug-2025 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCRDELADDRS to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
8b388995
|
| 14-Jul-2025 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCRADDADDRS to netlink
Add up to 64 addresses at once. We are limited by the netlink socket buffer, so we can only add a limited number at once.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
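Worked model of the chunked address transfer described in the DIOCRSETADDRS commit ("Larger than we can fit in a single netlink request, so we indicate via the PFR_FLAG_START/PFR_FLAG_DONE flags when we start and finish") and the 64-addresses-per-message limit from the DIOCRADDADDRS commit above. This is illustration code added for this page, not libpfctl or pf(4) code: the chunk size and the flag names come from the commit messages, while the flag values, the dictionary message layout, the function names and the rule that a fresh START abandons an unfinished transfer are assumptions. The point a practitioner should take away is the failure mode: a replacement whose DONE never arrives must leave the old table untouched, which is what the kernel-side model below enforces.

```python
"""Model of the START/DONE chunked replace for pf table addresses (illustration for
this page, not libpfctl/pf code). Assumed: flag values, message layout, and that a
new START discards any unfinished transfer for the same table."""

MAX_ADDRS_PER_MSG = 64   # bounded by the netlink socket buffer, per the DIOCRADDADDRS commit
PFR_FLAG_START = 0x01    # assumed values; only their meaning matters here
PFR_FLAG_DONE = 0x02


def chunk(addrs):
    """Split an address list into netlink-sized pieces; an empty list still yields one
    (empty) message so that START|DONE can clear a table."""
    parts = [list(addrs[i:i + MAX_ADDRS_PER_MSG]) for i in range(0, len(addrs), MAX_ADDRS_PER_MSG)]
    return parts or [[]]


def set_addrs_messages(table, addrs):
    """Userland side of 'replace the whole table': START on the first message, DONE on
    the last. A set that fits in one message carries both flags."""
    parts = chunk(list(addrs))
    msgs = []
    for i, part in enumerate(parts):
        flags = (PFR_FLAG_START if i == 0 else 0) | (PFR_FLAG_DONE if i == len(parts) - 1 else 0)
        msgs.append({"table": table, "flags": flags, "addrs": part})
    return msgs


def add_addrs_messages(table, addrs):
    """Userland side of 'add these addresses': purely additive, so no framing flags."""
    return [{"table": table, "flags": 0, "addrs": part} for part in chunk(list(addrs)) if part]


class TableStore:
    """Kernel side. A replacement is applied only when DONE arrives; until then the
    addresses seen so far are just collected, so a transfer that stops halfway
    changes nothing and the old contents stay in force."""

    def __init__(self):
        self.tables = {}    # table name -> set of addresses
        self.pending = {}   # table name -> addresses seen in the open replacement

    def handle_set(self, msg):
        """Returns (added, removed) as sorted lists on DONE, None while the transfer is open."""
        t, flags = msg["table"], msg["flags"]
        if flags & PFR_FLAG_START:
            self.pending[t] = set()         # a fresh START discards any unfinished transfer
        if t not in self.pending:
            raise ValueError(f"{t}: SETADDRS chunk without a preceding START")
        self.pending[t].update(msg["addrs"])
        if not flags & PFR_FLAG_DONE:
            return None
        new = self.pending.pop(t)
        old = self.tables.get(t, set())
        self.tables[t] = new                # only now is 'what to remove' known: old - new
        return sorted(new - old), sorted(old - new)

    def handle_add(self, msg):
        """Returns how many of the addresses were actually new to the table."""
        t = msg["table"]
        before = len(self.tables.setdefault(t, set()))
        self.tables[t].update(msg["addrs"])
        return len(self.tables[t]) - before
```

The removal set can only be computed at DONE, which is why the kernel has to buffer the whole transfer rather than applying chunks as they arrive; applying them eagerly would briefly expose a table missing entries that the final set still contains.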
| #
d2761422
|
| 31-Jul-2025 |
Kajetan Staszkiewicz <ks@FreeBSD.org> |
pf: Use different address family for source and redirection address
The function pf_map_addr() and source tracking operate on a single address family. This made sense before introducing address family translation. When combining af-to with route-to or with sticky-address, the next-hop or the NAT address are of different address family than the source address. For example in NAT64 scenario an IPv6 source address is translated to an IPv4 address and routed over IPv4 gateway.
Make source nodes dual-AF, that is have a separate source AF and redirection AF. Store route AF in struct pf_kstate, export it to pfctl. When loading rules with redirection pools with pfctl store address family of each address. When printing states don't deduce next-hop's address family from af-to, use the one stored in state.
Reviewed by: kp
Approved by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D51659
|
| #
41fd03c0
|
| 06-Jun-2025 |
Kristof Provost <kp@FreeBSD.org> |
pf: add 'max-pkt-size'
Allow pf to limit packets to a specified maximum size. This applies to all packets, and if reassembly is enabled, looks at the reassembled size, not the size of individual fragments.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
ff11f1c8
|
| 03-Jun-2025 |
Kristof Provost <kp@FreeBSD.org> |
pf: add a generic packet rate matching filter
allows things like

	pass in proto icmp max-pkt-rate 100/10

all packets matching the rule in the direction the state was created are taken into consideration (typically: requests, but not replies). Just like with the other max-*, the rule stops matching if the maximum is reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb
Obtained from: OpenBSD, henning <henning@openbsd.org>, 5a4ae9a9cb
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50798
|
| #
b543f426
|
| 06-May-2025 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCRCLRADDRS to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
b3a68a2e
|
| 22-Mar-2025 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCRCLRTSTATS to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
9e8d2962
|
| 06-Mar-2025 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCRGETTSTATS to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
07e070ef
|
| 07-Feb-2025 |
Kajetan Staszkiewicz <ks@FreeBSD.org> |
pf: Add support for multiple source node types
For every state pf creates up to two source nodes: a limiting one struct pf_kstate -> src_node and a NAT one struct pf_kstate -> nat_src_node. The limiting source node is tracking information needed for limits using max-src-states and max-src-nodes and the NAT source node is tracking NAT rules only.
On closer inspection some issues emerge:
- For route-to rules the redirection decision is stored in the limiting source node. Thus sticky-address and source limiting can't be used separately.
- Global source tracking, as promised in the man page, is totally absent from the code. Pfctl is capable of setting flags PFRULE_SRCTRACK (enable source tracking) and PFRULE_RULESRCTRACK (make source tracking per rule). The kernel code checks PFRULE_SRCTRACK but ignores PFRULE_RULESRCTRACK. That makes source tracking work per-rule only.
This patch is based on OpenBSD approach where source nodes have a type and each state has an array of source node pointers indexed by source node type instead of just two pointers. The conditions for limiting are applied only to source nodes of PF_SN_LIMIT type. For global limit tracking source nodes are attached to the default rule.
Reviewed by: kp
Approved by: kp (mentor)
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D39880
|
| #
71594e32
|
| 10-Feb-2025 |
Kristof Provost <kp@FreeBSD.org> |
pf: support "!received-on <interface>"
ok dlg benno
Obtained from: OpenBSD, henning <henning@openbsd.org>, 7d0482a910
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
0d2058ab
|
| 07-Feb-2025 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCRDELTABLES to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
84a80eae
|
| 07-Feb-2025 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCRADDTABLES to netlink
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
0972294e
|
| 20-Jan-2025 |
Kristof Provost <kp@FreeBSD.org> |
pf: add a dedicated pf pool for route options
As suggested by henning. Which unbreaks ie route-to after the recent pf changes.
With much help debugging and pointing out of missing bits from claudio@
ok claudio@ "looks good" henning@
Obtained from: OpenBSD, jsg <jsg@openbsd.org>, 7fa5c09028
Sponsored by: Rubicon Communications, LLC ("Netgate")
|