History log of /src/sbin/pfctl/pfctl.8 (Results 1 – 25 of 78)
Revision Date Author Comments
# 36acf1bd 03-Mar-2026 Seth Hoffert <seth.hoffert@gmail.com>

pfctl: consistency

% pfctl -F ethernet
Ethernet rules cleared

% pfctl -s ethernet
pfctl: Unknown show modifier 'ethernet'

pfctl accepts 'ethernet' (or any prefix of it) in the -F flag but
accepts only 'ether' (or any prefix of it) in the -s flag, which seems
inconsistent. This change brings the two to parity while remaining
backwards compatible.

Reviewed by: kp
MFC after: 2 weeks
Signed-off-by: Seth Hoffert <seth.hoffert@gmail.com>


# 398ca30c 10-Jan-2026 Kristof Provost <kp@FreeBSD.org>

pfctl.8: mention -k source -k <IP>

Sponsored by: Rubicon Communications, LLC ("Netgate")


# aafa1236 05-Jan-2026 Kristof Provost <kp@FreeBSD.org>

pfctl: resolve '-s' ambiguity

The 'introduce source and state limiters' commit added source and state
limiters, and used Stlimiters and Srclimiters as show options. However,
FreeBSD had 'Sources' as a show option already. This means that
'pfctl -sS' would now be ambiguous. Avoid this by renaming the new
options.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 46164812 30-Dec-2025 Kristof Provost <kp@FreeBSD.org>

pf: introduce source and state limiters

both source and state limiters can provide constraints on the number
of states that a set of rules can create, and optionally the rate
at which they are created. state limiters have a single limit, but
source limiters apply limits against a source address (or network).
the source address entries are dynamically created and destroyed,
and are also limited.

this started out because i was struggling to understand the source and
state tracking options in pf.conf, and looking at the code made it
worse. it looked like some functionality was missing, and the code also
did some things that surprised me. taking a step back from it, even if
it did work, what is described doesn't work well outside very simple
environments.

the functionality i'm talking about is most of the stuff in the
Stateful Tracking Options section of pf.conf(4).

some of the problems are illustrated by one of the simplest options:
the "max number" option that limits the number of states that a
rule is allowed to create:

- wiring limits up to rules is a problem because when you load a
new ruleset the limit is reset, allowing more states to be created
than you intended.
- a single "rule" in pf.conf can expand to multiple rules in the
kernel thanks to things like macro expansion for multiple ports.
"max 1000" on a line in pf.conf could end up being many times
that in effect.
- when a state limit on a rule is reached, the packet is dropped.
this makes it difficult to do other things with the packet, such as
redirect it to a tarpit or another server that replies with an
outage notice or such.

a state limiter solves these problems. the example from the pf.conf.5
change demonstrates this:

An example use case for a state limiter is to restrict the number of
connections allowed to a service that is accessible via multiple
protocols, e.g. a DNS server that can be accessed by both TCP and UDP on
port 53, DNS-over-TLS on TCP port 853, and DNS-over-HTTPS on TCP port 443
can be limited to 1000 concurrent connections:

state limiter "dns-server" id 1 limit 1000

pass in proto { tcp udp } to port domain state limiter "dns-server"
pass in proto tcp to port { 853 443 } state limiter "dns-server"

a single limit across all these protocols can't be implemented with
per rule state limits, and any limits that were applied are reset
if the ruleset is reloaded.

the existing source-track implementation appears to be incomplete,
i could only see code for "source-track global", but not "source-track
rule". source-track global is too heavy and unwieldy a hammer, and
source-track rule would suffer the same issues around rule lifetimes
and expansions that the "max number" state tracking config above has.

a slightly expanded example from the pf.conf.5 change for source limiters:

An example use for a source limiter is the mitigation of denial of
service caused by the exhaustion of firewall resources by network or port
scans from outside the network. The states created by any one scanner
from any one source address can be limited to avoid impacting other
sources. Below, up to 10000 IPv4 hosts and IPv6 /64 networks from the
external network are each limited to a maximum of 1000 connections, and
are rate limited to creating 100 states over a 10 second interval:

source limiter "internet" id 1 entries 10000 \
limit 1000 rate 100/10 \
inet6 mask 64

block in on egress
pass in quick on egress source limiter "internet"
pass in on egress proto tcp probability 20% rdr-to $tarpit

the extra bit is if the source limiter doesn't have "space" for the
state, the rule doesn't match and you can fall through to tarpitting
20% of the tcp connections for fun.

i've been using this in anger in production for over 3 years now.

sashan@ has been poking me along (slowly) to get it in a good enough
shape for the tree for a long time. it's been one of those years.

bluhm@ says this doesn't break the regress tests.
ok sashan@

Obtained from: OpenBSD, dlg <dlg@openbsd.org>, 8463cae72e
Sponsored by: Rubicon Communications, LLC ("Netgate")
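An added illustration of the reasoning in the commit message above, not code from the commit or from pf itself: a toy Python model of pf.conf list expansion, showing how a per-rule "max 1000" becomes 4000 admitted states across the four expanded DNS rules and resets on reload, while the named state limiter from the example admits 1000 in total and keeps its count across a reload. The rule parsing is a constructed approximation, not pfctl's parser.

```python
# Toy model of the commit message's argument: per-rule "max N" multiplies
# under pf.conf list expansion and resets on reload, while a named state
# limiter is one shared budget that outlives reloads. Constructed, not pf code.
import itertools
import re

PER_RULE_CONF = '''pass in proto { tcp udp } to port domain keep state (max 1000)
pass in proto tcp to port { 853 443 } keep state (max 1000)'''
STATE_LIMITER_CONF = '''state limiter "dns-server" id 1 limit 1000
pass in proto { tcp udp } to port domain state limiter "dns-server"
pass in proto tcp to port { 853 443 } state limiter "dns-server"'''

def expand(line):
    """Expand every '{ a b }' list into separate kernel rules (cartesian product)."""
    lists = [l.split() for l in re.findall(r"\{([^}]*)\}", line)]
    return [re.sub(r"\{[^}]*\}", lambda m, it=iter(c): next(it), line)
            for c in itertools.product(*lists)]

class Firewall:
    def __init__(self):
        self.cap, self.used, self.rules = {}, {}, []  # limiter usage survives reloads
    def load(self, conf):
        self.rules = []  # per-rule state counters are rebuilt on every reload
        for line in conf.strip().splitlines():
            m = re.match(r'state limiter "([\w-]+)" id \d+ limit (\d+)', line)
            if m:
                self.cap[m.group(1)] = int(m.group(2))
                self.used.setdefault(m.group(1), 0)
            else:
                self.rules += [{"text": r, "states": 0} for r in expand(line)]
    def create_state(self, i):  # False means the expanded rule did not match
        rule = self.rules[i]
        lim = re.search(r'state limiter "([\w-]+)"', rule["text"])
        if lim:  # shared budget: when full, the rule simply does not match
            if self.used[lim.group(1)] >= self.cap[lim.group(1)]:
                return False
            self.used[lim.group(1)] += 1
            return True
        mx = re.search(r"max (\d+)", rule["text"])
        if mx and rule["states"] >= int(mx.group(1)):
            return False
        rule["states"] += 1
        return True
    def fill(self):  # keep creating states on every rule until each refuses
        return sum(1 for i in range(len(self.rules))
                   for _ in iter(lambda: self.create_state(i), False))

def demo(conf):
    """States admitted on first load, then after reloading the same ruleset."""
    fw = Firewall(); fw.load(conf); first = fw.fill()
    fw.load(conf)  # ruleset reload
    return first, fw.fill()
```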


# cc97633b 28-Aug-2025 Kristof Provost <kp@FreeBSD.org>

pfctl.8/pf.conf.5: Improve "once" bits

- use imperative tense in the pf.conf(5) "once" part
- leave printing implementation details to pfctl(8)'s "-s rules" part
- use more markup
- debug mode also prints expired rules

OK jmc sashan

Obtained from: OpenBSD, kn <kn@openbsd.org>, 1f1797aba7
Sponsored by: Rubicon Communications, LLC ("Netgate")


# c016bd00 25-Aug-2025 Kristof Provost <kp@FreeBSD.org>

pfctl.8: -z honours -a (reset rule stats per anchor)

OK sashan henning deraadt

Obtained from: OpenBSD, kn <kn@openbsd.org>, 1ddc001403
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 05e99f5d 25-Aug-2025 Kristof Provost <kp@FreeBSD.org>

pfctl.8: omit preceding flag from command/modifier lists to get tags

reads odd to repeat, e.g. -F, when listing all its modifiers.
as a consequence, automatic tagging wouldn't work, e.g. no "zero"
tag would exist to jump to that -F modifier's definition.

also add manual tags for -R and -T as they get explained together with
-s and -t, respectively, where only the first flag gets tagged.

Obtained from: OpenBSD, kn <kn@openbsd.org>, e08605c7f2
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 063dc452 05-Aug-2025 Kristof Provost <kp@FreeBSD.org>

pfctl.8: small cleanups

- show -R with -s in options list
- show -t with -T in options list
- sort the -T commands
- small text/formatting tweaks

ok sthen
ok kn on an earlier version

Obtained from: OpenBSD, jmc <jmc@openbsd.org>, bc345da85f
Sponsored by: Rubicon Communications, LLC ("Netgate")


# a4b7e540 07-Jul-2025 Kristof Provost <kp@FreeBSD.org>

pfctl.8: Mention hostid and checksum

Complete the description of "-s info -v" such that grepping for them
in the manual pager yields something.

Feedback jmc
OK sashan

Obtained from: OpenBSD, kn <kn@openbsd.org>, 0f5c867d7c
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 3b6bcad3 07-Jul-2025 Kristof Provost <kp@FreeBSD.org>

pfctl.8: Further document recursive flush behaviour

OK sashan

Obtained from: OpenBSD, kn <kn@openbsd.org>, 5bd1c2906f
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 041ce1d6 04-Jul-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: recursively flush rules and tables

The recursive operation ("pfctl -a '*' ...") already works for the '-s' option. This
change enables the same thing for the '-F' option, so "pfctl -a '*' -Fa" will
flush everything from the PF driver.

The idea was discussed with many on tech@ in spring 2019.

OK kn@

Obtained from: OpenBSD, sashan <sashan@openbsd.org>, ae711728d4
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 7abd52e24a
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 5606ac2f 02-Jul-2025 Kristof Provost <kp@FreeBSD.org>

pf.conf.5, pfctl.8: update to PF pfctl(8) and pf.conf(5) manpages

great input by Ingo, Jason and Klemens

OK schwarze@, OK kn@, OK jmc@

Obtained from: OpenBSD, sashan <sashan@openbsd.org>, acd7255d6a
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 613a144a 02-Jul-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: introduce 'pfctl -FR' to reset settings to defaults

(discussed with many at tech@)

OK deraadt@, kn@, sthen@, tedu@

Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 22f3d0383c
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 9d74a1b5 02-Jul-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: Make -N and -r mutually exclusive

Either disable DNS or enable additional reverse lookups, but not both.

OK benno

Obtained from: OpenBSD, kn <kn@openbsd.org>, b294e41e93
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 9bf3979d 01-Jul-2025 Kristof Provost <kp@FreeBSD.org>

pfctl.8: Mention that -r does reverse DNS lookups for tables as well

OK benno

Obtained from: OpenBSD, kn <kn@openbsd.org>, 3ba17eef64
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 3c24dfa3 30-Jun-2025 Kristof Provost <kp@FreeBSD.org>

pfctl.8: Explicitly mention that tables created by -T{add,replace} are persistent

pf.conf(5)'s TABLE section explains it, but let's be clear about it in the
table command descriptions, too.

"go for it" jmc

Obtained from: OpenBSD, kn <kn@openbsd.org>, 8d4231551f
Sponsored by: Rubicon Communications, LLC ("Netgate")


# ddb8face 30-Jun-2025 Kristof Provost <kp@FreeBSD.org>

pf.4: DIOCIGETIFACES provides interfaces and groups, not drivers

"driver" is a left-over from earlier implementations.

Nowadays each driver such as lo(4) has its respective interface group of
the same name ("lo"), but additional driver-independent groups exist, too:

# ifconfig lo0 group foo
# pfctl -s I -i foo
foo
lo0

OK henning

Obtained from: OpenBSD, kn <kn@openbsd.org>, 822e892650
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 2927a598 30-Jun-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: fix table commands under anchors

With r1.358 I simplified anchor handling but also broke semantics with
regard to tables:

# pfctl -a aname -t tname -T show
pfctl: anchors apply to -f, -F and -s only

Unbreak this by checking for table commands as well.

OK bluhm

Obtained from: OpenBSD, kn <kn@openbsd.org>, 0e2b7406a2
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 4ace4ea9 29-May-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: add option -S (no domain resolution)

manpage wording and reminder about usage() jmc@
ok florian@ henning@

Reviewed by: ziaee (manpages)
Obtained from: OpenBSD, benno <benno@openbsd.org>, 7c8726d43b
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50724


# be0e5f02 09-May-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: support killing states by key

Add a "key" modifier for -k so that pfctl can kill a state by specifying
the key of the state.

ok sasha

Obtained from: OpenBSD, yasuoka <yasuoka@openbsd.org>, c42801d935
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 6091e2aa 29-Mar-2025 Quentin Thébault <quentin.thebault@defenso.fr>

pfctl.8: fix typo in reference to rc.conf variable

Reviewed by: kp, @concussious, @ImAwsumm
Pull Request: https://github.com/freebsd/freebsd-src/pull/1630


# ddafb584 10-Feb-2025 Kristof Provost <kp@FreeBSD.org>

pfctl.8: explicitly mention that at least one option is required

zap one redundant line, replacing it with a note that although
SYNOPSIS suggests no options are necessary, in fact a minimum of one
is required;

ok henning

Obtained from: OpenBSD, jmc <jmc@openbsd.org>, 123a76b4bf
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 0ce36b06 05-Feb-2025 Kristof Provost <kp@FreeBSD.org>

pfctl.8: describe the counters that "pfctl -s info" displays

Tweaks jmc@, ok deraadt@

Obtained from: OpenBSD, sthen <sthen@openbsd.org>, 83e508aa68
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 5b59b0c6 06-Dec-2024 Leonid Evdokimov <leon+freebsd@darkk.net.ru>

pfctl: add -T `reset` to touch pfras_tzero only for non-zero entries

This will make it easier for scripts to detect idle hosts in tables.

PR: 282984
Reviewed by: kp
MFC after: 2 weeks


# 6463b6b5 21-Nov-2024 Kristof Provost <kp@FreeBSD.org>

pfctl: clear statistic for specified addresses

The ioctl DIOCRCLRASTATS provides the functionality of clearing stats
not only for the whole table but also for addresses stored in that table. The
functionality was missing from pfctl, though. Add it now.

PR: 282877
Obtained from: OpenBSD, kirill <kirill@openbsd.org>, e496dff3a7
MFC after: 3 weeks

