NPF: G/C n-code in favour of BPF byte-code. Delete lots of code, mmm!

branches: 1.1.2; 1.1.4; 1.1.10; 1.1.14; 1.1.24; 1.1.28;
Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@

npf: Adjust README following tech-kern@ discussion

This text has been adjusted to follow the rough consensus of the
public comments and a number of off-list comments.

branches: 1.1.2; 1.1.6; 1.1.40;
NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

kernel: extract rules, lookup socket, process filtering, reviews by christos@

branches: 1.23.26;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.

branches: 1.22.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.

NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

branches: 1.20.14; 1.20.16;
NPF: implement dynamic handling of interface addresses (the kernel part).

Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)

This patches ditches the ptree(3) library, because it is broken (you
can get missing entries!). Instead, as a temporary solution, we switch
to a simple linear scan of the hash tables for the longest-prefix-match
(lpm.c lpm.h) algorithm. In fact, with few unique prefixes in the set,
on modern hardware this simple algorithm is pretty fast anyway!

branches: 1.17.2; 1.17.4; 1.17.8; 1.17.10;
NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.

branches: 1.16.2;
NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.

Bump NPF_VERSION.

NPF: G/C n-code in favour of BPF byte-code. Delete lots of code, mmm!

- Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.

branches: 1.13.2;
- NPF connection tracking: rework synchronisation on tracking disable/enable
points and document it. Split the worker thread into a separate module
with an interface, so it could be re-used for other tasks.
- Replace ALG list with arrays and thus hit fewer cache lines.
- Misc bug fixes.

normali{s,z}e

Split the npflog cloner and auto-load the extensions.

NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.

Add NPF "rndblock" extension to randomly drop packets (using a random function
with a percentage or modulo operation). This is a demo module, although it can
be used for packet loss simulation. Example of a procedure in npf.conf:

procedure "somedrop" {
# Drop 1.9% of the traffic
rndblock: percentage 1.9
}

Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.

branches: 1.7.2;
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.

branches: 1.6.2;
- Split NPF rule procedure code into a separate module (no functional changes).
- Simplify some code, add more comments, some asserts.
- G/C unused rule hook code.

branches: 1.5.2;
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.

branches: 1.4.6; 1.4.10;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.

NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.

branches: 1.2.2; 1.2.4;
NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.

Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@

NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

branches: 1.5.12; 1.5.14;
- Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.

branches: 1.4.2;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)

branches: 1.3.6; 1.3.14; 1.3.18; 1.3.22;
add missing argument

don't auto-unload

Split the npflog cloner and auto-load the extensions.

NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

branches: 1.1.2; 1.1.4; 1.1.8; 1.1.18; 1.1.20; 1.1.22;
- Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.

Avoid LOCKDEBUG pserialize panic by implementing suggestion #1 from

http://mail-index.netbsd.org/current-users/2019/02/24/msg035220.html:

Convert the mutex to spin-lock at IPL_NET (but it is excessive) and
convert the memory allocations in that code path to KM_NOSLEEP.

NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

branches: 1.4.8; 1.4.10; 1.4.12;
remove checks for failure after memory allocation calls that cannot fail:

kmem_alloc() with KM_SLEEP
kmem_zalloc() with KM_SLEEP
percpu_alloc()
pserialize_create()
psref_class_create()

all of these paths include an assertion that the allocation has not failed,
so callers should not assert that again.

branches: 1.3.2; 1.3.6; 1.3.8;
Fix kmem_free() in hashmap_remove().

Fix kmem_free() sizes in hashmap_rehash() and lpm_clear().

branches: 1.1.2;
This patches ditches the ptree(3) library, because it is broken (you
can get missing entries!). Instead, as a temporary solution, we switch
to a simple linear scan of the hash tables for the longest-prefix-match
(lpm.c lpm.h) algorithm. In fact, with few unique prefixes in the set,
on modern hardware this simple algorithm is pretty fast anyway!

Avoid LOCKDEBUG pserialize panic by implementing suggestion #1 from

http://mail-index.netbsd.org/current-users/2019/02/24/msg035220.html:

Convert the mutex to spin-lock at IPL_NET (but it is excessive) and
convert the memory allocations in that code path to KM_NOSLEEP.

NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

branches: 1.1.2; 1.1.4; 1.1.8; 1.1.10; 1.1.22; 1.1.24; 1.1.26;
This patches ditches the ptree(3) library, because it is broken (you
can get missing entries!). Instead, as a temporary solution, we switch
to a simple linear scan of the hash tables for the longest-prefix-match
(lpm.c lpm.h) algorithm. In fact, with few unique prefixes in the set,
on modern hardware this simple algorithm is pretty fast anyway!

npf: Make sure to initialize portmap_lock only once.

PR kern/55586

Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.

Use percpu_foreach_xcall() to gather volatile per-cpu counters. These
must be serialized against the interrupts / soft-interrupts in which
they're manipulated, as well as protected from non-atomic 64-bit memory
loads on 32-bit platforms.

branches: 1.41.2;
- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

- npf_conn_init(): fix a race when initialising the G/C thread.
- Fix a bug when partially initialised connection is destroyed on error.
(from rmind@)

branches: 1.38.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.

Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).

NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

Fix lockdebug diagnostic error of trying to acquire an rw_lock from a
pserialized active context. From riastradh@

branches: 1.34.8; 1.34.10;
remove checks for failure after memory allocation calls that cannot fail:

kmem_alloc() with KM_SLEEP
kmem_zalloc() with KM_SLEEP
percpu_alloc()
pserialize_create()
psref_class_create()

all of these paths include an assertion that the allocation has not failed,
so callers should not assert that again.

branches: 1.33.6;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)

add functionality to lookup a nat entry from the connection list.

branches: 1.31.2;
Simplify even further and fix non-modular kernels:
We cannot use the init at attach() trick, because other npf ext modules
will load before the attach function is called on non modular kernels.

modules don't define MODULAR.

simplify (and fix) logic.

Ifdef npf_init() the same way as all it's callers are protected.

Fix the code so that it works in all 3 cases: non-modular, modular/builtin,
modular/filesystem. In the non-modular case we initialize through attach.
In the modular/builtin case we define the module to be class misc so it
attaches late (after percpu is initialized) since driver modules attach
too early. In the modular/filesystem case we define it to be a driver
module since we autoload it via /dev/npf open.

Defer initialization of built-in npf module until other pseudo-devices
are initialized. MODULE_CLASS_DRIVER modules are now initialized before
autoconfiguration starts, but npf_init has a dependency on percpu(9) which
doesn't work until CPUs have attached (at least on ARM).

needs to be driver, otherwise it will not load!

mark this MODULE_CLASS_MISC as npf_init cannot run when builtin driver modules are initialized

include "ioconf.h" to get the 'void <driver>attach(int count);' prototype.

branches: 1.22.4;
Add d_discard to all struct cdevsw instances I could find.

All have been set to "nodiscard"; some should get a real implementation.

NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.

NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.

branches: 1.19.2;
Change (mostly mechanically) every cdevsw/bdevsw I can find to use
designated initializers.

I have not built every extant kernel so I have probably broken at
least one build; however I've also found and fixed some wrong
cdevsw/bdevsw entries so even if so I think we come out ahead.

NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.

Bump NPF_VERSION.

- Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.

branches: 1.16.2;
- NPF connection tracking: rework synchronisation on tracking disable/enable
points and document it. Split the worker thread into a separate module
with an interface, so it could be re-used for other tasks.
- Replace ALG list with arrays and thus hit fewer cache lines.
- Misc bug fixes.

NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.

Implement NPF table listing and preservation of entries on reload.
Bump the version.

Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.

branches: 1.12.2;
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.

NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.

Replace the remaining KAUTH_GENERIC_ISSUSER authorization calls with
something meaningful. All relevant documentation has been updated or
written.

Most of these changes were brought up in the following messages:

http://mail-index.netbsd.org/tech-kern/2012/01/18/msg012490.html
http://mail-index.netbsd.org/tech-kern/2012/01/19/msg012502.html
http://mail-index.netbsd.org/tech-kern/2012/02/17/msg012728.html

Thanks to christos, manu, njoly, and jmmv for input.

Huge thanks to pgoyette for spinning these changes through some build
cycles and ATF.

- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.

- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.

branches: 1.7.2;
- Expire all sessions on flush.
- Enable checking for zero mask in IP{4,6}MATCH after npfctl changes.
- Make locking symmetric for npf_ruleset_inspect().
- Sync function prototypes in npf(3) man page with reality.
- Rename NPF_TABLE_RBTREE to NPF_TABLE_TREE.

branches: 1.6.4;
Change module class to driver as npf(4) is a pseudo device.

branches: 1.5.4;
fix module build

branches: 1.4.2;
NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
Note: next clean-up step should be a parser, once dholland@ will finish it.
- Add more documentation.
- Various fixes.

branches: 1.3.2;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.

branches: 1.2.2;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.

branches: 1.1.2; 1.1.4;
Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@

PR kern/59615 introduce layer checks for 10 userland 11 kernel

branches: 1.67.2;
kernel code for layer 2 filtering in NPF

reviewed by christos@

NPF copyright 2025

Userland: npf rule parser for user and group id

branches: 1.64.6;
PR kern/56052:
allow block-return packets passed through without rule matching.
Included up-stream as https://github.com/rmind/npf/pull/115

branches: 1.63.20;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.

Move PACKET_TAG_NPF where it belongs to.

npfkern/libnpf: Add support for the table replace/swap operation.
Contributed by Timshel Knoll-Miller.

branches: 1.60.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.

Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).

NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

branches: 1.57.2;
s/static inline/static __inline/g for consistency.

Declare NPC_FMTERR, and use it to kick malformed packets. Several sanity
checks are added in IPv6; after we see the first IPPROTO_FRAGMENT header,
we are allowed to fail to advance, otherwise we kick the packet.

Sent on tech-net@ a few days ago, no response, but I'm committing it now
anyway.

branches: 1.55.2;
Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet + 0 = IP6 Header
packet + 40 = IP6 Routing header (ip6r_len = 31)
packet + 48 = Crafted UDP header (uh_dport = 7777)
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = 6666)
Will bypass a rule of the kind "block port 6666". Here NPF reads the
crafted UDP header, sees 7777, lets the packet in; later the kernel reads
the real UDP header, and delivers it on port 6666.

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.

branches: 1.54.6;
- Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.

branches: 1.53.2;
Bump NPF_VERSION to 19.

Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)

Welcome to version 18:
- Connection state keys are not stored and loaded using the logical key
contents.
- connection finder key is stored in a map that contains the key and the
direction.

add functionality to lookup a nat entry from the connection list.

make this compile again

NPF: adjust the 'stateful-ends' mechanism to tag the packets and thus
pass-through them on other interfaces. Per discussion with christos@.

branches: 1.47.2; 1.47.4; 1.47.6; 1.47.8; 1.47.12;
- Add npf_ruleset_export(), npf_rule_export() and npf_nat_policyexport().
- Split off npf_conn_export(). Add npf_ifmap_getname() and use it to save
the interface name; pick it up on npf_conn_import().
- Misc fixes. Bump NPF_VERSION.

npf_iscached: add an assert.

NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.

NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.

NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.

NPF:
- Populate the BPF external memory store with L3 information.
- Eliminate NPF_COP_L3 call and just use the data in the memstore.
- Bump NPF_VERSION.

Adjust NPF to the recent BPF / BPF JIT changes and make it work again.
All regression tests are happy now (hi alnsn!).

- npf_nat_freepolicy: handle a race condition when a new connection might
be associated with a NAT policy which is going away and npfctl reload
would wait for its natural expiration (potentially long time).
- Remove npf_ruleset_natreload() by merging into npf_ruleset_reload().
- npf_ruleset_reload: eliminate a small time period when a valid NAT
policy might be inactive during the reload operation.

Add ability to have mbufs disappear (to another interface) during
npf_rproc_run(). For upcoming npf_ext_route extension.

Guidance and ok by rmind@.

branches: 1.38.2;
NPF: add support for "stateful-ends".

NPF: add support for IPv6-to-IPv6 Network Prefix Translation (NPTv6),
as per RFC 6296. Add a unit test. Also, bump NPF_VERSION.

Thanks to S.P.Zeidler for the help with NPTv6 work!

NPF: add support for static (stateless) NAT.

Add support for CDB based NPF tables.

NPF:
- Adjust NAT to not assume flow direction in some cases and thus support
less usual setups which are possible when using 'map' with a custom
filter criteria.
- Introduce NPF_SRC/NPF_DST and replace npc_src/npc_dst with npc_ips[2]
for more convenient handling.
- ICMP ALG: restrict matching only to the outgoing traffic, but be more
direction-agnostic elsewhere.

NPF: add support for table naming and remove NPF_TABLE_SLOTS (there is
just an arbitrary sanity limit of NPF_MAX_TABLES currently set to 128).

Few misc fixes. Bump NPF_VERSION.

NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.

Bump NPF_VERSION.

- Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.

branches: 1.30.6;
use sizeof(req) to find if it was empty or not (from uwe)

*"" is not constant according to gcc. So we move the responsibility for adding
a , to the users of the macro.

- avoid trailing , in dependencies when there are none other the npf module
itself.
- remove if_npflog dependency from npf_ext_log.

- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.

NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.

- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.

- Add NPF version check in proplist as well, not only ioctl. Bump the version.
- Fix a bug in table entry lookup.
- Updates/fixes to the man pages. Misc.

npf_rwrcksum: handle delayed checksums in the network stack; also fix
non-NPF_NAT_PORTS case and add some comments. PR/47235.

Implement NPF table listing and preservation of entries on reload.
Bump the version.

Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.

branches: 1.20.2;
teach npf ipv6-icmp
reviewed by rmind@

- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.

NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.

NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.

Update rumpdev_npf; use WARNS=4.

- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.

branches: 1.14.2;
- Split NPF rule procedure code into a separate module (no functional changes).
- Simplify some code, add more comments, some asserts.
- G/C unused rule hook code.

Multiple NPF fixes, add better error reporting from kernel side, add some
asserts, bump the version.

- Expire all sessions on flush.
- Enable checking for zero mask in IP{4,6}MATCH after npfctl changes.
- Make locking symmetric for npf_ruleset_inspect().
- Sync function prototypes in npf(3) man page with reality.
- Rename NPF_TABLE_RBTREE to NPF_TABLE_TREE.

branches: 1.11.2;
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.

Few fixes, KNF/style, bump the NPF version.

Add IPv6 support for NPF.

branches: 1.8.2; 1.8.6;
Bump NPF_VERSION.

NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
Note: next clean-up step should be a parser, once dholland@ will finish it.
- Add more documentation.
- Various fixes.

branches: 1.6.2;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.

branches: 1.5.2;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.

NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.

branches: 1.3.2; 1.3.4;
Add nbuf_advfetch() and simplify some code slightly.

NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.

Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@

Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.

- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.

branches: 1.20.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.

Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).

NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

Fix lockdebug diagnostic error of trying to acquire an rw_lock from a
pserialized active context. From riastradh@

branches: 1.16.14; 1.16.16;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)

branches: 1.15.2; 1.15.4;
- Add and use npf_alg_export().
- npf_conn_import: handle NAT metadata correctly.
- npf_nat_newpolicy: restore the policy ID.
- npfctl_load: fix error code handling for the limit cases.
- npf_config_import: fix the inverted logic.
- npfctl_load: improve error handling.

branches: 1.14.2;
NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.

NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.

branches: 1.12.2;
npf_alg_session: fix inverted logic in the previous commit.

NPF: pass ALG functions via npfa_funcs_t structure.

NPF:
- Adjust NAT to not assume flow direction in some cases and thus support
less usual setups which are possible when using 'map' with a custom
filter criteria.
- Introduce NPF_SRC/NPF_DST and replace npc_src/npc_dst with npc_ips[2]
for more convenient handling.
- ICMP ALG: restrict matching only to the outgoing traffic, but be more
direction-agnostic elsewhere.

branches: 1.9.2;
- NPF connection tracking: rework synchronisation on tracking disable/enable
points and document it. Split the worker thread into a separate module
with an interface, so it could be re-used for other tasks.
- Replace ALG list with arrays and thus hit fewer cache lines.
- Misc bug fixes.

Make ALG's autoloadable by providing in the config file:
alg "algname"

NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.

- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.

branches: 1.5.2;
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.

NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.

- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.

branches: 1.2.6; 1.2.10; 1.2.14; 1.2.16;
NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.

branches: 1.1.2; 1.1.4;
Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@

Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.

branches: 1.32.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.

NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

branches: 1.30.2;
In addition to checking L4 in the cache, here we also need to check the
protocol. The NPF entry point does not ensure that

ICMPv6 can be set only in IPv6
ICMPv4 can be set only in IPv4

So we could have ICMPv6 in IPv4.

Ah, fix compilation. I tested my previous change by loading the kernel
module from the filesystem, but the Makefile didn't have DIAGNOSTIC
enabled, and the two KASSERTs I added did not compile properly.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.

Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.

In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).

This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.

We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).

Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.

Discussed with rmind@.

Remove dead branches, 'npc' can't be NULL (and it is dereferenced
earlier).

branches: 1.25.2;
- npf_cop_table: handle non-IP packets in the ether (fixes PR/52290).
- npfa_icmp_nat: do not recompute the checksum if no port translation.
- npf_normalize (MSS clamping): fix the checksum handling on PFIL_OUT.
- npflog: report the packet direction correctly.

branches: 1.24.8;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)

branches: 1.23.2; 1.23.4; 1.23.6; 1.23.8; 1.23.12;
NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.

NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.

fix typo in comment

branches: 1.20.2;
NPF: fix the recent breakage of the traceroute ALG. Also, simplify and
refactor a little bit.

NPF: pass ALG functions via npfa_funcs_t structure.

NPF:
- Adjust NAT to not assume flow direction in some cases and thus support
less usual setups which are possible when using 'map' with a custom
filter criteria.
- Introduce NPF_SRC/NPF_DST and replace npc_src/npc_dst with npc_ips[2]
for more convenient handling.
- ICMP ALG: restrict matching only to the outgoing traffic, but be more
direction-agnostic elsewhere.

branches: 1.17.2;
- NPF connection tracking: rework synchronisation on tracking disable/enable
points and document it. Split the worker thread into a separate module
with an interface, so it could be re-used for other tasks.
- Replace ALG list with arrays and thus hit fewer cache lines.
- Misc bug fixes.

Make ALG's autoloadable by providing in the config file:
alg "algname"

NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.

- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.

npf_icmp_uniqid: split into npf_icmp_uniqid4() and npf_icmp_uniqid6() parts.

branches: 1.12.2;
npf_icmp_uniqid: inspect the correct npc_info for IPv4/v6.

teach npf ipv6-icmp
reviewed by rmind@

- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.

- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.

branches: 1.8.2; 1.8.4;
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.

Add IPv6 support for NPF.

branches: 1.6.4; 1.6.8;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.

branches: 1.5.2;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.

NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.

branches: 1.3.2; 1.3.4;
Add nbuf_advfetch() and simplify some code slightly.

NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.

Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@

NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

branches: 1.13.2; 1.13.4;
- npf_cop_table: handle non-IP packets in the ether (fixes PR/52290).
- npfa_icmp_nat: do not recompute the checksum if no port translation.
- npf_normalize (MSS clamping): fix the checksum handling on PFIL_OUT.
- npflog: report the packet direction correctly.

Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)

branches: 1.11.4; 1.11.6; 1.11.10;
NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.

NPF: use BPF JIT by default.

NPF:
- Populate the BPF external memory store with L3 information.
- Eliminate NPF_COP_L3 call and just use the data in the memstore.
- Bump NPF_VERSION.

Adjust NPF to the recent BPF / BPF JIT changes and make it work again.
All regression tests are happy now (hi alnsn!).

Fix signatures of copfuncs.

branches: 1.6.2; 1.6.4; 1.6.6;
NPF:
- Adjust NAT to not assume flow direction in some cases and thus support
less usual setups which are possible when using 'map' with a custom
filter criteria.
- Introduce NPF_SRC/NPF_DST and replace npc_src/npc_dst with npc_ips[2]
for more convenient handling.
- ICMP ALG: restrict matching only to the outgoing traffic, but be more
direction-agnostic elsewhere.

Move initialisation of bpf_args_t into the npf_ruleset_inspect().
This allows us to reuse the BPF memory store as a cache.

NPF: convert to bpf_jit_generate()/bpf_jit_freecode().

- Add bpf_args_t and convert bpf_filter_ext() to use it. This allows the
caller to initialise (and re-use) the memory store.
- Add bpf_jit_generate() and bpf_jit_freecode() wrappers.

NPF: add support for table naming and remove NPF_TABLE_SLOTS (there is
just an arbitrary sanity limit of NPF_MAX_TABLES currently set to 128).

Few misc fixes. Bump NPF_VERSION.

- Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.

npf(4): Use atomic_store_release and atomic_load_consume for config.

...or atomic_load_relaxed, when the config is locked. (Not necessary
to use atomic_* at all in NetBSD, but in C11 it will be cheaper to
say atomic_load_relaxed explicitly so an _Atomic-qualified object
doesn't cause the load to be surrounded by unnecessary membars.)

No need for store-before-load ordering here, so no need to
membar_sync.

Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.

Backport selected NPF fixes from the upstream (to be pulled up):

- npf_conndb_lookup: protect the connection lookup with pserialize(9),
instead of incorrectly assuming that the handler always runs at IPL_SOFNET.
Should fix crashes reported on high load (PR/55182).

- npf_config_destroy: handle partially initialized config; fixes crashes
with some invalid configurations.

- NAT policy creation / destruction: set the initial reference and do not
wait for reference draining on destruction; destroy the policy on the
last reference drop instead. Fixes a lockup with the dynamic NAT rules.

- npf_nat_{export,import}: fix a regression since dynamic NAT rules.

- npfctl: fix a regression and restore the default group behaviour.

- Add npf_cache_tcp() and validate the TCP data offset (from maxv@).

- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

branches: 1.13.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.

NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

branches: 1.11.14; 1.11.16;
NPF: fix the interface table initialisation on load.

Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)

branches: 1.9.2;
- npf_config_load: if loading the connections, do not perform any actice
NAT policy take over or or portmap sharing - just replace them all.
- npf_config_fini: flush with the empty connection database.
- npf_nat_import: fix the stat counter.

branches: 1.8.2; 1.8.4;
NPF: finish up the rework of npfctl_save() mechanism.

NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.

- npf_nat_freepolicy: handle a race condition when a new connection might
be associated with a NAT policy which is going away and npfctl reload
would wait for its natural expiration (potentially long time).
- Remove npf_ruleset_natreload() by merging into npf_ruleset_reload().
- npf_ruleset_reload: eliminate a small time period when a valid NAT
policy might be inactive during the reload operation.

branches: 1.5.2; 1.5.4;
Add npf_tableset_syncdict() to sync the table IDs in the proplib dictionary,
as they can change on reload now. Also, fix table name checking in npfctl.

NPF: add support for table naming and remove NPF_TABLE_SLOTS (there is
just an arbitrary sanity limit of NPF_MAX_TABLES currently set to 128).

Few misc fixes. Bump NPF_VERSION.

NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.

Bump NPF_VERSION.

branches: 1.2.2; 1.2.4; 1.2.6;
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.

NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.

npf(9): Update comment to reduce diff from upstream.

No functional change.

npf(4): Use atomic_store_release and atomic_load_consume for conn_db.

...or atomic_load_relaxed, when npf->conn_lock is held, for the sake
of C11.

No need for store-before-load implied by membar_sync.

s/npf_config_lock/npf->config_lock/ in the comments

branches: 1.32.2;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.

Backport selected NPF fixes from the upstream (to be pulled up):

- npf_conndb_lookup: protect the connection lookup with pserialize(9),
instead of incorrectly assuming that the handler always runs at IPL_SOFNET.
Should fix crashes reported on high load (PR/55182).

- npf_config_destroy: handle partially initialized config; fixes crashes
with some invalid configurations.

- NAT policy creation / destruction: set the initial reference and do not
wait for reference draining on destruction; destroy the policy on the
last reference drop instead. Fixes a lockup with the dynamic NAT rules.

- npf_nat_{export,import}: fix a regression since dynamic NAT rules.

- npfctl: fix a regression and restore the default group behaviour.

- Add npf_cache_tcp() and validate the TCP data offset (from maxv@).

NPF ifmap: rework and fix a few small bugs.

- npf_conn_init(): fix a race when initialising the G/C thread.
- Fix a bug when partially initialised connection is destroyed on error.
(from rmind@)

Introduce an npf_conn_destroy_idx() that can handle partially constructed
conn structures.

branches: 1.27.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.

Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).

NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

branches: 1.24.2; 1.24.4;
- npf_cop_table: handle non-IP packets in the ether (fixes PR/52290).
- npfa_icmp_nat: do not recompute the checksum if no port translation.
- npf_normalize (MSS clamping): fix the checksum handling on PFIL_OUT.
- npflog: report the packet direction correctly.

- Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.

branches: 1.22.2;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)

revert dir hack.

Welcome to version 18:
- Connection state keys are not stored and loaded using the logical key
contents.
- connection finder key is stored in a map that contains the key and the
direction.

Remove what looks like remnant (partly removed already) debug code,
which could not possibly compile as it was.

add functionality to lookup a nat entry from the connection list.

NPF: adjust the 'stateful-ends' mechanism to tag the packets and thus
pass-through them on other interfaces. Per discussion with christos@.

branches: 1.16.2;
npf_conn_establish: fix the previous change - drop the reference on error.

- npf_conn_establish: remove a rare race condition when we might destroy a
connection when it is still referenced by another thread.
- npf_conn_destroy: remove the backwards entry using the saved key, PR/49488.
- Sprinkle some asserts.

NPF: set the connection flags atomically in the post-creation logic and
fix a tiny race condition window. Might fix PR/49488.

NPF:
- npf_nat_import: take the port only if using the portmap.
- Sprinkle some comments and asserts.

branches: 1.12.2;
- npf_conn_import: add a missing stat counter increment.
- npf_nat_import: add a missing reference and make a comment.

branches: 1.11.2;
- Add and use npf_alg_export().
- npf_conn_import: handle NAT metadata correctly.
- npf_nat_newpolicy: restore the policy ID.
- npfctl_load: fix error code handling for the limit cases.
- npf_config_import: fix the inverted logic.
- npfctl_load: improve error handling.

branches: 1.10.2;
- Add npf_ruleset_export(), npf_rule_export() and npf_nat_policyexport().
- Split off npf_conn_export(). Add npf_ifmap_getname() and use it to save
the interface name; pick it up on npf_conn_import().
- Misc fixes. Bump NPF_VERSION.

branches: 1.9.2;
npf_conn_conkey: fix a comment.

npf_conn_conkey: adjust to return the key length and add a comment
describing the key layout.

npf_mk_connlist: destroy the connections on error path.

NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.

Drop variable only used in return.

NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.

gcc-4.8 complains about not being able to inline

Fix gcc warnings.

NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.

Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.

Backport selected NPF fixes from the upstream (to be pulled up):

- npf_conndb_lookup: protect the connection lookup with pserialize(9),
instead of incorrectly assuming that the handler always runs at IPL_SOFNET.
Should fix crashes reported on high load (PR/55182).

- npf_config_destroy: handle partially initialized config; fixes crashes
with some invalid configurations.

- NAT policy creation / destruction: set the initial reference and do not
wait for reference draining on destruction; destroy the policy on the
last reference drop instead. Fixes a lockup with the dynamic NAT rules.

- npf_nat_{export,import}: fix a regression since dynamic NAT rules.

- npfctl: fix a regression and restore the default group behaviour.

- Add npf_cache_tcp() and validate the TCP data offset (from maxv@).

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

- npf_conn_init(): fix a race when initialising the G/C thread.
- Fix a bug when partially initialised connection is destroyed on error.
(from rmind@)

branches: 1.16.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.

Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).

NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

branches: 1.13.2; 1.13.4;
- npf_cop_table: handle non-IP packets in the ether (fixes PR/52290).
- npfa_icmp_nat: do not recompute the checksum if no port translation.
- npf_normalize (MSS clamping): fix the checksum handling on PFIL_OUT.
- npflog: report the packet direction correctly.

- Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.

branches: 1.11.2;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)

Welcome to version 18:
- Connection state keys are not stored and loaded using the logical key
contents.
- connection finder key is stored in a map that contains the key and the
direction.

add functionality to lookup a nat entry from the connection list.

branches: 1.8.2;
NPF: set the connection flags atomically in the post-creation logic and
fix a tiny race condition window. Might fix PR/49488.

NPF:
- npf_nat_import: take the port only if using the portmap.
- Sprinkle some comments and asserts.

branches: 1.6.2; 1.6.4; 1.6.6;
- Add npf_ruleset_export(), npf_rule_export() and npf_nat_policyexport().
- Split off npf_conn_export(). Add npf_ifmap_getname() and use it to save
the interface name; pick it up on npf_conn_import().
- Misc fixes. Bump NPF_VERSION.

branches: 1.5.2;
npf_conn_conkey: adjust to return the key length and add a comment
describing the key layout.

npf_mk_connlist: destroy the connections on error path.

NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.

NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.

Add npf_conn.h missed in the previous commit.

Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.

Backport selected NPF fixes from the upstream (to be pulled up):

- npf_conndb_lookup: protect the connection lookup with pserialize(9),
instead of incorrectly assuming that the handler always runs at IPL_SOFNET.
Should fix crashes reported on high load (PR/55182).

- npf_config_destroy: handle partially initialized config; fixes crashes
with some invalid configurations.

- NAT policy creation / destruction: set the initial reference and do not
wait for reference draining on destruction; destroy the policy on the
last reference drop instead. Fixes a lockup with the dynamic NAT rules.

- npf_nat_{export,import}: fix a regression since dynamic NAT rules.

- npfctl: fix a regression and restore the default group behaviour.

- Add npf_cache_tcp() and validate the TCP data offset (from maxv@).

Skip npf_config_sync if nothing to do.

Saves an unnecessary pserialize_perform every second.

branches: 1.6.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.

Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).

NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

branches: 1.3.14; 1.3.16;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)

branches: 1.2.2; 1.2.6; 1.2.8; 1.2.12;
NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.

NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.

Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.

branches: 1.1.2; 1.1.10;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.

NPF copyright 2025

kernel: extract rules, lookup socket, process filtering, reviews by christos@

branches: 1.60.26;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.

libnpf/npfctl: support dynamic NAT rulesets using a name prefix.

ake npfctl_switch() and pfil private to OS-specific module.

- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.

npfkern/libnpf: Add support for the table replace/swap operation.
Contributed by Timshel Knoll-Miller.

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

branches: 1.54.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.

Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).

We need to have rump tests work in two modes:

1. npf unit tests. In this case only the npf subsystem is created
and dictionaries are passed directly.
2. kernel system tests (like the ipsec natt test). In this case, npf is
instantiated regularly as part of the kernel and dictionaries are
passed via ioctl.

We differentiate between the two cases by checking the "mbufops" member
which is NULL, regularly and non-NULL in the npf unit tests. Previously
this was done using an ifdef which obviously can't work for both cases.

NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

branches: 1.50.2; 1.50.4;
- npf_mk_rules: enforce unique names for the dynamic rulesets.
- npf_worker_unregister: merge fix for the standalone NPF.

Fix npfclt reload on rump kernels

It fails because npfctl cannot get an errno when it calls ioctl to the (rump)
kernel; npfctl (libnpf) expects that an errno is returned via proplib,
however, the rump library of npf doesn't so. It happens because of mishandlings
of complicate npf kernel options.

PR kern/52643

branches: 1.48.2;
Allow npf to be used "normally" from a rump kernel, not just from the
test harness (problem reported by Frank Kardel)

branches: 1.47.4;
- Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.

branches: 1.46.2;
NPF: implement dynamic handling of interface addresses (the kernel part).

Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)

add functionality to lookup a nat entry from the connection list.

branches: 1.43.2;
remove bogus KASSERT, there are error paths that don't satisfy this.
XXX: should improve error reporting to userland.

- npfctl: fix the confusion in the parser (0/0 case with no other filter).
- Always populate the error dictionary, not only for DEBUG/DIAGNOSTIC.

NPF: replace the TAILQ of the dynamic rules with a linked list and fix the
inheriting of the active dynamic rules during the reload; also, fix a bug
in the insert path by putting a memory barrier in the right place.

branches: 1.40.2;
- npf_conn_import: add a missing stat counter increment.
- npf_nat_import: add a missing reference and make a comment.

- Add and use npf_alg_export().
- npf_conn_import: handle NAT metadata correctly.
- npf_nat_newpolicy: restore the policy ID.
- npfctl_load: fix error code handling for the limit cases.
- npf_config_import: fix the inverted logic.
- npfctl_load: improve error handling.

branches: 1.38.2;
NPF: finish up the rework of npfctl_save() mechanism.

- Add npf_ruleset_export(), npf_rule_export() and npf_nat_policyexport().
- Split off npf_conn_export(). Add npf_ifmap_getname() and use it to save
the interface name; pick it up on npf_conn_import().
- Misc fixes. Bump NPF_VERSION.

npf_mk_connlist: destroy the connections on error path.

NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.

NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.

branches: 1.33.2;
Add support for CDB based NPF tables.

NPF: add support for table naming and remove NPF_TABLE_SLOTS (there is
just an arbitrary sanity limit of NPF_MAX_TABLES currently set to 128).

Few misc fixes. Bump NPF_VERSION.

NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.

Bump NPF_VERSION.

Add NPF_MAX_RULES, an artificial limit (set it to 1M).

NPF: G/C n-code in favour of BPF byte-code. Delete lots of code, mmm!

- Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.

npfctl_rule: fixes for the dynamic rules.

branches: 1.26.2;
- NPF connection tracking: rework synchronisation on tracking disable/enable
points and document it. Split the worker thread into a separate module
with an interface, so it could be re-used for other tasks.
- Replace ALG list with arrays and thus hit fewer cache lines.
- Misc bug fixes.

- Add NPF table flushing functionality.
- Fix line numbering for npfctl debug command.

Make ALG's autoloadable by providing in the config file:
alg "algname"

- Convert NPF dynamic rule ID to just incremented 64-bit counter.
- Fix multiple bugs. Also, update the man page.

- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.

NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.

- Add NPF version check in proplist as well, not only ioctl. Bump the version.
- Fix a bug in table entry lookup.
- Updates/fixes to the man pages. Misc.

Implement NPF table listing and preservation of entries on reload.
Bump the version.

Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.

branches: 1.17.2;
- {npf_mk_rproc,npf_nat_save}: fix the fetching of {rproc-ptr,id_ptr}.
- npf_rproc_setlog: initialise variables to 0, as keys may not exist.

Bugs found by mlelstv@ while testing on Amiga.

- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.

npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.

- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.

- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.

branches: 1.12.2;
Multiple NPF fixes, add better error reporting from kernel side, add some
asserts, bump the version.

- Expire all sessions on flush.
- Enable checking for zero mask in IP{4,6}MATCH after npfctl changes.
- Make locking symmetric for npf_ruleset_inspect().
- Sync function prototypes in npf(3) man page with reality.
- Rename NPF_TABLE_RBTREE to NPF_TABLE_TREE.

branches: 1.10.2;
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.

Few fixes, KNF/style, bump the NPF version.

Use uint8_t instead of npf_netmask_t, as npf_netmask_t is a uint_fast8_t,
which is in many places is actually a uint32_t and thus incompatible with
prop_dictionary_get_uint8(). The correct type is noted in a comment.

Add IPv6 support for NPF.

branches: 1.6.2; 1.6.6;
NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
Note: next clean-up step should be a parser, once dholland@ will finish it.
- Add more documentation.
- Various fixes.

branches: 1.5.2;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.

branches: 1.4.2;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.

NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.

branches: 1.2.2; 1.2.4;
NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.

Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@

Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.

Adopt <net/if_stats.h>.

branches: 1.15.4; 1.15.6;
NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

branches: 1.14.2;
Implement the BPF direction filter (BIOC[GS]DIRECTION). It provides backward
compatibility with BIOC[GS]SEESENT ioctl. The userland interface is the same
as FreeBSD.

This change also fixes a bug that the direction is misunderstand on some
environment by passing the direction to bpf_mtap*() instead of checking
m->m_pkthdr.rcvif.

branches: 1.13.12;
provide a copy function used for logging that does not lock, but can return
trash.

npf_ifmap_getname requires the config to be locked. For now, just prevent the
crash.

- Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.

branches: 1.10.2;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)

branches: 1.9.2;
Use if_get_byindex instead of if_byindex for MP-safe

branches: 1.8.4;
NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.

Add ability to have mbufs disappear (to another interface) during
npf_rproc_run(). For upcoming npf_ext_route extension.

Guidance and ok by rmind@.

branches: 1.6.10;
*"" is not constant according to gcc. So we move the responsibility for adding
a , to the users of the macro.

- avoid trailing , in dependencies when there are none other the npf module
itself.
- remove if_npflog dependency from npf_ext_log.

remove the detach that does not belong here anymore.

Split the npflog cloner and auto-load the extensions.

- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.

branches: 1.1.2; 1.1.4; 1.1.6;
Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.

normali{s,z}e

*"" is not constant according to gcc. So we move the responsibility for adding
a , to the users of the macro.

- avoid trailing , in dependencies when there are none other the npf module
itself.
- remove if_npflog dependency from npf_ext_log.

- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.

branches: 1.1.2; 1.1.4; 1.1.6;
Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.

reinstate a simple version of ip_randomid()

branches: 1.10.2;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.

branches: 1.9.4;
NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

Introduce npf_set_mss(). When the MSS is not 16bit-aligned, it sets:

0 8 16 24 32
+------+-----------+-----------+------+
| data | MSS (low) | MSS (hig) | data |
+------+-----------+-----------+------+
^ ^
old[0] old[1]

And sets new[0,1] accordingly with the new value. The MSS-clamping code
then adjusts twice the checksum on a 16bit boundary:

from old[0] to new[0]
from old[1] to new[1]

Fixes PR/53479, opened by myself. Tested with wireshark and kASan.

branches: 1.7.2;
Fix an inverted logic.

nbuf_cksum_barrier returns true when the direction is PFIL_OUT and TSO is
active; that is to say, it returns true when the checksum was already
recomputed by the function.

The check should be !nbuf_cksum_barrier, because otherwise we're wrongfully
checksumming twice, and it causes the packet to be kicked later in
tcp_input.

This can be seen with a configuration of the type:

procedure "norm" {
normalize: "max-mss" 15000
}
group default {
pass all apply "norm"
}

The packets systematically get dropped because the checksum validation in
tcp_input fails. With this patch in place, it works.

branches: 1.6.2;
- npf_cop_table: handle non-IP packets in the ether (fixes PR/52290).
- npfa_icmp_nat: do not recompute the checksum if no port translation.
- npf_normalize (MSS clamping): fix the checksum handling on PFIL_OUT.
- npflog: report the packet direction correctly.

- Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.

branches: 1.4.2;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)

branches: 1.3.4; 1.3.8;
NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.

branches: 1.2.2;
Add ability to have mbufs disappear (to another interface) during
npf_rproc_run(). For upcoming npf_ext_route extension.

Guidance and ok by rmind@.

branches: 1.1.6; 1.1.12;
normali{s,z}e

Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.

branches: 1.8.4;
NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

branches: 1.7.12; 1.7.14;
- Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.

branches: 1.6.2;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)

branches: 1.5.4; 1.5.8;
NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.

Add ability to have mbufs disappear (to another interface) during
npf_rproc_run(). For upcoming npf_ext_route extension.

Guidance and ok by rmind@.

branches: 1.3.10;
*"" is not constant according to gcc. So we move the responsibility for adding
a , to the users of the macro.

- avoid trailing , in dependencies when there are none other the npf module
itself.
- remove if_npflog dependency from npf_ext_log.

branches: 1.1.2; 1.1.4; 1.1.8;
Add NPF "rndblock" extension to randomly drop packets (using a random function
with a percentage or modulo operation). This is a demo module, although it can
be used for packet loss simulation. Example of a procedure in npf.conf:

procedure "somedrop" {
# Drop 1.9% of the traffic
rndblock: percentage 1.9
}

Pass frames directly when no layer 2 rules are set

NPF's original implementation of default pass is to block. i.e if the packet matches absolutely
no rule even the default group. we cannot use that in layer 2 as well since all frames will be
blocked when no rules are set for layer 2 and that would not be good. since NPF is primarily
a layer 3 filter.

Greg@ Markus@

kernel code for layer 2 filtering in NPF

reviewed by christos@

NPF copyright 2025

kernel: extract rules, lookup socket, process filtering, reviews by christos@

npf: Drop redundant NULL check before m_freem(9)

XXX
Their standalone version of m_freem() does not work for NULL input.
I will send pullreq to upstream soon.

branches: 1.49.26;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.

- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

branches: 1.46.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.

NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.

Modify the logic in npf_reassembly. Don't call nbuf_reset, we don't need
it since we don't read the IPv4 header anymore.

If ip{6}_reass_packet fails, always free 'm', and always clear the nbuf.

We want to avoid the case where

'm' was reallocated
the nbuf pointer was not updated accordingly
the caller tried to use the nbuf pointer

This case doesn't happen right now, but the code is fragile, so strengthen
it.

Remove the second argument from ip_reass_packet(). We want the IP header
on the mbuf, not elsewhere. Simplifies the NPF reassembly code a little.
No real functional change.

Simplify the pointer handling. Set *mp = NULL at the beginning of the
function. In npf_reassembly, pass a simple boolean instead of a ** mbuf
pointer. Add a KASSERT for IPv4, we don't want (error && !m). Remove
the 'fastout' label, use 'out'.

Update the pointer when fast-kicking, because it may have been freed.
Before my changes the nonsensical pointer ininitialization held, but
when I started introducing sanity checks the whole thing collapsed.

Need pullup-8.

Set con = NULL just once, instead of doing it in each branch.

branches: 1.39.2;
Fix two consecutive mistakes.

The first mistake was npf_inet.c rev1.37:

"Don't reassemble ipv6 fragments, instead treat the first fragment
as a regular packet (subject to filtering rules), and pass
subsequent fragments in the same group unconditionally."

Doing this was entirely wrong, because then a packet just had to push
the L4 payload in a secondary fragment, and NPF wouldn't apply rules on
it - meaning any IPv6 packet could bypass >=L4 filtering. This mistake
was supposed to be a fix for the second mistake.

The second mistake was that ip6_reass_packet (in npf_reassembly) was
getting called with npc->npc_hlen. But npc_hlen pointed to the last
encountered header in the IPv6 chain, which was not necessarily the
fragment header. So ip6_reass_packet was given garbage, and would fail,
resulting in the packet getting kicked. So basically IPv6 was broken by
NPF.

The first mistake is reverted, and the second one is fixed by doing:

- hlen = sizeof(struct ip6_frag);
+ hlen = 0;

Now the iteration stops on the fragment header, and the call to
ip6_reass_packet is valid.

My npf_inet.c rev1.38 is partially reverted: we don't need to worry
about failing properly to advance; once the packet is reassembled
npf_cache_ip gets called again, and this time the whole chain should be
there.

Tested with a simple UDPv6 server - send a 3000-byte-sized buffer, the
packet gets correctly reassembled by NPF now.

Declare NPC_FMTERR, and use it to kick malformed packets. Several sanity
checks are added in IPv6; after we see the first IPPROTO_FRAGMENT header,
we are allowed to fail to advance, otherwise we kick the packet.

Sent on tech-net@ a few days ago, no response, but I'm committing it now
anyway.

branches: 1.37.6; 1.37.12;
Don't reassemble ipv6 fragments, instead treat the first fragment as a regular
packet (subject to filtering rules), and pass subsequent fragments in the
same group unconditionally.

- Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.

branches: 1.35.2;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)

NPF: adjust the 'stateful-ends' mechanism to tag the packets and thus
pass-through them on other interfaces. Per discussion with christos@.

branches: 1.33.4; 1.33.8;
NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.

NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.

NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.

Add ability to have mbufs disappear (to another interface) during
npf_rproc_run(). For upcoming npf_ext_route extension.

Guidance and ok by rmind@.

branches: 1.29.2;
NPF: add support for "stateful-ends".

NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.

Bump NPF_VERSION.

- Rewrite parts of pfil(9): use array to store hooks and thus be more cache
friendly (there are only few hooks in the system). Make the structures
opaque and the interface more strict.
- Remove PFIL_HOOKS option by making pfil(9) mandatory.

branches: 1.26.2;
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.

- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.

- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.

npf_packet_handler: drop the packet if IPv6 reassembly did not work.

Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.

branches: 1.21.2;
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.

- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.

npf_packet_handler: fix gcc unused warning.

NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.

npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.

- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.

- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.

- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.

branches: 1.13.2;
- Split NPF rule procedure code into a separate module (no functional changes).
- Simplify some code, add more comments, some asserts.
- G/C unused rule hook code.

- Expire all sessions on flush.
- Enable checking for zero mask in IP{4,6}MATCH after npfctl changes.
- Make locking symmetric for npf_ruleset_inspect().
- Sync function prototypes in npf(3) man page with reality.
- Rename NPF_TABLE_RBTREE to NPF_TABLE_TREE.

branches: 1.11.2;
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.

Few fixes, KNF/style, bump the NPF version.

When building the kernel without IPv6 support, compilation failed.
Fix that.

Add IPv6 support for NPF.

branches: 1.7.2; 1.7.6;
NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
Note: next clean-up step should be a parser, once dholland@ will finish it.
- Add more documentation.
- Various fixes.

branches: 1.6.2;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.

branches: 1.5.2;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.

NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.

branches: 1.3.2;
npf_packet_handler: clear M_CANFASTFWD flag, so inspection would work when
fast forwarding is enabled (e.g. with GATEWAY kernel option). Thanks matt@
for the tip.