History log of /src/sbin/pfctl/pfctl_optimize.c (Results 1 – 25 of 63)
Revision Date Author Comments
# 9dfc5e03 22-Aug-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: allow tables to be defined inside anchors

This change allows a user to define a table inside an anchor like this:
anchor foo {
table <bar> { 192.168.1.1 }
pass in from <bar> to <self>
}
Without this diff one must either create table <bar> in main
ruleset (root) or use 'pfctl -a foo -t bar -T add 192.168.1.1'
This glitch is hard to notice. Not many human admins try to attach
tables to non-global anchors. Daemons which configure pf(4) automatically
at run time such as relayd(8) and spamd(8) create tables attached to
their anchors (for example 'relayd/*') but the daemons use a way similar
to pfctl(8) to add and manage those tables.

The reason why I'd like to seal this gap is that my long term goal
is to turn global `pfr_ktable` in pf(4) into member of pf_anchor.
So each ruleset will get its own tree of tables.

feedback and OK bluhm@

Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 30269bc362
Sponsored by: Rubicon Communications, LLC ("Netgate")



# 9f21a946 07-Jul-2025 Kristof Provost <kp@FreeBSD.org>


pf: rename PF_OPT_TABLE_PREFIX to PF_OPTIMIZER_TABLE_PFX

Move it to pf.h.
OPT is misleading and usually refers to command line arguments to pfctl

ok sashan kn

Obtained from: OpenBSD, henning <henning@openbsd.org>, 9c6ad19ba4
Sponsored by: Rubicon Communications, LLC ("Netgate")



# a9706d78 07-Jul-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT

OK kn@, sashan@, florian@

Obtained from: OpenBSD, bket <bket@openbsd.org>, c8d5c2349e
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 00406234 07-Jul-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous

Obtained from: OpenBSD, kn <kn@openbsd.org>, c802a0d9d6
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 7153a62d 07-Jul-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: Unify error message for nonexisting anchors

pf(4) returns EINVAL for DIOCGETRULE, DIOCGETRULES and DIOCGETRULESET if
the specified anchor does not exist.

Extend and rename {pfr -> pf}_strerror() to make error message more
consistent.

There are other occasions as well but those need additional tweaks;
that's stuff for another diff.

OK and rename from sashan

Obtained from: OpenBSD, kn <kn@openbsd.org>, e5c920154c
Sponsored by: Rubicon Communications, LLC ("Netgate")



# f97839e0 03-Jul-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: Avoid optimizing empty rulesets

All optimizations work on actual rules; if there are none, return early.

While here, tell which ruleset/anchor is being optimized to make the debug
message actually useful.

OK mikeb

Obtained from: OpenBSD, kn <kn@openbsd.org>, 757f1589f1
Sponsored by: Rubicon Communications, LLC ("Netgate")



# fb48e6d7 27-Jun-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan

Obtained from: OpenBSD, kn <kn@openbsd.org>, f0bb6ca5dd
Sponsored by: Rubicon Communications, LLC ("Netgate")



# 753da351 24-Jun-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: plug some memory leaks

found by parfait, ok henning

Obtained from: OpenBSD, deraadt <deraadt@openbsd.org>, 2f2ceddc40
Sponsored by: Rubicon Communications, LLC ("Netgate")


# a7d631f6 17-Jun-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: fix use-after-free and memory leak in pfctl_optimize.c

OK bluhm@

Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 43d70b8338
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 809ba93c 17-Jun-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: rule optimizer: anchor name vs. anchor path mix up

OK bluhm@

Obtained from: OpenBSD, sashan <sashan@openbsd.org>, a2fcc04574
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 0972294e 20-Jan-2025 Kristof Provost <kp@FreeBSD.org>

pf: add a dedicated pf pool for route options

As suggested by henning.
Which unbreaks i.e. route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@

Obtained from: OpenBSD, jsg <jsg@openbsd.org>, 7fa5c09028
Sponsored by: Rubicon Communications, LLC ("Netgate")



# 5cb08fdd 20-Jan-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: improve NAT pool handling

Ensure we always free the NAT pool (as well as the rdr pool) and actually handle
it in the optimiser.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 096efeb6 20-Jan-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: follow rpool -> rdr rename

In e11dacbf8484adc7bbb61b20fee3ab8385745925 the redirect pool was renamed from
rpool to rdr. It included backwards compatibility support for libpfctl users,
but didn't fully implement the rename in our own code.

Do so now. No functional change.

Sponsored by: Rubicon Communications, LLC ("Netgate")



# 0d68985b 07-Jan-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: unbreak rule optimizer

ok henning, looks

Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, 4a16887b1b
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 288bec2b 13-Sep-2024 Kristof Provost <kp@FreeBSD.org>

pf: fold pf_test_fragment() into pf_test_rule()

Reduces code and fixes a bunch of bugs with fragment handling not being in sync
with the rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus

Note that while this changes the order of src addr/src port/dst addr/dst port
skips this doesn't actually affect the kernel/userspace ABI. The kernel always
recalculates skip steps. As a result we have to fix one of the pfctl parser
tests. Note that this is an order change that does not affect what packets are
accepted or dropped.

Obtained from: OpenBSD, mcbride <mcbride@openbsd.org>, 04c69899a7
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46705



# cd2054d4 24-May-2024 Kristof Provost <kp@FreeBSD.org>

libpfctl: add pfctl_get_rule_h()

Add a handle variant of pfctl_get_rule(). This converts us from using
the nvlist variant to the netlink variant, and also moves us closer to a
world where all libpfctl functions take the handle.

While here have pfctl use the new function.

Sponsored by: Rubicon Communications, LLC ("Netgate")



# f1612e70 09-May-2024 Kristof Provost <kp@FreeBSD.org>

libpfctl: fix file descriptor leak

pfctl_get_rules_info() opened a netlink socket, but failed to close it again.
Fix this by factoring out the netlink-based function into a _h variant that
takes struct pfctl_handle, and implement pfctl_get_rules_info() based on that,
remembering to close the fd.

While here migrate all in-tree consumers to the _h variant.

MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")



# 47a0b593 24-Nov-2023 Kristof Provost <kp@FreeBSD.org>

pfctl: use libpfctl instead of DIOCGETRULES directly

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 32e86a82 24-Nov-2023 Warner Losh <imp@FreeBSD.org>

sbin: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

Sponsored by: Netflix



# 1d386b48 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/


# 9f1beeae 06-Mar-2023 Kajetan Staszkiewicz <vegeta@tuxpowered.net>

pfctl: fix superblock printf format mismatch

It is impossible to compile pfctl with OPT_DEBUG due to integer width mismatch:

/usr/home/kajetan.staszkiewicz/freebsd.git/sbin/pfctl/pfctl_optimize.c:1479:9: error: format specifies type 'unsigned int' but the argument has type 'unsigned long' [-Werror,-Wformat]
i - pf_rule_desc[closest].prf_off--- pfctl_optimize.o ---
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/home/kajetan.staszkiewicz/freebsd.git/sbin/pfctl/pfctl_optimize.c:52:44: note: expanded from macro 'DEBUG'
printf("%s: " str "\n", __FUNCTION__ , ## v)
~~~ ^
1 error generated.

Reviewed by: kp
Obtained from: OpenBSD (pfctl_optimize.c 1.15)
Differential Revision: https://reviews.freebsd.org/D38918



# c4e49c3a 08-Mar-2022 Kristof Provost <kp@FreeBSD.org>

pfctl: remove unused variable

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")


# e9eb0941 08-Apr-2021 Kristof Provost <kp@FreeBSD.org>

libpfctl: Switch to pfctl_rule

Stop using the kernel's struct pf_rule, switch to libpfctl's pfctl_rule.
Now that we use nvlists to communicate with the kernel these structures
can be fully decoupled.

Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29644



# 0d71f9f3 26-Mar-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: Move ioctl abstraction functions into libpfctl

Introduce a library to wrap the pf ioctl interface.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29562



# 0d6c8174 26-Mar-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: Use the new DIOCGETRULENV ioctl

Create wrapper functions to handle the parsing of the nvlist and move
that code into pfctl_ioctl.c.
At some point this should be moved into a libpfctl.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29560


