From: Kristof Provost <kp@FreeBSD.org>
To: FreeBSD PF List, FreeBSD Ports ML
Subject: Re: pf userspace API changes
Date: Mon, 28 Aug 2023 09:15:44 +0200
In-Reply-To: <0E45DD6F-81E3-45DB-9FB2-E47B8F26FD00@FreeBSD.org>
References: <0E45DD6F-81E3-45DB-9FB2-E47B8F26FD00@FreeBSD.org>
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

This is going to land soon, in 15. So 14 will keep the old ioctls, but they’ll disappear in 15.

Best regards,
Kristof

On 6 Apr 2023, at 16:21, Kristof Provost wrote:

Hi,

Quick heads up that there are going to be breaking changes to the pf API towards userspace for 14.0. (That is, the ioctl interface presented by /dev/pf).

I’ve been rewriting several types of calls to start using nvlists, because otherwise it’s basically unmanageable to extend calls (which we pretty much have to do to add new features).
The old struct-based ioctls have been left in place so far, but as that’s a substantial amount of (now untested!) code I’m very keen to be able to remove.

To be very explicit: removal of old ioctls will only ever affect new major versions. That is, 14.0 at the earliest. I will not break stable/12 or stable/13 or 13.2 or …

The initial breaking change is https://reviews.freebsd.org/D30056 . That removes DIOCCLRSTATES and DIOCKILLSTATES, which are now DIOCCLRSTATESNV and DIOCKILLSTATESNV, based on nvlists.

To make that all easier for userspace to manage there’s libpfctl, which wraps all of the API details. That port will be available for all supported platforms (when https://reviews.freebsd.org/D39360 lands, soon).

There are likely to be more changes in the future, so I’d strongly encourage all API users to migrate to using libpfctl rather than trying to roll their own implementations.

Here’s an example of how security/snortsam needed to be changed to cope with the above:

commit 1136cf1ef66dc93397455818dfce0794d4e65170 (HEAD -> freebsd_current/libpfctl)
Author: Kristof Provost <kp@FreeBSD.org>
Date:   Sun Apr 2 07:01:06 2023 +0200

    security/snortsam: use libpfctl

    FreeBSD main will remove DIOCKILLSTATES soon. We can use libpfctl to
    accomplish the same task though.

    Sponsored by:   Rubicon Communications, LLC ("Netgate")

diff --git a/security/snortsam/Makefile b/security/snortsam/Makefile
index fbd106774..18ad44448 100644
--- a/security/snortsam/Makefile
+++ b/security/snortsam/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=3D      snortsam
 PORTVERSION=3D   2.70
-PORTREVISION=3D  1
+PORTREVISION=3D  2
 CATEGORIES=3D    security
 MASTER_SITES=3D  http://www.snortsam.net/files/snortsam/
 DISTNAME=3D      ${PORTNAME}-src-${PORTVERSION}
@@ -16,6 +16,8 @@ SAMTOOL_DESC=3D install samtool

 .include <bsd.port.pre.mk>

+LIB_DEPENDS=3D   libpfctl.so:net/libpfctl
+
 USE_RC_SUBR=3D   snortsam
 SUB_FILES=3D     pkg-message \
                pkg-install
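Review bot: the new `LIB_DEPENDS= libpfctl.so:net/libpfctl` line is unconditional yet sits after `.include <bsd.port.pre.mk>`; the Porter's Handbook convention is to list dependency variables before the pre.mk include and to use the slot after it only for settings that need something pre.mk defines (OSVERSION tests and the like). Move the line up with the other top-level variables, or, if the intent is to add the dependency only on releases where net/libpfctl builds, wrap it in the OSVERSION condition that justifies its position.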
diff --git a/security/snortsam/files/patch-src_Makefile b/security/snortsam/files/patch-src_Makefile
new file mode 100644
index 000000000..59936d3d1
--- /dev/null
+++ b/security/snortsam/files/patch-src_Makefile
@@ -0,0 +1,12 @@
+--- src/Makefile.orig  2010-03-29 20:57:55 UTC
++++ src/Makefile
+@@ -36,9 +36,9 @@ SAMTOOL =3D samtool
+ PROG    =3D snortsam
+ SAMTOOL =3D samtool
+-CFLAGS  =3D -O2 -D$(SYSTYPE) $(DEBUG)
+-LDFLAGS =3D
++CFLAGS  =3D -O2 -D$(SYSTYPE) $(DEBUG) -I/usr/local/include
++LDFLAGS =3D -L/usr/local/lib -lpfctl
+ SYSTYPE =3D `uname`
+
+ # OS specific flags
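Review bot: the two patched lines hard-code `/usr/local` (`-I/usr/local/include`, `-L/usr/local/lib`), which a ports patch should not do since LOCALBASE can differ. Because the upstream Makefile assigns with `=`, it also discards the CFLAGS and LDFLAGS that bsd.port.mk exports to the build (the framework's hardening flags included); changing the lines to `CFLAGS += -O2 -D$(SYSTYPE) $(DEBUG)` and `LDFLAGS += -lpfctl` would let the port supply `-I${LOCALBASE}/include` and `-L${LOCALBASE}/lib` through those variables and keep only the library itself in the patch.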
diff --git a/security/snortsam/files/patch-src__ssp_pf2.c b/security/snortsam/files/patch-src__ssp_pf2.c
index 81ce7d93e..00327f19c 100644
--- a/security/snortsam/files/patch-src__ssp_pf2.c
+++ b/security/snortsam/files/patch-src__ssp_pf2.c
@@ -1,6 +1,14 @@
---- ./src/ssp_pf2.c.orig       2009-11-27 02:39:40.000000000 +0100
-+++ ./src/ssp_pf2.c    2014-01-20 19:03:47.000000000 +0100
-@@ -95,7 +95,7 @@
+--- src/ssp_pf2.c.orig 2009-11-27 01:39:40 UTC
++++ src/ssp_pf2.c
+@@ -48,6 +48,7 @@
+
+ #include "snortsam.h"
+ #include "ssp_pf2.h"
++#include <libpfctl.h>
+
+ unsigned int PF2use_anchor =3D TRUE;
+ unsigned int PF2val_count =3D 0;
+@@ -95,7 +96,7 @@ int parse_opts(char *line, opt_pf2 *opt, char *sep, ch=

          }
       }

@@ -9,3 +17,79 @@
  }


+@@ -393,20 +394,21 @@ pf2_kill_states(int pfdev, const char *ipsrc, int =
tin,
+ {
+     char   msg[STRBUFSIZE + 2];
+     struct pf_addr pfa;
+-    struct pfioc_state_kill psk;
++    struct pfctl_kill k;
+     sa_family_t saf;        /* stafe AF_INET family */
+     unsigned long killed=3D0, killed_src=3D0, killed_dst=3D0;
++    unsigned int kcount;
+
+     bzero(&pfa, sizeof(pfa));
+-    bzero(&psk, sizeof(psk));
++    bzero(&k, sizeof(k));
+
+     if (ipsrc =3D=3D NULL || !ipsrc[0])
+       return (-1);
+
+     if (inet_pton(AF_INET, ipsrc, &pfa.v4) =3D=3D 1)
+-          psk.psk_af =3D saf =3D AF_INET;
++          k.af =3D AF_INET;
+     else if (inet_pton(AF_INET6, ipsrc, &pfa.v6) =3D=3D 1)
+-          psk.psk_af =3D saf =3D AF_INET6;
++          k.af =3D AF_INET6;
+     else {
+       snprintf(msg, sizeof(msg) - 1, "invalid ipsrc");
+       logmessage(3, msg, "pf2", 0);
+@@ -415,40 +417,31 @@ pf2_kill_states(int pfdev, const char *ipsrc, int =
tin,
+
+     /* Kill all states from pfa */
+     if (tin || PF2_KILL_STATE_ALL) {
+-      memcpy(&psk.psk_src.addr.v.a.addr, &pfa, sizeof(psk.psk_s=
rc.addr.v.a.addr));
+-      memset(&psk.psk_src.addr.v.a.mask, 0xff, sizeof(psk.psk_src.a=
ddr.v.a.mask));
+-      if (ioctl(pfdev, DIOCKILLSTATES, &psk)) {
++      memcpy(&k.src.addr.v.a.addr, &pfa, sizeof(k.src.addr.v.a.=
addr));
++      memset(&k.src.addr.v.a.mask, 0xff, sizeof(k.src.addr.v.a.mask=
));
++      if (pfctl_kill_states(pfdev, &k, &kcount)) {
+           snprintf(msg, sizeof(msg) - 1, "Error: DIOCKILLSTATES fa=
iled (%s)", strerror(errno));
+           logmessage(1, msg, "pf2", 0);
+       }
+       else {
+-#if OpenBSD >=3D 200811 /* since OpenBSD4_4 killed states returned i=
n psk_killed */
+-          killed_src +=3D psk.psk_killed;
+-#else
+-          killed_src +=3D psk.psk_af;
+-#endif
++          killed_src +=3D kcount;
+ #ifdef FWSAMDEBUG
+           printf("Debug: [pf2] killed %lu (tin) states for host %s=
\n", killed_src, ipsrc);
+ #endif
+       }
+-    psk.psk_af =3D saf; /* restore AF_INET */
+     }
+
+     /* Kill all states to pfa */
+     if (tout || PF2_KILL_STATE_ALL) {
+-      bzero(&psk.psk_src, sizeof(psk.psk_src));  /* clear source ad=
dress field (set before for incomming) */
+-      memcpy(&psk.psk_dst.addr.v.a.addr, &pfa, sizeof(psk.psk_d=
st.addr.v.a.addr));
+-      memset(&psk.psk_dst.addr.v.a.mask, 0xff, sizeof(psk.psk_dst.a=
ddr.v.a.mask));
+-      if (ioctl(pfdev, DIOCKILLSTATES, &psk)) {
++      bzero(&k.src, sizeof(k.src));  /* clear source address field =
(set before for incomming) */
++      memcpy(&k.dst.addr.v.a.addr, &pfa, sizeof(k.dst.addr.v.a.=
addr));
++      memset(&k.dst.addr.v.a.mask, 0xff, sizeof(k.dst.addr.v.a.mask=
));
++      if (pfctl_kill_states(pfdev, &k, &kcount)) {
+           snprintf(msg, sizeof(msg) - 1, "Error: DIOCKILLSTATES fa=
iled (%s)", strerror(errno));
+           logmessage(1, msg, "pf2", 0);
+       }
+       else {
+-#if OpenBSD >=3D 200811 /* since OpenBSD4_4 killed states returned i=
n psk_killed */
+-          killed_dst +=3D psk.psk_killed;
+-#else
+-          killed_dst +=3D psk.psk_af;
+-#endif
++          killed_dst +=3D kcount;
+ #ifdef FWSAMDEBUG
+           printf("Debug: [pf2] killed %lu (tout) states for host %=
s\n", killed_dst, ipsrc);
+ #endif
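Review bot: `sa_family_t saf;` (the context line kept near the top of this hunk) is now dead: the assignments `psk.psk_af = saf = AF_INET` / `AF_INET6` and the later `psk.psk_af = saf; /* restore AF_INET */` are all removed, and with the count coming back in `kcount` nothing reads or writes `saf` any more, so drop the declaration unless it is referenced further down the function (otherwise it yields an unused-variable warning, fatal where the build uses -Werror). Second, both failure paths still log `"Error: DIOCKILLSTATES failed (%s)", strerror(errno)` after the call has become `pfctl_kill_states(pfdev, &k, &kcount)`; libpfctl hands back the error number as its return value rather than promising to leave it in errno, so capture it (`int ret = pfctl_kill_states(pfdev, &k, &kcount);`), pass `strerror(ret)`, and name pfctl_kill_states in the message. Dropping the `#if OpenBSD >= 200811` block together with the restore line is right: the restore only existed because the old OpenBSD path read the kill count back out of `psk_af`.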

Tl;dr If you maintain a port that uses /dev/pf you’re going to have to start using net/libpfctl.

Best regards,
Kristof
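A stand-alone program doing what the patched pf2_kill_states() does through libpfctl, added here as an example (it is not code from the mail or from snortsam): it kills every state from and to one host in either address family and takes the error code from the return value of pfctl_kill_states(). It assumes the net/libpfctl port is installed under /usr/local; the names kill_host_states and parse_host are this example's own.

```c
/*
 * kill_host_states.c: drop every pf state from and to one host through
 * libpfctl, the call the snortsam patch above migrates to. Added example,
 * not code from the mail or from snortsam; assumes the net/libpfctl port
 * is installed under /usr/local. Build on FreeBSD with:
 *   cc -I/usr/local/include kill_host_states.c -L/usr/local/lib -lpfctl
 * Address parsing is plain POSIX; the pf calls compile only on FreeBSD.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#ifdef __FreeBSD__
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <net/if.h>
#include <net/pfvar.h>
#include <libpfctl.h>
#endif

/*
 * Parse a literal IPv4 or IPv6 address. Returns the address family, or -1
 * for an empty string, a host name or a malformed literal. On success the
 * raw bytes are copied into raw[] and *len is 4 or 16.
 */
int
parse_host(const char *host, unsigned char raw[16], size_t *len)
{
	unsigned char buf[16];

	if (host == NULL || host[0] == '\0')
		return (-1);
	if (inet_pton(AF_INET, host, buf) == 1) {
		memcpy(raw, buf, 4);
		*len = 4;
		return (AF_INET);
	}
	if (inet_pton(AF_INET6, host, buf) == 1) {
		memcpy(raw, buf, 16);
		*len = 16;
		return (AF_INET6);
	}
	return (-1);
}

#ifdef __FreeBSD__
/*
 * Kill the states in one direction. A host mask (0xff over the address
 * length) on the chosen side selects exactly this address; the other side
 * stays zeroed, which pf matches as "any" (what snortsam's bzero() on
 * k.src achieves before its second call).
 */
static int
kill_one_direction(int dev, int af, const unsigned char *raw, size_t len,
    int to_host, unsigned int *killed)
{
	struct pfctl_kill k;

	memset(&k, 0, sizeof(k));
	k.af = af;
	if (to_host) {
		memcpy(&k.dst.addr.v.a.addr, raw, len);
		memset(&k.dst.addr.v.a.mask, 0xff, len);
	} else {
		memcpy(&k.src.addr.v.a.addr, raw, len);
		memset(&k.src.addr.v.a.mask, 0xff, len);
	}
	*killed = 0;
	/* pfctl_kill_states() returns 0 or an errno value; use that, not errno. */
	return (pfctl_kill_states(dev, &k, killed));
}

/* Kill states from and to host, reporting both counts. Returns 0 or errno. */
int
kill_host_states(const char *host, unsigned int *from, unsigned int *to)
{
	unsigned char raw[16];
	size_t len;
	int af, dev, ret;

	af = parse_host(host, raw, &len);
	if (af < 0)
		return (EINVAL);
	if ((dev = open("/dev/pf", O_RDWR)) < 0)
		return (errno);
	ret = kill_one_direction(dev, af, raw, len, 0, from);
	if (ret == 0)
		ret = kill_one_direction(dev, af, raw, len, 1, to);
	close(dev);
	return (ret);
}
#endif
```

On FreeBSD, wrap kill_host_states() in a main() that takes the address as its argument and runs as root; elsewhere only parse_host() compiles.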

From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 273207] pf_syncookie_mac for IPv6 random cause panic
Date: Thu, 07 Sep 2023 03:56:37 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.2-RELEASE

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273207

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@FreeBSD.org            |pf@FreeBSD.org

From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 273198] [14.0 CURRENT] PF recognizes encrypted IPSec traffic as coming from WAN. | NAT with IPsec Phase 2 Networks
Date: Thu, 07 Sep 2023 03:57:29 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273198

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@FreeBSD.org            |pf@FreeBSD.org
                 CC|pf@FreeBSD.org              |

From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 273618] [pf] Port redirects for packets received on loopback have bad checksums
Date: Thu, 07 Sep 2023 17:16:07 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.2-STABLE

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273618

Mina Galić changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@FreeBSD.org            |pf@FreeBSD.org
                 CC|                            |freebsd@igalic.co
             Status|New                         |Open