src/sys/modules/pf, branch main

pf: nat64

2024-12-17T10:07:12Z

Since the IPv6 madness is not enough introduce NAT64 -- which is actually "af-to" a generic IP version translator for pf(4). Not everything perfect yet but lets fix these things in the tree. Insane amount of work done by sperreault@, mikeb@ and reyk@. Looked over by mcbride@ henning@ and myself at eurobsdcon. OK mcbride@ and general put it in from deraadt@ Obtained from: OpenBSD, claudio , 97326e01c9 Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D47786

Remove residual blank line at start of Makefile

2024-07-15T22:43:39Z

This is a residual of the $FreeBSD$ removal. MFC After: 3 days (though I'll just run the command on the branches) Sponsored by: Netflix

pf: convert state retrieval to netlink

2023-10-10T09:48:21Z

Use netlink to export pf's state table. The primary motivation is to improve how we deal with very large state stables. With the previous implementation we had to build the entire list (both in the kernel and in userspace) before we could start processing. With netlink we start to get data in userspace while the kernel is still generating more. This reduces peak memory consumption (which can get to the GB range once we hit millions of states). Netlink also makes future extension easier, in that we can easily add fields to the state export without breaking userspace. In that regard it's similar to an nvlist-based approach, except that it also deals with transport to userspace and that it performs significantly better than nvlists. Testing has failed to measure a performance difference between the previous struct-copy based ioctl and the netlink approach. Differential Revision: https://reviews.freebsd.org/D38888

sys: Remove $FreeBSD$: one-line sh pattern

2023-08-16T17:54:58Z

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

Fix some modules to export more used symbols

2021-11-18T13:56:23Z

and remove non-present symbols that are now reported by kmod_syms.awk. Reviewed by: emaste Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D32878

modules: a lot: need opt_kern_tls.h

2021-09-30T04:10:31Z

This fixes the standalone build.

pf: syncookie support

2021-07-20T08:36:13Z

Import OpenBSD's syncookie support for pf. This feature help pf resist TCP SYN floods by only creating states once the remote host completes the TCP handshake rather than when the initial SYN packet is received. This is accomplished by using the initial sequence numbers to encode a cookie (hence the name) in the SYN+ACK response and verifying this on receipt of the client ACK. Reviewed by: kbowling Obtained from: OpenBSD MFC after: 1 week Sponsored by: Modirum MDPay Differential Revision: https://reviews.freebsd.org/D31138

pf: Introduce nvlist variant of DIOCADDRULE

2021-04-10T09:16:00Z

This will make future extensions of the API much easier. The intent is to remove support for DIOCADDRULE in FreeBSD 14. Reviewed by: markj (previous version), glebius (previous version) MFC after: 4 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D29557

Add a missing include of opt_sctp.h.

2019-10-12T23:01:16Z

MFC after: 1 week Sponsored by: The FreeBSD Foundation

sys/modules: normalize .CURDIR-relative paths to SRCTOP

2017-03-04T10:10:17Z

This simplifies make output/logic Tested with: `cd sys/modules; make ALL_MODULES=` on amd64 MFC after: 1 month Sponsored by: Dell EMC Isilon