From nobody Mon Feb 27 12:59:16 2023 X-Original-To: freebsd-pf@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4PQLDY0mvRz3v5QJ for ; Mon, 27 Feb 2023 12:59:25 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [IPv6:2607:f3e0:0:1::12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smarthost1.sentex.ca", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4PQLDX1R3mz4NZb for ; Mon, 27 Feb 2023 12:59:24 +0000 (UTC) (envelope-from mike@sentex.net) Authentication-Results: mx1.freebsd.org; dkim=none; spf=pass (mx1.freebsd.org: domain of mike@sentex.net designates 2607:f3e0:0:1::12 as permitted sender) smtp.mailfrom=mike@sentex.net; dmarc=none Received: from pyroxene2a.sentex.ca (pyroxene19.sentex.ca [199.212.134.19]) by smarthost1.sentex.ca (8.16.1/8.16.1) with ESMTPS id 31RCxGcX043527 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=FAIL); Mon, 27 Feb 2023 07:59:16 -0500 (EST) (envelope-from mike@sentex.net) Received: from [IPV6:2607:f3e0:0:4::29] ([IPv6:2607:f3e0:0:4:0:0:0:29]) by pyroxene2a.sentex.ca (8.16.1/8.15.2) with ESMTPS id 31RCxFZT056597 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Mon, 27 Feb 2023 07:59:15 -0500 (EST) (envelope-from mike@sentex.net) Content-Type: multipart/alternative; boundary="------------BRI7kI1uN6GUPTt1iPuK1h4w" Message-ID: <2a307fdd-e8de-7949-9f67-01b5833d6c3c@sentex.net> Date: Mon, 27 Feb 2023 07:59:16 -0500 List-Id: Technical discussion and general questions about packet filter (pf) List-Archive: https://lists.freebsd.org/archives/freebsd-pf List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-pf@freebsd.org X-BeenThere: 
freebsd-pf@freebsd.org MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.8.0 Subject: Re: Where did "from <__automatic_43ce223_0> come from? Content-Language: en-US To: Dave Horsfall Cc: FreeBSD PF List References: <502D8886-DC95-4BC0-8681-7D117A430825@FreeBSD.org> From: mike tancsa In-Reply-To: <502D8886-DC95-4BC0-8681-7D117A430825@FreeBSD.org> X-Scanned-By: MIMEDefang 2.84 X-Spamd-Result: default: False [-2.40 / 15.00]; NEURAL_HAM_SHORT(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-1.000]; SUBJECT_ENDS_QUESTION(1.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_SPF_ALLOW(-0.20)[+ip6:2607:f3e0::/32]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; RCVD_IN_DNSWL_LOW(-0.10)[199.212.134.19:received]; MLMMJ_DEST(0.00)[freebsd-pf@freebsd.org]; R_DKIM_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; ASN(0.00)[asn:11647, ipnet:2607:f3e0::/32, country:CA]; MIME_TRACE(0.00)[0:+,1:+,2:~]; RCPT_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_TLS_ALL(0.00)[]; FREEFALL_USER(0.00)[mike]; ARC_NA(0.00)[]; TO_DN_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; DMARC_NA(0.00)[sentex.net]; MID_RHS_MATCH_FROM(0.00)[] X-Rspamd-Queue-Id: 4PQLDX1R3mz4NZb X-Spamd-Bar: -- X-ThisMailContainsUnwantedMimeParts: N This is a multi-part message in MIME format. 
On 2/25/2023 3:22 PM, Kristof Provost wrote:
> On 26 Feb 2023, at 9:09, Dave Horsfall wrote:
>> FreeBSD aneurin.horsfall.org 10.4-RELEASE-p13 FreeBSD 10.4-RELEASE-p13 #0: Thu Sep 27 09:21:23 UTC 2018 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>>
>> (Yeah, I'll update soon, when I find a newer box)
>>
>> Seen in my daily security run output:
>>
>> +block drop in quick inet from <__automatic_43ce223_0> to any [ Evaluations: 7333 Packets: 4 Bytes: 240 States: 0 ]
>>
>> Obviously something created automatically (I don't have anything faintly
>> resembling that in my pf.conf), but how?
>

It can also show up if you use 'self', e.g.

block log quick from self to <rejects>
block log quick from <rejects> to self

and then view the rules with pfctl -sr; it shows up as

block drop log quick inet from <__automatic_d351946e_2> to <rejects>
block drop log quick inet from <rejects> to <__automatic_d351946e_3>

    ---Mike

>  set ruleset-optimization
>        none      Disable the ruleset optimizer.
>        basic     Enable basic ruleset optimization.  This is the default
>                  behaviour.  Basic ruleset optimization does four things to
>                  improve the performance of ruleset evaluations:
>
>                  1.   remove duplicate rules
>                  2.   remove rules that are a subset of another rule
>                  3.   combine multiple rules into a table when advantageous
>                  4.   re-order the rules to improve evaluation performance
>
>        profile   Uses the currently loaded ruleset as a feedback profile to
>                  tailor the ordering of quick rules to actual network
>                  traffic.
>
>        It is important to note that the ruleset optimizer will modify the
>        ruleset to improve performance.  A side effect of the ruleset
>        modification is that per-rule accounting statistics will have
>        different meanings than before.  If per-rule accounting is important
>        for billing purposes or whatnot, either the ruleset optimizer should
>        not be used or a label field should be added to all of the accounting
>        rules to act as optimization barriers.
>
>        Optimization can also be set as a command-line argument to pfctl(8),
>        overriding the settings in pf.conf.
>
> That’d be case 3.
>
> Kristof
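As an added example (not code from Mike's or Kristof's messages): a small POSIX shell helper that turns an unexplained __automatic_* table in the daily security report into something reviewable, by mapping each optimizer-generated table back to the rules in pfctl -sr output that reference it. The sample rules are constructed for this example from the ones quoted above (the table names are copied from the thread; the final pass rule is made up), and the table-name pattern it matches is an assumption about current pfctl output.

```shell
#!/bin/sh
# Added example, not code from the thread: explain the "__automatic_*" tables
# that pfctl's ruleset optimizer generates, by mapping each one back to the
# rules that reference it. Input is "pfctl -sr" output (one rule per line).
# With --live it reads the running ruleset and also dumps each table's
# members; without it, it runs on the constructed sample below, which is
# modelled on the rules quoted in the thread (the table names are copied
# from there, the last rule is made up).

SAMPLE_RULES='block drop in quick inet from <__automatic_43ce223_0> to any
block drop log quick inet from <__automatic_d351946e_2> to <rejects>
block drop log quick inet from <rejects> to <__automatic_d351946e_3>
pass in quick on em0 proto tcp from any to any port = 22 flags S/SA keep state'

# Unique optimizer-generated table names referenced by the rules on stdin.
# The naming pattern (hex id, underscore, sequence number) is what pfctl
# printed in the thread; treat it as an assumption about current pfctl output.
automatic_tables() {
    grep -o '<__automatic_[0-9a-f]*_[0-9]*>' | tr -d '<>' | sort -u
}

# Rules on stdin that reference the table named in $1.
rules_using() {
    grep -F "<$1>"
}

# For each automatic table in the rule text $1, print the rules that use it
# and, in live mode ($2 = --live), its current members via pfctl -T show.
explain() {
    rules="$1"
    live="${2:-}"
    printf '%s\n' "$rules" | automatic_tables | while read -r t; do
        echo "== $t: created by the ruleset optimizer, not by pf.conf =="
        printf '%s\n' "$rules" | rules_using "$t"
        if [ "$live" = "--live" ]; then
            echo "-- members:"
            pfctl -t "$t" -T show
        fi
    done
}

if [ "${1:-}" = "--live" ]; then
    explain "$(pfctl -sr)" --live
else
    explain "$SAMPLE_RULES"
fi
```

Run it as root with --live on the firewall itself. Two caveats follow from the pf.conf(5) text Kristof quoted: a table such as __automatic_43ce223_0 appearing in the security run diff means the loaded ruleset no longer matches pf.conf line for line (review the table members, not just the rule), and the counters on a merged rule no longer mean what they did. If a rule's statistics matter, give it a label, which the optimizer treats as a barrier, or reload with pfctl -o none -f /etc/pf.conf to switch the optimizer off and compare the two pfctl -sr listings.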
--------------BRI7kI1uN6GUPTt1iPuK1h4w-- From nobody Thu Apr 6 14:21:44 2023 X-Original-To: freebsd-pf@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4PskG449lHz44QCb; Thu, 6 Apr 2023 14:21:48 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4PskG427bkz4Q4Z; Thu, 6 Apr 2023 14:21:47 +0000 (UTC) (envelope-from kp@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1680790908; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=00XNjHtCfllRvbaVyN0lRkV2jjTgZnyQjcOOEC5mnss=; b=gJT1ULcmXREo2sAnoK4mwXwR96b+evfkhGc7XYn8bEszM2wIRETP1RbdbeOqd8tzGED2r7 R6jzc749TMAhifgUNW60fLJXSxosMYPcDupQrWfW2PMTvXwvxwrHJUHISGVScawOOSAR1z elS/drXGNiAuwhevgVRQUWsThBzVVMJdERJ+KfFLdn46vsrbKpvPag8p8HGslPhXWiGV8e 7/Wuh7T1YJrmsPQagK2DXpoYC8xeltG/4p6zdWgZEOpiAcUXsI8u2B2W6y7Usr8I+xupkF avY8EDRgnS4con60ZGcWXPyQ4QSb61T5TDlMe7y56HDXmaWSxmfy/s1Ma6DIXg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1680790908; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=00XNjHtCfllRvbaVyN0lRkV2jjTgZnyQjcOOEC5mnss=; b=nZptRWC/fWJDEyezf7IPq3kidlFPVDZ+QpDQ7hhJZUUM90boAvisZRs4mxHCVSagiY0j1+ GepY01vfggGtlzJ1ZA3kHj8WmnpzeGX860xCMqZt8raykVYYK3JoLH4Dr87ycoOX9QzFQK 
YZqaseOlqehfdXjrJmKd3RkPXBWQh4eu/RVIdo4JTFqDG4wQG1sD1rLdAlTP3HIMtzQg6D dzFAEtJ/pHdEgHtDcVwherNcF0eThjtqLnNj7Yqpm/ZQ7VBEvRLSNQQWzo+MC94u2jIiyh HxSBLZAKfShoaA1GMV/BNkYAXykFimYD3swI77PxAkga5/cJBgfJC3dFz37cfg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1680790908; a=rsa-sha256; cv=none; b=cGCDxF3Nlpz+YlVQ+zPf9YAWkrBA3bprRAdH3itE/qx7aXfsAvJHMr1cPITq9Dna+u0Ovr oB0dtwErl+F06vgqC2PKBN96U4R5xbk2TKxHDMI6ohCy6JIKGRQwXwiKHhMc57kaGLN9sC GZ0il/w+wYDxLBhHftFbO9AuPUmGcY1g64rHt1tz8d6GoaIilD/kI52kgxBoHwFx489KeF 9ysQBRp8F5nSPPQRcIEU8mmoNLT2Yfk5rHeBVi2BNeaYgTaVknJBG5T1PZWwQ1qYho1Wuo nzoWNNlTnXilutTxEzctZZmiERyaaTKV7LlAKuGG+XYT6wXAYJapy7dIr/NiYw== Received: from venus.codepro.be (venus.codepro.be [5.9.86.228]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "mx1.codepro.be", Issuer "R3" (verified OK)) (Authenticated sender: kp) by smtp.freebsd.org (Postfix) with ESMTPSA id 4PskG34k91zdKT; Thu, 6 Apr 2023 14:21:47 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: by venus.codepro.be (Postfix, authenticated sender kp) id 17FC925428; Thu, 6 Apr 2023 16:21:46 +0200 (CEST) 
From: Kristof Provost To: FreeBSD PF List , FreeBSD Ports ML Subject: pf userspace API changes Date: Thu, 06 Apr 2023 16:21:44 +0200 X-Mailer: MailMate (1.14r5937) Message-ID: <0E45DD6F-81E3-45DB-9FB2-E47B8F26FD00@FreeBSD.org> List-Id: Technical discussion and general questions about packet filter (pf) List-Archive: https://lists.freebsd.org/archives/freebsd-pf List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="=_MailMate_778328E2-0F61-4D1F-9B96-3408223FC9DB_=" Content-Transfer-Encoding: 8bit X-ThisMailContainsUnwantedMimeParts: N

Hi,

Quick heads up that there are going to be breaking changes to the pf API towards userspace for 14.0. (That is, the ioctl interface presented by /dev/pf).

I’ve been rewriting several types of calls to start using nvlists, because otherwise it’s basically unmanageable to extend calls (which we pretty much have to do to add new features).
The old struct-based ioctls have been left in place so far, but as that’s a substantial amount of (now untested!) code I’m very keen to be able to remove.

To be very explicit: removal of old ioctls will only ever affect new major versions. That is, 14.0 at the earliest. I will not break stable/12 or stable/13 or 13.2 or …

The initial breaking change is https://reviews.freebsd.org/D30056. That removes DIOCCLRSTATES and DIOCKILLSTATES, which are now DIOCCLRSTATESNV and DIOCKILLSTATESNV, based on nvlists.

To make that all easier for userspace to manage there’s libpfctl, which wraps all of the API details. That port will be available for all supported platforms (when https://reviews.freebsd.org/D39360 lands, soon).

There are likely to be more changes in the future, so I’d strongly encourage all API users to migrate to using libpfctl rather than trying to roll their own implementations.

Here’s an example of how security/snortsam needed to be changed to cope with the above:

commit 1136cf1ef66dc93397455818dfce0794d4e65170 (HEAD -> freebsd_current/libpfctl)
Author: Kristof Provost <kp@FreeBSD.org>
Date:   Sun Apr 2 07:01:06 2023 +0200

    security/snortsam: use libpfctl

    FreeBSD main will remove DIOCKILLSTATES soon. We can use libpfctl to
    accomplish the same task though.

    Sponsored by:   Rubicon Communications, LLC ("Netgate")

diff --git a/security/snortsam/Makefile b/security/snortsam/Makefile
index fbd106774..18ad44448 100644
--- a/security/snortsam/Makefile
+++ b/security/snortsam/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=      snortsam
 PORTVERSION=   2.70
-PORTREVISION=  1
+PORTREVISION=  2
 CATEGORIES=    security
 MASTER_SITES=  http://www.snortsam.net/files/snortsam/
 DISTNAME=      ${PORTNAME}-src-${PORTVERSION}
@@ -16,6 +16,8 @@ SAMTOOL_DESC= install samtool

 .include <bsd.port.pre.mk>

+LIB_DEPENDS=   libpfctl.so:net/libpfctl
+
 USE_RC_SUBR=   snortsam
 SUB_FILES=     pkg-message \
                pkg-install
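Review bot: LIB_DEPENDS is added below `.include <bsd.port.pre.mk>` although nothing makes it conditional; unconditional dependency variables normally sit with the rest of the port metadata above the pre.mk include, so move `LIB_DEPENDS=   libpfctl.so:net/libpfctl` up unless an OSVERSION test is intended here, in which case the condition is missing (and the mail says net/libpfctl will exist for all supported platforms, so it would not be needed anyway).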
diff --git a/security/snortsam/files/patch-src_Makefile b/security/snortsam/files/patch-src_Makefile
new file mode 100644
index 000000000..59936d3d1
--- /dev/null
+++ b/security/snortsam/files/patch-src_Makefile
@@ -0,0 +1,12 @@
+--- src/Makefile.orig  2010-03-29 20:57:55 UTC
++++ src/Makefile
+@@ -36,9 +36,9 @@ SAMTOOL = samtool
+ PROG    = snortsam
+ SAMTOOL = samtool
+-CFLAGS  = -O2 -D$(SYSTYPE) $(DEBUG)
+-LDFLAGS =
++CFLAGS  = -O2 -D$(SYSTYPE) $(DEBUG) -I/usr/local/include
++LDFLAGS = -L/usr/local/lib -lpfctl
+ SYSTYPE = `uname`
+
+ # OS specific flags
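Review bot: the new `CFLAGS  = ... -I/usr/local/include` and `LDFLAGS = -L/usr/local/lib -lpfctl` lines hardcode /usr/local inside a patch to the upstream Makefile; a port should use ${LOCALBASE} instead, either by substituting it in post-patch with ${REINPLACE_CMD} or by leaving the upstream file alone and supplying `-I${LOCALBASE}/include` and `-L${LOCALBASE}/lib -lpfctl` from the port Makefile. Note also that the upstream file assigns CFLAGS and LDFLAGS with a plain `=`, so anything the ports framework passes in the environment is discarded unless make runs with -e; that is worth checking before relying on the port's own CFLAGS.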
diff --git a/security/snortsam/files/patch-src__ssp_pf2.c b/security/snortsam/files/patch-src__ssp_pf2.c
index 81ce7d93e..00327f19c 100644
--- a/security/snortsam/files/patch-src__ssp_pf2.c
+++ b/security/snortsam/files/patch-src__ssp_pf2.c
@@ -1,6 +1,14 @@
---- ./src/ssp_pf2.c.orig       2009-11-27 02:39:40.000000000 +0100
-+++ ./src/ssp_pf2.c    2014-01-20 19:03:47.000000000 +0100
-@@ -95,7 +95,7 @@
+--- src/ssp_pf2.c.orig 2009-11-27 01:39:40 UTC
++++ src/ssp_pf2.c
+@@ -48,6 +48,7 @@
+
+ #include "snortsam.h"
+ #include "ssp_pf2.h"
++#include <libpfctl.h>
+
+ unsigned int PF2use_anchor = TRUE;
+ unsigned int PF2val_count = 0;
+@@ -95,7 +96,7 @@ int parse_opts(char *line, opt_pf2 *opt, char *sep, ch
          }
       }

@@ -9,3 +17,79 @@
  }


+@@ -393,20 +394,21 @@ pf2_kill_states(int pfdev, const char *ipsrc, int tin,
+ {
+     char   msg[STRBUFSIZE + 2];
+     struct pf_addr pfa;
+-    struct pfioc_state_kill psk;
++    struct pfctl_kill k;
+     sa_family_t saf;        /* stafe AF_INET family */
+     unsigned long killed=0, killed_src=0, killed_dst=0;
++    unsigned int kcount;
+
+     bzero(&pfa, sizeof(pfa));
+-    bzero(&psk, sizeof(psk));
++    bzero(&k, sizeof(k));
+
+     if (ipsrc == NULL || !ipsrc[0])
+       return (-1);
+
+     if (inet_pton(AF_INET, ipsrc, &pfa.v4) == 1)
+-          psk.psk_af = saf = AF_INET;
++          k.af = AF_INET;
+     else if (inet_pton(AF_INET6, ipsrc, &pfa.v6) == 1)
+-          psk.psk_af = saf = AF_INET6;
++          k.af = AF_INET6;
+     else {
+       snprintf(msg, sizeof(msg) - 1, "invalid ipsrc");
+       logmessage(3, msg, "pf2", 0);
+@@ -415,40 +417,31 @@ pf2_kill_states(int pfdev, const char *ipsrc, int tin,
+
+     /* Kill all states from pfa */
+     if (tin || PF2_KILL_STATE_ALL) {
+-      memcpy(&psk.psk_src.addr.v.a.addr, &pfa, sizeof(psk.psk_src.addr.v.a.addr));
+-      memset(&psk.psk_src.addr.v.a.mask, 0xff, sizeof(psk.psk_src.addr.v.a.mask));
+-      if (ioctl(pfdev, DIOCKILLSTATES, &psk)) {
++      memcpy(&k.src.addr.v.a.addr, &pfa, sizeof(k.src.addr.v.a.addr));
++      memset(&k.src.addr.v.a.mask, 0xff, sizeof(k.src.addr.v.a.mask));
++      if (pfctl_kill_states(pfdev, &k, &kcount)) {
+           snprintf(msg, sizeof(msg) - 1, "Error: DIOCKILLSTATES failed (%s)", strerror(errno));
+           logmessage(1, msg, "pf2", 0);
+       }
+       else {
+-#if OpenBSD >= 200811 /* since OpenBSD4_4 killed states returned in psk_killed */
+-          killed_src += psk.psk_killed;
+-#else
+-          killed_src += psk.psk_af;
+-#endif
++          killed_src += kcount;
+ #ifdef FWSAMDEBUG
+           printf("Debug: [pf2] killed %lu (tin) states for host %s\n", killed_src, ipsrc);
+ #endif
+       }
+-    psk.psk_af = saf; /* restore AF_INET */
+     }
+
+     /* Kill all states to pfa */
+     if (tout || PF2_KILL_STATE_ALL) {
+-      bzero(&psk.psk_src, sizeof(psk.psk_src));  /* clear source address field (set before for incomming) */
+-      memcpy(&psk.psk_dst.addr.v.a.addr, &pfa, sizeof(psk.psk_dst.addr.v.a.addr));
+-      memset(&psk.psk_dst.addr.v.a.mask, 0xff, sizeof(psk.psk_dst.addr.v.a.mask));
+-      if (ioctl(pfdev, DIOCKILLSTATES, &psk)) {
++      bzero(&k.src, sizeof(k.src));  /* clear source address field (set before for incomming) */
++      memcpy(&k.dst.addr.v.a.addr, &pfa, sizeof(k.dst.addr.v.a.addr));
++      memset(&k.dst.addr.v.a.mask, 0xff, sizeof(k.dst.addr.v.a.mask));
++      if (pfctl_kill_states(pfdev, &k, &kcount)) {
+           snprintf(msg, sizeof(msg) - 1, "Error: DIOCKILLSTATES failed (%s)", strerror(errno));
+           logmessage(1, msg, "pf2", 0);
+       }
+       else {
+-#if OpenBSD >= 200811 /* since OpenBSD4_4 killed states returned in psk_killed */
+-          killed_dst += psk.psk_killed;
+-#else
+-          killed_dst += psk.psk_af;
+-#endif
++          killed_dst += kcount;
+ #ifdef FWSAMDEBUG
+           printf("Debug: [pf2] killed %lu (tout) states for host %s\n", killed_dst, ipsrc);
+ #endif
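Review bot: `sa_family_t saf;` is left declared but now dead in pf2_kill_states(): the two assignments `psk.psk_af = saf = AF_INET;` / `... = AF_INET6;` became `k.af = AF_INET;` / `k.af = AF_INET6;`, and its only consumer, `psk.psk_af = saf; /* restore AF_INET */`, is removed (it existed because the old ioctl overwrote psk_af with the kill count), so the declaration should go too or the build will warn about an unused variable. Two smaller points in the same region: both failure branches still log "Error: DIOCKILLSTATES failed (%s)" although the call is now pfctl_kill_states(), so the message text should follow the call; and they format strerror(errno), which is only right if libpfctl leaves errno set on failure, so check the function's return-value contract and report that value if it returns the error number instead.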

Tl;dr If you maintain a port that uses /dev/pf you’re going to have to start using net/libpfctl.

Best regards,
Kristof