path: root/sbin/pfctl
Age  Author
Commit message

2023-02-07  Alexandr Nedvedicky
internal representation of icmp type/code in pfctl(8)/pf(4) does not fit into u_int8_t. Issue has been noticed and kindly reported by amalinin _at_ bh0.amt.ru via bugs@. OK bluhm@

2023-01-06  Alexandr Nedvedicky
PF_ANCHOR_STACK_MAX is insufficient protection against stack overflow.

On amd64 the stack overflows for an anchor rule with depth ~30. The tricky thing is the 'safe' depth varies depending on the kind of packet processed by pf_match_rule(). For example, for a local outbound TCP packet the stack overflows when recursion of pf_match_rule() reaches depth 24.

Instead of lowering PF_ANCHOR_STACK_MAX to 20 and hoping it will be enough on all platforms and for all packets I'd like to stop calling pf_match_rule() recursively. This commit brings back the pf_anchor_stackframe array we used to have back in 2017. It also revives patrick@'s idea to pre-allocate stack frame arrays per-cpu.

OK kn@

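The iterative anchor walk the commit describes, shown as an added example that is not pf's own code: a fixed-size array of frames replaces recursion through pf_match_rule(), and a ruleset nested deeper than the array fails closed with an error instead of growing the kernel stack. The bound ANCHOR_STACK_MAX, the simplified rule/ruleset/packet layouts, the verdict values and the "last matching rule wins" walk are this example's assumptions (pf's real PF_ANCHOR_STACK_MAX and structures differ).

```c
/* Explicit-stack anchor walk (illustration, not pf's code). */
#include <stdio.h>
#include <stdlib.h>

#define ANCHOR_STACK_MAX 64   /* assumed bound for this example */

enum verdict { VERDICT_BLOCK = 0, VERDICT_PASS = 1, VERDICT_ERROR = -1 };

struct ruleset;

struct rule {
	unsigned proto;                 /* 0 = any, else IP protocol number */
	const struct ruleset *anchor;   /* non-NULL: descend instead of deciding */
	enum verdict action;            /* used when anchor == NULL */
};

struct ruleset {
	const struct rule *rules;
	size_t nrules;
};

struct packet { unsigned proto; };

struct frame {
	const struct ruleset *rs;
	size_t next;                    /* index of the next rule to evaluate */
};

/*
 * Last matching rule wins, as in pf. Anchors are walked with an explicit
 * frame array, so nesting depth never consumes C stack; once the array is
 * full we refuse with VERDICT_ERROR instead of going deeper.
 */
enum verdict match_rules(const struct ruleset *root, const struct packet *pkt)
{
	struct frame stack[ANCHOR_STACK_MAX];
	int sp = 0;
	enum verdict result = VERDICT_PASS;   /* default when nothing matches */

	stack[0].rs = root;
	stack[0].next = 0;
	while (sp >= 0) {
		struct frame *f = &stack[sp];
		const struct rule *r;

		if (f->next >= f->rs->nrules) {   /* ruleset exhausted: pop */
			sp--;
			continue;
		}
		r = &f->rs->rules[f->next++];
		if (r->proto != 0 && r->proto != pkt->proto)
			continue;
		if (r->anchor != NULL) {
			if (sp + 1 >= ANCHOR_STACK_MAX)
				return VERDICT_ERROR;     /* too deep: fail closed */
			sp++;
			stack[sp].rs = r->anchor;
			stack[sp].next = 0;
			continue;
		}
		result = r->action;
	}
	return result;
}

/* Constructed data: root -> anchor -> ... (n nested anchors) ending in a
 * single "pass" rule, evaluated for a TCP packet. */
enum verdict nested_anchor_verdict(int n)
{
	struct ruleset *sets = calloc((size_t)n + 1, sizeof *sets);
	struct rule *rules = calloc((size_t)n + 1, sizeof *rules);
	struct packet pkt = { 6 };
	enum verdict v = VERDICT_ERROR;
	int i;

	if (sets != NULL && rules != NULL) {
		for (i = 0; i <= n; i++) {
			sets[i].rules = &rules[i];
			sets[i].nrules = 1;
			if (i < n)
				rules[i].anchor = &sets[i + 1];
			else
				rules[i].action = VERDICT_PASS;
		}
		v = match_rules(&sets[0], &pkt);
	}
	free(sets);
	free(rules);
	return v;
}

/* Constructed ruleset: "block all" in the main ruleset, then an anchor that passes TCP. */
enum verdict example_verdict(unsigned proto)
{
	static const struct rule inner[] = { { 6, NULL, VERDICT_PASS } };
	static const struct ruleset anchor = { inner, 1 };
	static const struct rule outer[] = {
		{ 0, NULL, VERDICT_BLOCK },
		{ 0, &anchor, VERDICT_BLOCK },
	};
	static const struct ruleset root = { outer, 2 };
	struct packet pkt = { proto };

	return match_rules(&root, &pkt);
}

int main(void)
{
	printf("tcp -> %d, udp -> %d\n", example_verdict(6), example_verdict(17));
	printf("%d nested anchors -> %d, %d -> %d\n", ANCHOR_STACK_MAX - 1,
	    nested_anchor_verdict(ANCHOR_STACK_MAX - 1), ANCHOR_STACK_MAX,
	    nested_anchor_verdict(ANCHOR_STACK_MAX));
	return 0;
}
```

The frame array is the whole point: its size is a compile-time constant, so the worst-case memory used by a pathological ruleset is known up front, and a ruleset that exceeds it is rejected rather than trusted to fit whatever stack space the current code path happens to have left.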
2022-11-21  Alexandr Nedvedicky
Fix DIOCIGETIFACES ioctl so all network interfaces and interface groups are reported. The bug only allowed the first 64 interfaces to be enumerated. The issue has been noticed and the bug kindly reported by Olivier Croquin. OK kn@

2022-11-19  Klemens Nanni
Prettify expired rules printing
"pfctl -s rules" omits expired rules but prints newlines for them. "pfctl -s rules -v" omits expired rules but prints their stats. Add the existing skip check to those two missing print logic places such that expired rules won't cause any output at all, as expected, unless debug ("-g") or more verbose ("-vv") mode are given, as documented. OK sashan

2022-11-18  Klemens Nanni
Improve "once" bits
- use imperative tense in the pf.conf(5) "once" part
- leave printing implementation details to pfctl(8)'s "-s rules" part
- use more markup
- debug mode also prints expired rules
OK jmc sashan

2022-11-14  Jason McIntyre
- show -R with -s in options list
- show -t with -T in options list
- sort the -T commands
- small text/formatting tweaks
ok sthen
ok kn on an earlier version

2022-11-09  Alexandr Nedvedicky
simplify expiration of 'once' rules.
let the packet mark the 'once' rule as expired. The rule will be removed by pfctl(8) when rules are updated. OK kn@

2022-09-23  Alexander Bluhm
Fix detection of duplicate sticky-address in pf.conf parser.
reported to FreeBSD by Franco Fichtner; from Kristof Provost

2022-07-27  Moritz Buhl
Remove redundant bzero, the pfctl struct is memset later on. Also memset the pfctl struct in pfctl_reset. OK jan@

2022-07-21  Moritz Buhl
Set the default pool size for the new anchors pool, otherwise it's set to 0.

2022-07-20  Moritz Buhl
Add a pool for the allocation of the pf_anchor struct.
It was possible to exhaust kernel memory by repeatedly calling pfioctl DIOCXBEGIN with different anchor names. OK bluhm@
Reported-by: syzbot+9dd98cbce69e26f0fc11@syzkaller.appspotmail.com

2022-01-28  Philip Guenther
When it's the possessive of 'it', it's spelled "its", without the apostrophe.

2022-01-16  Christian Weisgerber
pfctl: fix -Wunused-but-set-variable warning
ok dlg@ guenther@

2021-11-11  Alexandr Nedvedicky
add tests to cover DIOCCHANGERULE ioctl(2)
OK bluhm@

2021-10-25  Alexandr Nedvedicky
pfctl $nr incorrect macro expansion
Issue reported by Kristof Provost from FreeBSD. [ https://reviews.freebsd.org/D32488 ] In order to fix the issue we must delay '$nr' macro expansion until after the optimizer collapses the ruleset. OK kn@

2021-10-15  Christian Weisgerber
Don't declare variables as "unsigned char *" that are passed to functions that take "char *" arguments. Where such chars are assigned to int or passed to ctype functions, explicitly cast them to unsigned char. For OpenBSD's clang, -Wpointer-sign has been disabled by default, but when the parse.y code was built elsewhere, the compiler would complain. With help from millert@ ok benno@ deraadt@

2021-02-01  David Gwynne
change route-to so it sends packets to IPs instead of interfaces.

this is a significant (and breaking) reworking of the policy based routing that pf can do. the intention is to make it as easy as nat/rdr to use, and more robust when it's operating.

the main reasons for this change are:

- route-to, reply-to, and dup-to do not work with pfsync. this is because the information about where to route-to is stored in rules, and it is hard to have a ruleset synced between firewalls, and impossible to have them synced 100% of the time.
- i can make my boxes panic in certain situations using route-to. yeah...
- the configuration and syntax for route-to rules are confusing. the argument to route-to and co is an interface name with an optional ip address. there are several problems with this. one is that people tend to think about routing as sending packets to peers by their address, not by the interface they're reachable on. another is that we currently have no way to synchronise interface topology information between firewalls, so using an interface to say where packets go means we can't do failover of these states with pfsync. another is that a change in routing topology means a host may become reachable over a different interface. tying routing policy to interfaces gets in the way of failover and load balancing.

this change does the following:

- stores the route info in the state instead of the pf rule. this allows route-to to keep working when the ruleset changes, and allows route-to info to be sent over pfsync. there's enough spare bits in pfsync messages that the protocol doesn't break. the caveat is that route-to becomes tied to pass rules that create state, like rdr-to and nat-to.
- the argument to route-to etc is a destination ip address. it's not limited to a next-hop address (though a next-hop can be a destination address). this allows for the failover and load balancing referred to above.
- deprecates the address@interface host syntax in pfctl. because routing is done entirely by IPs, the interface is derived from the route lookup, not pf. any attempt to use the @interface syntax will fail now in all contexts.

there's enthusiasm from proctor@ jmatthew@ and others
ok sashan@ bluhm@

2021-01-12  Alexander Bluhm
Sometimes a user ID was logged in pflog(4) although the logopt of the rule did not specify it. Check the option again for the log rule in case another rule has triggered a socket lookup. Remove logopt group, it is not documented and cannot work as struct pfloghdr does not contain a gid. Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER to express what it does. The lookup involved is only an implementation detail. OK kn@ sashan@ mvs@

2020-12-29  Sebastian Benoit
getifaddrs() can return entries where ifa_addr is NULL. Check for this before accessing anything in ifa_addr. ok claudio@

2020-12-16  kn
Fail to parse rules with invalid ranges
This makes pfctl(8) detect bogus ranges (with and without `-n') before loading the ruleset and completes the previous commit. OK sashan

2020-12-16  kn
Reject rules with invalid port ranges
Ranges where the left boundary is bigger than the right one are always bogus as they work like `port any' (`port 34<>12' means "all ports") or in a way that inverts the rule's action (`pass ... port 34:12' means "pass no port at all"). Add checks for all ranges and invalidate those that yield no or all ports. For this to work on redirections, make pfctl(8) pass the range's type, otherwise boundary-including ranges are not detected as such; that is to say, `struct pf_pool's `port_op' member was unused in the kernel so far. `rdr-to' rules with invalid ranges could panic the kernel when hit.
Reported-by: syzbot+9c309db201f06e39a8ba@syzkaller.appspotmail.com
OK sashan

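The "no or all ports" check described in the two commits above, written out as an added example that is not pfctl's parser. Operator semantics follow pf.conf(5): `lo:hi` is the inclusive range, `lo><hi` matches ports strictly between the boundaries, and `lo<>hi` matches every port except `lo..hi`. The enum names, the `classify_port_range()` string form and the verdict values are this example's assumptions; the inputs in `main()` are constructed test data.

```c
/* Port-range sanity check (illustration, not pfctl's code). */
#include <stdio.h>
#include <string.h>

enum range_op { OP_INCLUSIVE, OP_EXCLUSIVE, OP_EXCEPT };
enum range_verdict { RANGE_OK, RANGE_NONE, RANGE_ALL, RANGE_SYNTAX };

#define NPORTS 65536UL

/* Number of ports in 0..65535 that "lo OP hi" selects. */
unsigned long ports_matched(enum range_op op, unsigned lo, unsigned hi)
{
	switch (op) {
	case OP_INCLUSIVE:	/* lo:hi */
		return lo <= hi ? (unsigned long)(hi - lo + 1) : 0;
	case OP_EXCLUSIVE:	/* lo><hi */
		return lo + 1 < hi ? (unsigned long)(hi - lo - 1) : 0;
	case OP_EXCEPT:		/* lo<>hi: everything outside lo..hi */
		return NPORTS - ports_matched(OP_INCLUSIVE, lo, hi);
	}
	return 0;
}

/* A range selecting no port or every port is exactly the bogus case to reject. */
enum range_verdict check_range(enum range_op op, unsigned lo, unsigned hi)
{
	unsigned long n;

	if (lo > 65535 || hi > 65535)
		return RANGE_SYNTAX;
	n = ports_matched(op, lo, hi);
	if (n == 0)
		return RANGE_NONE;
	if (n == NPORTS)
		return RANGE_ALL;
	return RANGE_OK;
}

/* Parse "lo:hi", "lo><hi" or "lo<>hi" (whitespace around the operator allowed). */
enum range_verdict classify_port_range(const char *spec)
{
	unsigned lo, hi;
	char opbuf[3];
	enum range_op op;
	int consumed = 0;

	if (sscanf(spec, "%u %2[<>:]%u %n", &lo, opbuf, &hi, &consumed) != 3 ||
	    spec[consumed] != '\0')
		return RANGE_SYNTAX;
	if (strcmp(opbuf, ":") == 0)
		op = OP_INCLUSIVE;
	else if (strcmp(opbuf, "><") == 0)
		op = OP_EXCLUSIVE;
	else if (strcmp(opbuf, "<>") == 0)
		op = OP_EXCEPT;
	else
		return RANGE_SYNTAX;
	return check_range(op, lo, hi);
}

int main(void)
{
	/* constructed inputs: the two cases from the commit plus sane ones */
	const char *specs[] = { "34<>12", "34:12", "2000 >< 2004", "0:65535", "80><81" };
	size_t i;

	for (i = 0; i < sizeof specs / sizeof specs[0]; i++)
		printf("%-14s -> %d\n", specs[i], classify_port_range(specs[i]));
	return 0;
}
```

Counting matched ports rather than only comparing `lo` and `hi` catches the cases the commit calls out (`34<>12` selects all ports, `34:12` none) and also the boundary-included ones it mentions for redirections, such as `0:65535` (all) and `0<>65535` or `80><81` (none), which a plain `lo > hi` test would let through.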
2020-12-07  Alexandr Nedvedicky
synproxy should be processing incoming SYN packets only.
issue noticed by sthen@. fix discussed with bluhm@ and procter@ OK bluhm@, kn@, procter@

2020-10-14  Christian Weisgerber
Accommodate a basename(3) that takes a non-const parameter and may in fact modify the string buffer. ok kn@ sashan@

2020-10-01  kn
rdomain IDs do not need to exist for "on rdomain N" to work

Unlike "... rtable N", pf.conf(5)'s "on rdomain N" does not alter packet state and will always work no matter if rdomain N currently exists or not, i.e. the rule "pass on rdomain 42" will simply match (and pass) packets if rdomain 42 exists, and it will simply not match (neither pass nor block) packets if 42 does not exist.

There's no need to reload the ruleset whenever routing domains are created or deleted, which can already be observed now by creating an rdomain, loading rules referencing it and deleting the same rdomain immediately afterwards: pf will continue to work as expected.

Relax both pfctl(8)'s parser check as well as pf(4)'s copyin routine to accept any valid routing domain ID without expecting it to exist at the time of ruleset creation - this lifts the requirement to create rdomains before referencing them in pf.conf while keeping pf behaviour unchanged.

Prompted by yasuoka's recent pfctl parse.y r1.702 commit requiring an rtable to exist upon ruleset creation.

Discussed with claudio and bluhm at k2k20. Feedback sashan OK sashan yasuoka claudio

2020-09-17  YASUOKA Masahiko
Fix the previous commit whose conditions were reversed.
ok kn

2020-09-17  YASUOKA Masahiko
Make pfctl(8) check if the rtable really exists when parsing the config. work with and diff from kn ok kn

2020-07-21  Henning Brauer
rename PF_OPT_TABLE_PREFIX to PF_OPTIMIZER_TABLE_PFX and move it to pfvar.h
OPT is misleading and usually refers to command line arguments to pfctl ok sashan kn

2020-07-20  kn
Mention hostid and checksum
Complete the description of "-s info -v" such that grepping for them in the manual pager yields something. Feedback jmc OK sashan

2020-05-15  cheloha
pf(4): use CLOCK_BOOTTIME to get time_uptime(9) in userspace

In pf(4), the pf_status.since timestamp is set with time_uptime(9). This is a low-res snapshot of nanouptime(9). nanouptime(9) is used to implement CLOCK_BOOTTIME for clock_gettime(2). It is not used to implement CLOCK_UPTIME, though. The names are misleading.

Switch to CLOCK_BOOTTIME in places in userspace where we use pf_status.since so we are working with the right clock. Technically CLOCK_MONOTONIC is equivalent, but we shouldn't use that here. CLOCK_MONOTONIC is not necessarily the "time since boot": the standard says its absolute value is meaningless.

ok patrick@ bluhm@

2020-01-28  bket
sbin/pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT
OK kn@, sashan@, florian@

2020-01-16  kn
Fail on missing anchor
There is no reason to continue on anchor specific paths if the given anchor does not exist. OK sashan

2020-01-15  kn
Do the actual pfr_strerror() to pf_strerror() rename
Missed in previous

2020-01-15  kn
Unify error message for nonexisting anchors
pf(4) returns EINVAL for DIOCGETRULE, DIOCGETRULES and DIOCGETRULESET if the specified anchor does not exist. Extend and rename {pfr -> pf}_strerror() to make error message more consistent. There are other occasions as well but those need additional tweaks; that's stuff for another diff. OK and rename from sashan

2020-01-15  kn
Refine error message
While code in pf/pfctl confusingly uses either anchor or ruleset depending on the context, pfctl(8) (both manual and user interface) should be consistent. For users there are basically anchors only, so do not imply any difference between the two terminologies. OK sashan

2020-01-15  kn
Merge radix_perror() into simpler warnx()/errx() usage
Less nesting for clearer code. OK sashan

2020-01-15  kn
Further document recursive flush behaviour
OK sashan

2020-01-15  kn
Print the main ruleset/anchor as "/" not "<root>" for consistency
OK sashan

2020-01-15  Alexandr Nedvedicky
Recent change to pfctl(8) prompts for a minor update of manpage.
OK kn@

2020-01-15  Alexandr Nedvedicky
Enable pfctl(8) to recursively flush rules and tables from PF driver. The recursive operation ("pfctl -a '*' ...") works for '-s' option already. This change enables the same thing for '-F' option, so "pfctl -a '*' -Fa" will flush everything from PF driver. The idea was discussed with many on tech@ in spring 2019. OK kn@

2019-12-12  kn
Avoid optimizing empty rulesets
All optimizations work on actual rules; if there are none, return early. While here, tell which ruleset/anchor is being optimized to make the debug message actually useful. OK mikeb

2019-11-27  kn
Fix function name in error message (zap trailing s)

2019-10-17  Todd C. Miller
Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX. This is the userland portion. OK deraadt@ sashan@

2019-08-26  tobhe
Fix file descriptor leak due to popfile() never closing the main config file. The fix is the same as for other parse.y files in the tree (see bgpd(8) or unwind(8)) ok bluhm@

2019-08-15  Alexandr Nedvedicky
pfctl_reset() must set syncookies settings back to default (bug found and fix tested by Jesper Wallin) OK deraadt OK kn

2019-07-09  kn
Add parentheses for readability
Prompted by and OK deraadt

2019-07-05  Patrick Wildt
Fix integer sizes in format strings and enable formatting warnings for yyerror. From Moritz Buhl ok bluhm@ claudio@

2019-06-28  Theo de Raadt
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.

2019-05-08  Alexandr Nedvedicky
pfctl should check pfctl.astack is not overrun (bug found and fixed by Petr Hoffmann _at_ oracle.com) OK kn@

2019-05-08  Alexandr Nedvedicky
update to PF pfctl(8) and pf.conf(5) manpages
great input by Ingo, Jason and Klemens OK schwarze@, OK kn@, OK jmc@

2019-04-18  kn
Always check for namespace collisions on table commands
`-t table -T add|replace ...' would only check for duplicate tables in case addresses were actually added to the table. Instead of using a positive number of added addresses as proof of successful table operations, rely on the fact that CREATE_TABLE() is guaranteed to be called only if pf(4) can be accessed, that is warn_duplicate_tables() will return. This improves duplicate detection rate as warnings are now also emitted even when table commands eventually leave tables unchanged. OK benno sashan
