From nobody Mon Oct 23 16:41:46 2023
Date: Mon, 23 Oct 2023 16:41:46 GMT
Message-Id: <202310231641.39NGfkDD093713@gitrepo.freebsd.org>
From: Kristof Provost
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 4f33755051c6 - main - pf: allow states to be killed by their pre-NAT address
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@freebsd.org
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 4f33755051c60c6f65ba9f6aaa33d11e72909618
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=4f33755051c60c6f65ba9f6aaa33d11e72909618

commit 4f33755051c60c6f65ba9f6aaa33d11e72909618
Author:     Kristof Provost
AuthorDate: 2023-10-20 05:37:46 +0000
Commit:     Kristof Provost
CommitDate: 2023-10-23 14:37:05 +0000

    pf: allow states to be killed by their pre-NAT address

    If a connection is NAT-ed we could previously only terminate it by its
    ID or the post-NAT IP address. Allow users to specify they want to look
    for the state by its pre-NAT address.

    Usage: `pfctl -k nat -k
`. See also: https://redmine.pfsense.org/issues/11556 Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D42312 --- lib/libpfctl/libpfctl.c | 1 + lib/libpfctl/libpfctl.h | 1 + sbin/pfctl/pfctl.8 | 13 +++++++++---- sbin/pfctl/pfctl.c | 6 ++++++ sys/net/pfvar.h | 1 + sys/netpfil/pf/pf_ioctl.c | 6 +++--- sys/netpfil/pf/pf_nv.c | 3 +++ 7 files changed, 24 insertions(+), 7 deletions(-) diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c index 25bb77d9c021..0360c0c63be7 100644 --- a/lib/libpfctl/libpfctl.c +++ b/lib/libpfctl/libpfctl.c @@ -1468,6 +1468,7 @@ _pfctl_clear_states(int dev, const struct pfctl_kill *kill, nvlist_add_string(nvl, "ifname", kill->ifname); nvlist_add_string(nvl, "label", kill->label); nvlist_add_bool(nvl, "kill_match", kill->kill_match); + nvlist_add_bool(nvl, "nat", kill->nat); if ((ret = pfctl_do_ioctl(dev, ioctlval, 1024, &nvl)) != 0) return (ret); diff --git a/lib/libpfctl/libpfctl.h b/lib/libpfctl/libpfctl.h index ad6fde89771c..0b50cc054060 100644 --- a/lib/libpfctl/libpfctl.h +++ b/lib/libpfctl/libpfctl.h @@ -310,6 +310,7 @@ struct pfctl_kill { char ifname[IFNAMSIZ]; char label[PF_RULE_LABEL_SIZE]; bool kill_match; + bool nat; }; struct pfctl_state_peer { diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8 index 41eb2bea9f94..6c9a9f3b2ca4 100644 --- a/sbin/pfctl/pfctl.8 +++ b/sbin/pfctl/pfctl.8 @@ -24,7 +24,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd February 22, 2021 +.Dd October 20, 2023 .Dt PFCTL 8 .Os .Sh NAME @@ -43,7 +43,7 @@ .Op Fl K Ar host | network .Xo .Oo Fl k -.Ar host | network | label | id | gateway +.Ar host | network | label | id | gateway | nat .Oc Xc .Op Fl o Ar level .Op Fl p Ar device 
@@ -256,15 +256,16 @@ option may be specified, which will kill all the source tracking entries from the first host/network to the second. .It Xo .Fl k -.Ar host | network | label | id | gateway +.Ar host | network | label | id | gateway | nat .Xc Kill all of the state entries matching the specified .Ar host , .Ar network , .Ar label , .Ar id , +.Ar gateway, or -.Ar gateway. +.Ar nat. .Pp For example, to kill all of the state entries originating from .Dq host : @@ -332,6 +333,10 @@ To kill all states using a gateway in 192.168.0.0/24: .Pp .Dl # pfctl -k gateway -k 192.168.0.0/24 .Pp +States can also be killed based on their pre-NAT address: +.Pp +.Dl # pfctl -k nat -k 192.168.0.1 +.Pp .It Fl M Kill matching states in the opposite direction (on other interfaces) when killing states. diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index c3f3d82ff767..03b7f24ce60a 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -725,6 +725,12 @@ pfctl_net_kill_states(int dev, const char *iface, int opts) sizeof(kill.ifname)) >= sizeof(kill.ifname)) errx(1, "invalid interface: %s", iface); + if (state_killers == 2 && (strcmp(state_kill[0], "nat") == 0)) { + kill.nat = true; + state_kill[0] = state_kill[1]; + state_killers = 1; + } + pfctl_addrprefix(state_kill[0], &kill.src.addr.v.a.mask); if (opts & PF_OPT_KILLMATCH) diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index b2aa1c450c50..6a5f8761755d 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1770,6 +1770,7 @@ struct pf_kstate_kill { char psk_label[PF_RULE_LABEL_SIZE]; u_int psk_killed; bool psk_kill_match; + bool psk_nat; }; #endif diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 2eae03a908ec..851bf8ee5b63 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c 
@@ -2249,7 +2249,7 @@ relock_DIOCKILLSTATES: /* For floating states look at the original kif. */ kif = s->kif == V_pfi_all ? s->orig_kif : s->kif; - sk = s->key[PF_SK_WIRE]; + sk = s->key[psk->psk_nat ? PF_SK_STACK : PF_SK_WIRE]; if (s->direction == PF_OUT) { srcaddr = &sk->addr[1]; dstaddr = &sk->addr[0]; @@ -2308,10 +2308,10 @@ relock_DIOCKILLSTATES: if (s->direction == PF_OUT) { dir = PF_IN; - idx = PF_SK_STACK; + idx = psk->psk_nat ? PF_SK_WIRE : PF_SK_STACK; } else { dir = PF_OUT; - idx = PF_SK_WIRE; + idx = psk->psk_nat ? PF_SK_STACK : PF_SK_WIRE; } match_key.af = s->key[idx]->af; diff --git a/sys/netpfil/pf/pf_nv.c b/sys/netpfil/pf/pf_nv.c index c4fa276da8fe..721d35be8916 100644 --- a/sys/netpfil/pf/pf_nv.c +++ b/sys/netpfil/pf/pf_nv.c @@ -873,6 +873,9 @@ pf_nvstate_kill_to_kstate_kill(const nvlist_t *nvl, sizeof(kill->psk_label))); PFNV_CHK(pf_nvbool(nvl, "kill_match", &kill->psk_kill_match)); + if (nvlist_exists_bool(nvl, "nat")) + PFNV_CHK(pf_nvbool(nvl, "nat", &kill->psk_nat)); + errout: return (error); }
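Review bot: in the lib/libpfctl/libpfctl.c hunk, `nvlist_add_bool(nvl, "nat", kill->nat);` is emitted unconditionally, so every caller of _pfctl_clear_states() now ships whatever happens to be in the new `nat` member of struct pfctl_kill to the kernel. pfctl.c sets it explicitly, but any other libpfctl consumer that fills the struct field-by-field instead of memset()ing it will pass an uninitialized bool and silently switch to stack-key matching. Either document in libpfctl.h that struct pfctl_kill must be zero-initialized, or add the key only when `kill->nat` is true, which also keeps the nvlist identical to what older kernels already accept.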
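Review bot: in the sbin/pfctl/pfctl.8 hunk, `.Ar gateway,` and `.Ar nat.` put the punctuation inside the macro argument, so mdoc renders the comma and period in the argument font; write them as `.Ar gateway ,` and `.Ar nat .` so the delimiters are recognized (the pre-existing `.Ar gateway.` had the same problem and can be fixed in passing). The new sentence in the -k list also reads as if `nat` were something a state can match, like a host or label, whereas it is a modifier: the following `-k host | network` is matched against the state's pre-NAT (stack-side) address. Saying so, and saying that a network prefix and -M work with it just as without it, would spare a reader from having to infer it from the single `pfctl -k nat -k 192.168.0.1` example.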
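Review bot: in the sbin/pfctl/pfctl.c hunk, the keyword is only recognized when `state_killers == 2`; a bare `pfctl -k nat` falls through to `pfctl_addrprefix(state_kill[0], ...)` and is then treated as the hostname "nat", which at best fails resolution with an unhelpful error. Reject `state_killers == 1 && strcmp(state_kill[0], "nat") == 0` with usage() instead. Note also that the rewrite `state_kill[0] = state_kill[1]; state_killers = 1;` means the second -k is always interpreted as the source address, so there is no way to express "pre-NAT source X to destination Y" the way `-k host1 -k host2` does for the wire key; if that is intended, the man page should say the nat form takes exactly one address.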
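Review bot: in the first sys/netpfil/pf/pf_ioctl.c hunk, `sk = s->key[psk->psk_nat ? PF_SK_STACK : PF_SK_WIRE];` selects the stack-side key, which is the pre-NAT address for outbound `nat` rules but, if I read the key semantics right, the post-redirect (internal) address for `rdr` states, since there the wire key holds the original public destination. The option is therefore "match the address as the local stack sees it" rather than "pre-NAT" in general; either the commit message and pfctl.8 should describe it that way, or the nat case should pick the key per direction. A one-line comment next to the assignment stating which key is meant would also tie it to the matching flip in the kill_match hunk below, which must stay in sync with this one.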
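Review bot: in the sys/netpfil/pf/pf_nv.c hunk, guarding with `if (nvlist_exists_bool(nvl, "nat"))` keeps older libpfctl binaries working, but when the key is absent `kill->psk_nat` is left untouched rather than set, so the default depends on the caller having zeroed struct pf_kstate_kill before calling pf_nvstate_kill_to_kstate_kill(). Please confirm that DIOCKILLSTATES does, or add an explicit `else kill->psk_nat = false;` so the compatibility path cannot inherit a stale value.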