2e0e45a5 | 16-Jan-2026 | Kristof Provost <kp@FreeBSD.org>
pfctl(8): change default limiter action from no-match to block
pf(4) users who use limiters in current should update the rules accordingly to reflect the change in default behavior. The existing rule which reads as follows:
pass in from any to any state limiter test
needs to be changed to:
pass in from any to any state limiter test (no-match)
OK dlg@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, c600931321
Sponsored by: Rubicon Communications, LLC ("Netgate")
fc353e5e | 14-Jan-2026 | Kristof Provost <kp@FreeBSD.org>
pfctl: allow new page character (^L) in pf.conf
PF configuration files can contain many things.
Using the new page character (i.e. ^L, \014) to mark the beginning of parts is useful because many editors such as emacs and vim have facilities to jump to the next/previous one.
PR: 86635
MFC after: 2 weeks
Submitted by: MOROHOSHI Akihiko <moro@remus.dti.ne.jp>
Submitted by: Simon Wollwage <rootnode+freebsd@wollwage.com>
Sponsored by: Rubicon Communications, LLC ("Netgate")
8716d8c7 | 12-Jan-2026 | Kristof Provost <kp@FreeBSD.org>
pf: configurable action on limiter exceeded
This change extends pf(4) limiters so an administrator can specify the action the rule executes when the limit is reached. By default, when the limit is reached, the limiter overrides the action specified by the rule to no-match. If the administrator wants to block the packet instead, then the rule with the limiter should be changed to:
pass in from any to any state limiter test (block)
OK dlg@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 04394254d9
Sponsored by: Rubicon Communications, LLC ("Netgate")
46164812 | 30-Dec-2025 | Kristof Provost <kp@FreeBSD.org>
pf: introduce source and state limiters
both source and state limiters can provide constraints on the number of states that a set of rules can create, and optionally the rate at which they are created. state limiters have a single limit, but source limiters apply limits against a source address (or network). the source address entries are dynamically created and destroyed, and are also limited.
this started out because i was struggling to understand the source and state tracking options in pf.conf, and looking at the code made it worse. it looked like some functionality was missing, and the code also did some things that surprised me. taking a step back from it, even if it did work, what is described doesn't work well outside very simple environments.
the functionality i'm talking about is most of the stuff in the Stateful Tracking Options section of pf.conf(4).
some of the problems are illustrated by one of the simplest options: the "max number" option that limits the number of states that a rule is allowed to create:
- wiring limits up to rules is a problem because when you load a new ruleset the limit is reset, allowing more states to be created than you intended.
- a single "rule" in pf.conf can expand to multiple rules in the kernel thanks to things like macro expansion for multiple ports. "max 1000" on a line in pf.conf could end up being many times that in effect.
- when a state limit on a rule is reached, the packet is dropped. this makes it difficult to do other things with the packet, such as redirect it to a tarpit or another server that replies with outage notices or such.
a state limiter solves these problems. the example from the pf.conf.5 change demonstrates this:
An example use case for a state limiter is to restrict the number of connections allowed to a service that is accessible via multiple protocols, e.g. a DNS server that can be accessed by both TCP and UDP on port 53, DNS-over-TLS on TCP port 853, and DNS-over-HTTPS on TCP port 443 can be limited to 1000 concurrent connections:
state limiter "dns-server" id 1 limit 1000
pass in proto { tcp udp } to port domain state limiter "dns-server"
pass in proto tcp to port { 853 443 } state limiter "dns-server"
a single limit across all these protocols can't be implemented with per rule state limits, and any limits that were applied are reset if the ruleset is reloaded.
the existing source-track implementation appears to be incomplete, i could only see code for "source-track global", but not "source-track rule". source-track global is too heavy and unwieldy a hammer, and source-track rule would suffer the same issues around rule lifetimes and expansions that the "max number" state tracking config above has.
a slightly expanded example from the pf.conf.5 change for source limiters:
An example use for a source limiter is the mitigation of denial of service caused by the exhaustion of firewall resources by network or port scans from outside the network. The states created by any one scanner from any one source address can be limited to avoid impacting other sources. Below, up to 10000 IPv4 hosts and IPv6 /64 networks from the external network are each limited to a maximum of 1000 connections, and are rate limited to creating 100 states over a 10 second interval:
source limiter "internet" id 1 entries 10000 \
    limit 1000 rate 100/10 \
    inet6 mask 64

block in on egress
pass in quick on egress source limiter "internet"
pass in on egress proto tcp probability 20% rdr-to $tarpit
the extra bit is if the source limiter doesn't have "space" for the state, the rule doesn't match and you can fall through to tarpitting 20% of the tcp connections for fun.
i've been using this in anger in production for over 3 years now.
sashan@ has been poking me along (slowly) to get it in a good enough shape for the tree for a long time. it's been one of those years.
bluhm@ says this doesn't break the regress tests. ok sashan@
Obtained from: OpenBSD, dlg <dlg@openbsd.org>, 8463cae72e
Sponsored by: Rubicon Communications, LLC ("Netgate")
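As an added illustration, not part of this commit or of pf's own code, the Python model below shows the source limiter semantics described in the entry above (a bounded entries table, a per-source concurrent limit, and a rate over an interval) together with the no-match versus block action from the 12-Jan-2026 entry, evaluated against a ruleset modelled on the egress example. The accounting, the rule evaluation order, the labels and the source address 198.51.100.7 are assumptions; the 20% probability is left out.

```python
# Simplified model of pf(4) source limiters and the "exceeded" action (an added illustration, not pf code; accounting details are assumptions).
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SourceLimiter:
    entries: int        # max tracked source entries ("entries 10000")
    limit: int          # max concurrent states per source ("limit 1000")
    rate: int           # max new states per source per interval ("rate 100/10" -> 100)
    interval: float     # interval in seconds ("rate 100/10" -> 10)
    sources: dict = field(default_factory=dict)

    def admit(self, src: str, now: float) -> bool:
        """Account for one new state from `src` if it fits, else return False."""
        entry = self.sources.get(src)
        if entry is None:
            if len(self.sources) >= self.entries:
                return False                 # entries table is full
            entry = self.sources[src] = {"states": 0, "created": deque()}
        created = entry["created"]
        while created and created[0] <= now - self.interval:
            created.popleft()                # forget creations outside the window
        if entry["states"] >= self.limit or len(created) >= self.rate:
            return False
        entry["states"] += 1
        created.append(now)
        return True

@dataclass
class Rule:
    action: str         # "pass" or "block"
    label: str
    quick: bool = False
    limiter: Optional[SourceLimiter] = None
    exceeded: str = "block"   # "block" (the new default) or "no-match"

def evaluate(rules, src: str, now: float):
    """Last matching rule wins unless a matching rule is quick, as in pf.conf(5)."""
    decision = ("pass", "default")
    for rule in rules:
        action = rule.action
        if rule.limiter is not None and not rule.limiter.admit(src, now):
            if rule.exceeded == "no-match":
                continue                     # rule does not match; fall through
            action = "block"                 # limiter overrides the rule's action
        decision = (action, rule.label)
        if rule.quick:
            break
    return decision

def demo(exceeded: str):
    # Three states from one constructed source against limit 2 (egress example).
    internet = SourceLimiter(entries=10000, limit=2, rate=100, interval=10)
    rules = [
        Rule("block", "block in on egress"),
        Rule("pass", "pass quick limiter", True, internet, exceeded),
        Rule("pass", "pass in proto tcp rdr-to $tarpit"),
    ]
    return [evaluate(rules, "198.51.100.7", now=1.0) for _ in range(3)]
```

With no-match the third connection falls through to the tarpit rule, with block it is dropped by the limiter rule itself.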
4fecc8e3 | 30-Dec-2025 | Kristof Provost <kp@FreeBSD.org>
pfctl: remove duplicate "va" entry
It turns out we'd already added this a few years ago, so didn't need to add it again.
Fixes: 190c1f3d9326
Reported by: Seth Hoffert <seth.hoffert@gmail.com>
Sponsored by: Rubicon Communications, LLC ("Netgate")
190c1f3d | 29-Dec-2025 | Kristof Provost <kp@FreeBSD.org>
pfctl: allow network programs select DSCP_VA for network ToS
OK stsp@
Obtained from: OpenBSD, phessler <phessler@openbsd.org>, f8a2f73b65
Sponsored by: Rubicon Communications, LLC ("Netgate")
a31d4322 | 26-Oct-2025 | Gordon Bergling <gbe@FreeBSD.org>
pfctl(8): Fix a typo in an error message
- s/addresess/addresses/
MFC after: 1 week
ceff35a3 | 28-Aug-2025 | Kristof Provost <kp@FreeBSD.org>
pfctl: fix anchor handling for nat/rdr/binat anchors
After the refactoring in 'pfctl: fix once rules' we broke nat/rdr/binat rules. These no longer exist on OpenBSD, so were not considered in that patch. Factor out the common code and call it from all anchor types.
Sponsored by: Rubicon Communications, LLC ("Netgate")
2be46b52 | 27-Aug-2025 | Kristof Provost <kp@FreeBSD.org>
pfctl: fix once rules
parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and `anchor "a" once'.
Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the parser already such that they can be used to distinguish anchor rules in the same check as well.
Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!
While here, remove an unneeded cast and make pfctl_add_rule() void as it always returned 0.
OK sashan
Obtained from: OpenBSD, kn <kn@openbsd.org>, 6da84b37b3
Sponsored by: Rubicon Communications, LLC ("Netgate")
59f3838b | 27-Aug-2025 | Kristof Provost <kp@FreeBSD.org>
pfctl: reduce duplicate code
* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
OK sashan
Obtained from: OpenBSD, kn <kn@openbsd.org>, d114b77333
Sponsored by: Rubicon Communications, LLC ("Netgate")
d3b73a94 | 27-Aug-2025 | Kristof Provost <kp@FreeBSD.org>
pfctl: deny "once" flags for match rules
ok henning
Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, 47068a62ee
Sponsored by: Rubicon Communications, LLC ("Netgate")
88212167 | 27-Aug-2025 | Kristof Provost <kp@FreeBSD.org>
pfctl: One shot rules can be used in pf.conf by specifying a "once" filter option.
ok henning, mcbride
Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, 44b1b5a8a9
Sponsored by: Rubicon Communications, LLC ("Netgate")
9dfc5e03 | 22-Aug-2025 | Kristof Provost <kp@FreeBSD.org>
pfctl: allow tables to be defined inside anchors
This change allows a user to define a table inside an anchor like this:
anchor foo {
    table <bar> { 192.168.1.1 }
    pass in from <bar> to <self>
}
Without this diff one must either create table <bar> in the main ruleset (root) or use 'pfctl -a foo -t bar -T add 192.168.1.1'. This glitch is hard to notice. Not many human admins try to attach tables to non-global anchors. Daemons which configure pf(4) automatically at run time such as relayd(8) and spamd(8) create tables attached to their anchors (for example 'relayd/*'), but the daemons use a way similar to pfctl(8) to add and manage those tables.
The reason why I'd like to seal this gap is that my long term goal is to turn global `pfr_ktable` in pf(4) into member of pf_anchor. So each ruleset will get its own tree of tables.
feedback and OK bluhm@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 30269bc362
Sponsored by: Rubicon Communications, LLC ("Netgate")
66694675 | 19-Aug-2025 | Kristof Provost <kp@FreeBSD.org>
pfctl: Use pfctl_fopen
Use pfctl_fopen (which checks to ensure the given file isn't a directory) for pfctl -f /path/to/pf.conf. Otherwise, if you accidentally use a dir instead of a file (e.g. if you have an /etc/pf directory and don't notice the name when tab-completing), you successfully install an empty ruleset.
ok sashan@
Obtained from: OpenBSD, sthen <sthen@openbsd.org>, 2f48098846
Sponsored by: Rubicon Communications, LLC ("Netgate")
932ec59d | 12-Aug-2025 | Kristof Provost <kp@FreeBSD.org>
pf: fix ICMP type/code representation
internal representation of icmp type/code in pfctl(8)/pf(4) does not fit into u_int8_t. Issue has been noticed and kindly reported by amalinin _at_ bh0.amt.ru via bugs@.
OK bluhm@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 1fdb608f55
Sponsored by: Rubicon Communications, LLC ("Netgate")
65c31863 | 01-Aug-2025 | Kajetan Staszkiewicz <ks@FreeBSD.org>
pf: Add prefer-ipv6-nexthop option for route-to pools
Now that pf is aware of the address family of each pool address and source tracking uses a distinct address family for source and redirection addresses, it is possible to add a new pool option prefer-ipv6-nexthop which enables routing of IPv4 packets over IPv6 next hops for rules with the route-to option.
Add a pool option flag PF_POOL_IPV6NH, apply it to pools with a keyword prefer-ipv6-nexthop.
Modify pf_map_addr() to handle pools with addresses of different families. Use *naf as a hint about what address family the forwarded packet is, then pick from the pool addresses of the family that can be used as a next hop for the forwarded packet, controlled by the PF_POOL_IPV6NH flag. For NAT pools this flag is never set and thus pf_map_addr() will return an IP address of the same family as the forwarded packet. For route-to pools, when the flag is enabled, IPv6 addresses can be returned for IPv4 packets.
In pf_route() check rt_af, it is not guaranteed to be AF_INET anymore because pf_map_addr() could have changed it (as *naf).
Add tests for behaviour of pf_map_addr() both with PF_POOL_IPV6NH and without, for single IP addresses, prefixes and subnets.
Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D50781
d2761422 | 31-Jul-2025 | Kajetan Staszkiewicz <ks@FreeBSD.org>
pf: Use different address family for source and redirection address
The function pf_map_addr() and source tracking operate on a single address family. This made sense before introducing address family translation. When combining af-to with route-to or with sticky-address, the next-hop or the NAT address are of a different address family than the source address. For example, in a NAT64 scenario an IPv6 source address is translated to an IPv4 address and routed over an IPv4 gateway.
Make source nodes dual-AF, that is have a separate source AF and redirection AF. Store route AF in struct pf_kstate, export it to pfctl. When loading rules with redirection pools with pfctl store address family of each address. When printing states don't deduce next-hop's address family from af-to, use the one stored in state.
Reviewed by: kp
Approved by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D51659
539da08f | 31-Jul-2025 | Kajetan Staszkiewicz <ks@FreeBSD.org>
pfctl: Use sa_family_t for af instead of int
Reviewed by: kp
Approved by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D51658
7250fc4e | 08-Jul-2025 | Kristof Provost <kp@FreeBSD.org>
pflog: improve uid logging
Sometimes a user ID was logged in pflog(4) although the logopt of the rule did not specify it. Check the option again for the log rule in case another rule has triggered a socket lookup. Remove logopt group, it is not documented and cannot work as struct pfloghdr does not contain a gid. Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER to express what it does. The lookup involved is only an implementation detail. OK kn@ sashan@ mvs@
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, f6d3bf21b2
Sponsored by: Rubicon Communications, LLC ("Netgate")
3524dfd7 | 08-Jul-2025 | Kristof Provost <kp@FreeBSD.org>
pfctl: Fail to parse rules with invalid ranges
This makes pfctl(8) detect bogus ranges (with and without `-n') before loading the ruleset and completes the previous commit.
OK sashan sthen
Obtained from: OpenBSD, kn <kn@openbsd.org>, 123a1e155c
Sponsored by: Rubicon Communications, LLC ("Netgate")
b09707ab | 07-Jul-2025 | Kristof Provost <kp@FreeBSD.org>
pf: synproxy should be processing incoming SYN packets only.
issue noticed by sthen@. fix discussed with bluhm@ and procter@
OK bluhm@, kn@, procter@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 4e62cf09d9
Sponsored by: Rubicon Communications, LLC ("Netgate")
a9706d78 | 07-Jul-2025 | Kristof Provost <kp@FreeBSD.org>
pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT
OK kn@, sashan@, florian@
Obtained from: OpenBSD, bket <bket@openbsd.org>, c8d5c2349e
Sponsored by: Rubicon Communications, LLC ("Netgate")
00406234 | 07-Jul-2025 | Kristof Provost <kp@FreeBSD.org>
pfctl: Do the actual pfr_strerror() to pf_strerror() rename
Missed in previous
Obtained from: OpenBSD, kn <kn@openbsd.org>, c802a0d9d6
Sponsored by: Rubicon Communications, LLC ("Netgate")
19973701 | 03-Jul-2025 | Kristof Provost <kp@FreeBSD.org>
pfctl: Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.
This is the userland portion. OK deraadt@ sashan@
Obtained from: OpenBSD, millert <millert@openbsd.org>, b4de054894
Sponsored by: Rubicon Communications, LLC ("Netgate")
2811ec17 | 03-Jul-2025 | Kristof Provost <kp@FreeBSD.org>
pfctl: Fix file descriptor leak due to popfile() never closing the main config file.
The fix is the same as for other parse.y files in the tree (see bgpd(8) or unwind(8))
ok bluhm@
Obtained from: OpenBSD, tobhe <tobhe@openbsd.org>, da1e1ceac5
Sponsored by: Rubicon Communications, LLC ("Netgate")