src/lib/libpfctl, branch release/14.4.0

libpfctl: ensure we return useful error codes

2024-09-29T18:29:50Z

Return errno rather than -1 on error. This allows pfctl to report much more useful errors. Reported by: Alexander Leidinger MFC after: 1 week (cherry picked from commit 93e96359c980ccf318fe089b30b863f7c910b622)

libpfctl: fix incorrect pcounters array size

2024-05-13T15:28:02Z

The array is 2 x 2 x 2, not 2 x 2 x 3. Sponsored by: Rubicon Communications, LLC ("Netgate") MFC after: 2 weeks (cherry picked from commit a3f7176523e8611b259cefd7431c01e24f446db7)

libpfctl: handle pfctl_do_ioctl() failures better

2023-11-24T09:19:13Z

Ensure that we free nvlists and other allocations if pfctl_do_ioctl() fails. MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 498934c5ff51e6b0d3199db5d27ed11b1e8b9582)

libpfctl: handle allocation failure

2023-11-24T09:19:08Z

While it's unlikely for userspace to fail to allocate memory it is still possible. Handle malloc() returning NULL. Reported by: Bill Meeks MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 33d55d0d0f33787e9e2796b5000be73af42573bc)

pf: expose more syncookie state information to userspace

2023-11-13T07:10:27Z

Allow userspace to retrieve low and high water marks, as well as the current number of half open states. MFC after: 1 week Sponsored by: Modirum MDPay (cherry picked from commit a6173e94635b03aa7aab90a67785c8c3e7c6247b)

libpfctl: be more tolerant of kernel extensions

2023-11-07T15:46:52Z

Allow the kernel to supply more array elements than expected, but cut off when we hit what we think the maximum is. This will improve forward compatibility (i.e. old userspace with newer kernel). Reviewed by: zlei MFC after: 1 week Sponsored by: Orange Business Services Differential Revision: https://reviews.freebsd.org/D42392 (cherry picked from commit 2b1eb63fc9c6d6f64baaac59b7ea7c2a3228c03f)

libpfctl: remove unused field from struct pfctl_states

2023-11-02T15:10:00Z

We never populate this, or use it, so remove it. MFC after: 3 days Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 87c5032353106764f324e82541662f448e68f38a)

libpfctl: add missing pfctl_status_lcounter() function

2023-11-02T15:10:00Z

We already had accessors for the other types of counters, but not this one. MFC after: 3 days Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 1c824f430a395cdc66e22406e72f20ebd300e47e)

libpfctl: fix Coverity issues

2023-11-01T09:05:49Z

- handle snl_finalize_msg() returning NULL - insert the correct data into the states list - add missing nvlist_destroy() - incorrect order for array bounds Coverity: 1522929, 1522925, 1522923, 1522921, 1522780, 1522770, 1522764, 1487785, 1471250 Reviewed by: emaste MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D42330 (cherry picked from commit 4abc3b482e0d246cd3518622223795c8de102130)

libpfctl: fix pfctl_do_ioctl()

2023-11-01T09:05:49Z

pfctl_do_ioctl() copies the packed request data into the request buffer and then frees it. However, it's possible for the buffer to be too small for the reply, causing us to allocate a new buffer. We then copied from the freed request, and freed it again. Do not free the request buffer until we're all the way done. PR: 274614 Reviewed by: emaste MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D42329 (cherry picked from commit 2cffb52514b070e716e700c7f58fdb8cd9b05335)