From: "Kristof Provost"
To: "FreeBSD pf"
Cc: freebsd-arch@freebsd.org
Subject: [RFC] pf ioctl changes
Date: Sat, 27 Mar 2021 12:54:28 +0100
Message-ID: <24E09373-EBCD-4ED1-8B59-A44E687F287E@FreeBSD.org>

Hi,

There are several patches in the pipeline that require changes in pf’s interface between kernel and userspace. In the past these have been handled in multiple ways: either by simply making the change, breaking binary compatibility, or by introducing a v2 ioctl (e.g. DIOCADDALTQV1). While one is better than the other, neither is wholly satisfying. New versions of calls constitute a maintenance burden after all.

I’d like to change the ioctl interface to use nvlists, which would make such extensions much easier, because fields can be optional. That is, if userspace doesn’t supply the ‘shinynewfeature’ field the kernel can assume the default value and things just work. Similarly, if the kernel supplies a ‘shinynewfeature’ which userspace doesn’t know about it’s simply ignored.

The rough plan is to introduce nvlist versions of the get/add rules calls for now. Others will follow as the need presents itself.

As these are new ioctls it is safe to MFC them to stable/12 and stable/13. The old interface will remain supported in those branches, but I’d like to remove it from main (and thus FreeBSD 14).

As part of this effort I may end up splitting off the ioctl interface code from pfctl into libpfctl, which should make reuse of that code easier.

I hope to post preliminary patches in the coming week.

Thoughts? Objections?

Best regards,
Kristof
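The optional-field property the proposal relies on, as an added example that is not from the email or from pf/libnv: a toy "key=value;" encoding stands in for libnv, the field name shinynewfeature is the hypothetical one from the mail, and the rule values are constructed. It shows both directions, a v1 reader ignoring a field it does not know and a v2 reader defaulting a field the sender omitted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for FreeBSD's libnv: a message is a string of "key=value;"
 * entries. Real nvlists are binary and typed; this keeps only the property the
 * proposal relies on: fields are looked up by name, so an absent field gets a
 * default and a field the reader does not know is never touched. */
#define MSG_MAX 256

/* Append one named number; returns 0, or -1 if the message buffer is full. */
static int msg_add_number(char *msg, const char *key, unsigned long val)
{
	size_t used = strlen(msg);
	int n = snprintf(msg + used, MSG_MAX - used, "%s=%lu;", key, val);
	if (n < 0 || (size_t)n >= MSG_MAX - used) {
		msg[used] = '\0';	/* undo the truncated write */
		return -1;
	}
	return 0;
}

/* Look up a named number; 'def' is returned when the sender did not send it. */
static unsigned long msg_get_number(const char *msg, const char *key, unsigned long def)
{
	size_t klen = strlen(key);
	for (const char *p = msg; *p != '\0'; ) {
		const char *end = strchr(p, ';');
		if (end == NULL)
			break;
		if (strncmp(p, key, klen) == 0 && p[klen] == '=')
			return strtoul(p + klen + 1, NULL, 10);
		p = end + 1;	/* some other field: skip it */
	}
	return def;
}

/* Build a rule message as a v1 sender would, or as a v2 sender that also emits
 * the hypothetical shinynewfeature field (constructed sample values). A v1
 * reader of the v2 message only asks for "action" and "proto"; a v2 reader of
 * the v1 message falls back to its default. No new ioctl number is needed. */
static const char *build_rule(int v2)
{
	static char msg[MSG_MAX];
	msg[0] = '\0';
	if (msg_add_number(msg, "action", 1) != 0 ||
	    msg_add_number(msg, "proto", 6) != 0 ||
	    (v2 && msg_add_number(msg, "shinynewfeature", 42) != 0))
		return NULL;	/* message did not fit */
	return msg;
}
```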