<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/sys/net/pfil.h, branch releng/14.3</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=releng%2F14.3</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=releng%2F14.3'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2023-08-16T17:54:24Z</updated>
<entry>
<title>sys: Remove $FreeBSD$: one-line .c comment pattern</title>
<updated>2023-08-16T17:54:24Z</updated>
<author>
<name>Warner Losh</name>
<email>imp@FreeBSD.org</email>
</author>
<published>2023-08-16T17:54:24Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=71625ec9ad2a9bc8c09784fbd23b759830e0ee5f'/>
<id>urn:sha1:71625ec9ad2a9bc8c09784fbd23b759830e0ee5f</id>
<content type='text'>
Remove /^/[*/]\s*\$FreeBSD\$.*\n/
</content>
</entry>
<entry>
<title>pf: distinguish forwarding and output cases for pf_refragment6()</title>
<updated>2023-03-16T09:59:04Z</updated>
<author>
<name>Kristof Provost</name>
<email>kp@FreeBSD.org</email>
</author>
<published>2023-03-12T17:34:42Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=b52b61c0b6b1cb309461060f53cd5b7f5c3bb4ed'/>
<id>urn:sha1:b52b61c0b6b1cb309461060f53cd5b7f5c3bb4ed</id>
<content type='text'>
Re-introduce PFIL_FWD, because pf's pf_refragment6() needs to know if
we're ip6_forward()-ing or ip6_output()-ing.

ip6_forward() relies on m-&gt;m_pkthdr.rcvif, at least for link-local
traffic (for in6_get_unicast_scopeid()). rcvif is not set for locally
generated traffic (e.g. from icmp6_reflect()), so we need to call the
correct output function.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D39061
</content>
</entry>
<entry>
<title>pfil: add pfil_mem_{in,out}() and retire pfil_run_hooks()</title>
<updated>2023-02-14T18:02:49Z</updated>
<author>
<name>Gleb Smirnoff</name>
<email>glebius@FreeBSD.org</email>
</author>
<published>2023-02-14T18:02:49Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=caf32b260ad46b17a4c1a8ce6383e37ac489f023'/>
<id>urn:sha1:caf32b260ad46b17a4c1a8ce6383e37ac489f023</id>
<content type='text'>
Commit 0b70e3e78b0 changed the original design of a single entry point
into pfil(9) chains providing separate functions for the filtering
points that always provide mbufs and know the direction of a flow.
The motivation was to reduce branching.  The logical continuation
would be to do the same for the filtering points that always provide
a memory pointer and retire the single entry point.

o Hooks now provide two functions: one for mbufs and an optional one
  for memory pointers.
o pfil_hook_args() has a new member and pfil_add_hook() has a
  requirement to zero out uninitialized data. Bump PFIL_VERSION.
o As it was before, a hook function for a memory pointer may realloc
  into an mbuf.  Such an mbuf is returned via a pointer that must
  be provided as an argument.
o The only hook that supports memory pointers is ipfw:default-link.
  It is rewritten to provide two functions.
o All remaining uses of pfil_run_hooks() are converted to
  pfil_mem_in().
o Transparent union of pfil_packet_t and tricks to fix pointer
  alignment are retired. Internal pfil_realloc() reduces down to
  m_devget() and thus is retired, too.

Reviewed by:		mjg, ocochard
Differential revision:	https://reviews.freebsd.org/D37977
</content>
</entry>
<entry>
<title>net: add pfil_mbuf_{in,out}</title>
<updated>2022-09-08T16:20:43Z</updated>
<author>
<name>Mateusz Guzik</name>
<email>mjg@FreeBSD.org</email>
</author>
<published>2022-09-02T16:23:54Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=0b70e3e78b0279c66be06dea27bcdaf5eadf663d'/>
<id>urn:sha1:0b70e3e78b0279c66be06dea27bcdaf5eadf663d</id>
<content type='text'>
This shaves a lot of branching due to MEMPTR flag.

Reviewed by:	glebius
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D36454
</content>
</entry>
<entry>
<title>net: retire PFIL_FWD</title>
<updated>2022-09-07T10:04:31Z</updated>
<author>
<name>Mateusz Guzik</name>
<email>mjg@FreeBSD.org</email>
</author>
<published>2022-09-02T16:37:55Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=14c9a2dbfbb081c59d091001b7ddf75eef00da07'/>
<id>urn:sha1:14c9a2dbfbb081c59d091001b7ddf75eef00da07</id>
<content type='text'>
It is now unused and not having it allows further clean ups.

Reviewed by:	cy, glebius, kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D36452
</content>
</entry>
<entry>
<title>Most Ethernet drivers that potentially can run a pfil(9) hook with</title>
<updated>2019-03-10T17:20:09Z</updated>
<author>
<name>Gleb Smirnoff</name>
<email>glebius@FreeBSD.org</email>
</author>
<published>2019-03-10T17:20:09Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=c93410229ceb75d52da41e681f70f352141b7d97'/>
<id>urn:sha1:c93410229ceb75d52da41e681f70f352141b7d97</id>
<content type='text'>
PFIL_MEMPTR flag are intentionally providing a memory address that
isn't aligned to pointer alignment. This is done to align an IPv4
or IPv6 header that is expected to follow Ethernet header.

When we return PFIL_REALLOCED we store a pointer to the allocated mbuf
at this address. With this change the KPI changes to store the pointer
at an aligned address, which usually yields +2 bytes.

Provide two inlines:

pfil_packet_align() to get aligned pfil_packet_t for a misaligned one
pfil_mem2mbuf() to read out mbuf pointer from misaligned pfil_packet_t

Provide function pfil_realloc(), not used yet, that would convert a
memory pfil_packet_t to an mbuf one.

Reported by:	hps
Reviewed by:	hps, gallatin
</content>
</entry>
<entry>
<title>New pfil(9) KPI together with newborn pfil API and control utility.</title>
<updated>2019-01-31T23:01:03Z</updated>
<author>
<name>Gleb Smirnoff</name>
<email>glebius@FreeBSD.org</email>
</author>
<published>2019-01-31T23:01:03Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=b252313f0b3a4659c02e61d3a0bba471c89bcfa9'/>
<id>urn:sha1:b252313f0b3a4659c02e61d3a0bba471c89bcfa9</id>
<content type='text'>
The KPI has been reviewed and cleansed of features that were planned
back 20 years ago and never implemented.  The pfil(9) internals have
been made opaque to protocols, with only returned types and function
declarations exposed. The KPI is made more strict, but at the same time
more extensible, as the kernel uses the same command structures that the
userland ioctl uses.

In a nutshell, the [KA]PI is about declaring filtering points, declaring
filters and linking and unlinking them together.

The new [KA]PI makes it possible to reconfigure the pfil(9) configuration:
change the order of hooks, rehook a filter from one filtering point to a
different one, disconnect a hook on output leaving it on input only,
prepend/append a filter to an existing list of filters.

Now it is possible for a single packet filter to provide multiple rulesets
that may be linked to different points. Think of per-interface ACLs in
Cisco or Juniper. None of the existing packet filters yet support that,
however limited usage is already possible, e.g. the default ruleset can
be moved to a single interface, as soon as interfaces provide their
filtering points.

Another future feature is the possibility to create pfil heads that provide
not an mbuf pointer but just a memory pointer with a length. That would
allow filtering at very early stages of a packet's lifecycle, e.g. when a
packet has just been received by a NIC and no mbuf has yet been allocated.

Differential Revision:	https://reviews.freebsd.org/D18951
</content>
</entry>
<entry>
<title>Revert r316461: Remove "IPFW static rules" rmlock, and use pfil's global lock.</title>
<updated>2019-01-31T21:04:50Z</updated>
<author>
<name>Gleb Smirnoff</name>
<email>glebius@FreeBSD.org</email>
</author>
<published>2019-01-31T21:04:50Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=f712b16127bdd9ff7c8f4d6c0d6a8b31fbbe32d5'/>
<id>urn:sha1:f712b16127bdd9ff7c8f4d6c0d6a8b31fbbe32d5</id>
<content type='text'>
The pfil(9) system is about to be converted to epoch(9) synchronization, so
we need to [temporarily] go back to ipfw internal locking.

Discussed with:	ae
</content>
</entry>
<entry>
<title>netpfil: Introduce PFIL_FWD flag</title>
<updated>2018-03-23T16:56:44Z</updated>
<author>
<name>Kristof Provost</name>
<email>kp@FreeBSD.org</email>
</author>
<published>2018-03-23T16:56:44Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=effaab8861d675090f859b6e49d75381ec3ba6ca'/>
<id>urn:sha1:effaab8861d675090f859b6e49d75381ec3ba6ca</id>
<content type='text'>
Forwarded packets passed through PFIL_OUT, which made it difficult for
firewalls to figure out if they were forwarding or producing packets. This in
turn is an issue for pf for IPv6 fragment handling: it needs to call
ip6_output() or ip6_forward() to handle the fragments. Figuring out which was
difficult (and until now, incorrect).
Having pfil distinguish the two removes an ugly piece of code from pf.

Introduce a new variant of the netpfil callbacks with a flags variable, which
has PFIL_FWD set for forwarded packets. This allows pf to reliably work out if
a packet is forwarded.

Reviewed by:	ae, kevans
Differential Revision:	https://reviews.freebsd.org/D13715
</content>
</entry>
<entry>
<title>sys: general adoption of SPDX licensing ID tags.</title>
<updated>2017-11-27T15:23:17Z</updated>
<author>
<name>Pedro F. Giffuni</name>
<email>pfg@FreeBSD.org</email>
</author>
<published>2017-11-27T15:23:17Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=fe267a559009cbf34f9341666fe4d88a92c02d5e'/>
<id>urn:sha1:fe267a559009cbf34f9341666fe4d88a92c02d5e</id>
<content type='text'>
Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
supersede or replace the license texts.

No functional change intended.
</content>
</entry>
</feed>
