Date: Thu, 13 Feb 2025 12:39:06 GMT
Message-Id: <202502131239.51DCd6R6075621@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost Subject: git: 67c19da08f57 - main - pf: support negated matches on the rcvif List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 67c19da08f5788da53cec2764618b9a0dd97460f Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=67c19da08f5788da53cec2764618b9a0dd97460f commit 67c19da08f5788da53cec2764618b9a0dd97460f Author: Kristof Provost AuthorDate: 2025-02-10 16:30:50 +0000 Commit: Kristof Provost CommitDate: 2025-02-13 12:38:44 +0000 pf: support negated matches on the rcvif ok dlg benno Obtained from: OpenBSD, henning , 08c03b768d Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/net/pfvar.h | 1 + sys/netpfil/pf/pf.c | 3 ++- sys/netpfil/pf/pf_ioctl.c | 1 + sys/netpfil/pf/pf_nl.c | 2 ++ sys/netpfil/pf/pf_nl.h | 1 + 5 files changed, 7 insertions(+), 1 deletion(-) diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 88364aaa45ed..d973fe15a5c4 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -865,6 +865,7 @@ struct pf_krule { u_int8_t prio; u_int8_t set_prio[2]; sa_family_t naf; + u_int8_t rcvifnot; struct { struct pf_addr addr; diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 1b0eb6d6dd80..378be1e72d9a 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c 
@@ -5778,7 +5778,8 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, PF_TEST_ATTRIB(r->match_tag && !pf_match_tag(pd->m, r, &tag, pd->pf_mtag ? pd->pf_mtag->tag : 0), TAILQ_NEXT(r, entries)); - PF_TEST_ATTRIB(r->rcv_kif && !pf_match_rcvif(pd->m, r), + PF_TEST_ATTRIB((r->rcv_kif && pf_match_rcvif(pd->m, r) == + r->rcvifnot), TAILQ_NEXT(r, entries)); PF_TEST_ATTRIB((r->rule_flag & PFRULE_FRAGMENT && pd->virtual_proto != PF_VPROTO_FRAGMENT), diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index b8e9a078baf2..bea2cf1a5331 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -1316,6 +1316,7 @@ pf_hash_rule_rolling(MD5_CTX *ctx, struct pf_krule *rule) PF_MD5_UPD(rule, af); PF_MD5_UPD(rule, quick); PF_MD5_UPD(rule, ifnot); + PF_MD5_UPD(rule, rcvifnot); PF_MD5_UPD(rule, match_tag_not); PF_MD5_UPD(rule, natpass); PF_MD5_UPD(rule, keep_state); diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c index 97552880b9e3..4cdb16d1fbba 100644 --- a/sys/netpfil/pf/pf_nl.c +++ b/sys/netpfil/pf/pf_nl.c @@ -737,6 +737,7 @@ static const struct nlattr_parser nla_p_rule[] = { { .type = PF_RT_RPOOL_NAT, .off = _OUT(nat), .arg = &pool_parser, .cb = nlattr_get_nested }, { .type = PF_RT_NAF, .off = _OUT(naf), .cb = nlattr_get_uint8 }, { .type = PF_RT_RPOOL_RT, .off = _OUT(route), .arg = &pool_parser, .cb = nlattr_get_nested }, + { .type = PF_RT_RCV_IFNOT, .off = _OUT(rcvifnot), .cb = nlattr_get_bool }, }; NL_DECLARE_ATTR_PARSER(rule_parser, nla_p_rule); #undef _OUT @@ -940,6 +941,7 @@ pf_handle_getrule(struct nlmsghdr *hdr, struct nl_pstate *npt) nlattr_add_rule_uid(nw, PF_RT_GID, (const struct pf_rule_uid *)&rule->gid); nlattr_add_string(nw, PF_RT_RCV_IFNAME, rule->rcv_ifname); + nlattr_add_bool(nw, PF_RT_RCV_IFNOT, rule->rcvifnot); nlattr_add_u32(nw, PF_RT_RULE_FLAG, rule->rule_flag); nlattr_add_u8(nw, PF_RT_ACTION, rule->action); diff --git a/sys/netpfil/pf/pf_nl.h b/sys/netpfil/pf/pf_nl.h index a66ff5bc3f1e..4d9db08c8be2 100644 
--- a/sys/netpfil/pf/pf_nl.h +++ b/sys/netpfil/pf/pf_nl.h @@ -270,6 +270,7 @@ enum pf_rule_type_t { PF_RT_RPOOL_NAT = 75, /* nested, pf_rpool_type_t */ PF_RT_NAF = 76, /* u8 */ PF_RT_RPOOL_RT = 77, /* nested, pf_rpool_type_t */ + PF_RT_RCV_IFNOT = 78, /* bool */ }; enum pf_addrule_type_t {
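Review bot: in the pf_test_rule() hunk of sys/netpfil/pf/pf.c, the new test `pf_match_rcvif(pd->m, r) == r->rcvifnot` compares two truth values with `==`, which is only correct when both sides are strictly 0 or 1. rcvifnot is a u_int8_t, so unless the code that fills it guarantees 0/1, a value such as 2 would never compare equal to a match result of 1, and a negated rule would then match packets from the very interface it is meant to exclude. Consider normalising both operands, for example `!pf_match_rcvif(pd->m, r) == !r->rcvifnot`, and putting the parentheses around the comparison itself rather than around the whole expression, so the grouping against `r->rcv_kif &&` is explicit. Note also that with `r->rcv_kif` unset the test passes regardless of rcvifnot, so a negation flag without an interface is silently ignored; if that combination is invalid it would be better rejected when the rule is loaded.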
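Review bot: in the two sys/netpfil/pf/pf_nl.c hunks, rcvifnot is read with `nlattr_get_bool` and written with `nlattr_add_bool`, but sys/net/pfvar.h declares it as `u_int8_t rcvifnot;`. Either declare the field as bool or confirm that the bool callback stores exactly one byte at `_OUT(rcvifnot)` and only ever stores 0 or 1, since the comparison in pf_test_rule() depends on that. The neighbouring PF_RT_NAF entry pairs a u8 field with `nlattr_get_uint8`, so the mismatch here stands out.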
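Review bot: in the sys/netpfil/pf/pf_nl.h hunk, the comment on `PF_RT_RCV_IFNOT = 78` gives only the wire type (`/* bool */`) and does not say what the attribute means. A short note that it negates the match on PF_RT_RCV_IFNAME, and that it defaults to false when the attribute is absent, would document the behaviour for netlink consumers that do not send it. Appending the value at the end of enum pf_rule_type_t keeps the existing attribute numbers stable, which is the right choice.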
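Review bot: the diffstat lists five files, all under sys/, so this commit carries no regression test for the inverted receive-interface match. Because the pf_test_rule() change flips which packets a rule applies to, a test covering both the plain and the negated case on the same interface would catch a polarity mistake in the `== r->rcvifnot` comparison. The new `u_int8_t rcvifnot;` member in struct pf_krule would also benefit from a one-line comment stating that it inverts the rcv_kif match.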