pf.conf(5): fixed a typo, updated date.

Added binat support, modified pf.conf(5) man page to cover the new syntax, re-enabled a few more original OpenBSD pfctl tests.

I have re-enabled OpenBSD tests. Some of them required modification to resolve port numbers to service names, include the "keep state" keyword, insert commas between table members, not auto-expand redirection table-like syntax into tables.

I've moved the tests back to pfctl.

In D49218#1123087, @kp wrote:

In D49218#1123087, @kp wrote:

Are the tests doing something we can't do in the sbin/pfctl/tests tests? Those don't spin up a jail, they just feed input to pfctl and compare the parsed result to an expected output.
It's significantly faster to run those than it is to mess with real jails and interfaces.

Ah, yeah, these tests also have expected failures, which I don't think the pfctl tests support. I wonder if it's worth adding that and migrating these tests, or if we just keep the ones you have.

In D49218#1122711, @kp wrote:

This fails one of the new tests on my machine:

(kp@geb)  /usr/tests/sys/netpfil % sudo kyua debug pf/redirection_pool_syntax:af_to                                                                                                [11:14]
Testing rule:
pass in on vlan0 inet6 from any to 64:ff9b::/96 af-to inet from 192.0.2.102 to 198.51.100.102
Parsed ruleset difference:
--- /tmp/kyua.JWtsI2/2/work/tmp.aCH51evNTr      2025-03-04 10:14:41.041368000 +0000
+++ /tmp/kyua.JWtsI2/2/work/tmp.HYltlMftHQ      2025-03-04 10:14:41.060891000 +0000
@@ -1 +1 @@
-@0 pass in on vlan0 inet6 from any to 64:ff9b::/96 flags S/SA keep state af-to inet from 192.0.2.102 to 198.51.100.102
+@0 pass in on vlan0 inet6 from any to 64:ff9b::/96 flags S/SA keep state af-to inet from 192.0.2.102

Fix too long lines and other syntax issues. Deduplicate calculation of src, dst, psrc, pdst for state tracking, which also fixes outbound NAT64 for UDP traffic.

Restored original variable names in libpfctl, added typedef for the enum.

Source node locking issues have been solved in another review. This patch now covers only adding source node types.

Improve the situation a bit: force logging if state creation fails.
This isn't totally right as we'll end up logging the packet twice in
this case, but it's better than not logging the drop at all.

Improve some comments.

Restore the old value of _Static_assert(sizeof(struct pf_kstate))

Plug holes in pf_rule_actions

Use style(9)-compliant boolean tests

As promised yesterday, I propose how to get further with simplifying source node handling. This is a draft/proposal, however it compiles and passes all tests, at least the ones not skipped, which for me are dummynet and altq, I need to revive my custom kernel config to get those running.

Change limited to bool. Fix one missing PF_SRC_NODE… macro.

Make pf_hashsrc() available from everywhere. Use PF_SRC_NODE… macros now that pf_hashsrc() is accessible. The OB1 error in pf_insert_src_node() is gone, adjust the tests accordingly. Simplify pf_src_connlimit() logic,

This patch only aims to fix issues with locking, not the other issues found in D39880 (which will require some modifications, as while writing this one, I found some issues with the 2 different paths reaching pf_map_addr_sn(), which D39880 does not take into account). I suppose it could be MFC'd into the currently maintained releases of FreeBSD after more testing.

Duplicate of https://cgit.freebsd.org/src/commit/?id=6463b6b59152fb1695bbe0de78f6e2675c5a765a

There's no need for additional variable, time is used only once.

This code suffers from very old OpenBSD idea of (ab)using the same data structure for in-kernel storage and communication with userspace over ioctl. There is no need for struct pf_threshold *t, as pfctl only displays its count and seconds properties. Instead of having a separate function nlattr_add_pf_threshold() with all its PF_TH_… variables we could just add new variables PF_SN_CONN_RATE_RATE and PF_SN_CONN_RATE_SECONDS directly into the source node. And rename PF_SN_CREATION to PF_SN_AGE since it's the age of the SN, calculated during the export, not its creation time, as stored in kernel.

This is also broken on FreeBSD 14.

In D47543#1085347, @franco_opnsense.org wrote:

So regardless of why I already stated this is a technical issue that is by no means "pointless", what do you suggest to improve this particular test to make it more robust? Uncontrolled creation of processes that inherit file descriptors isn't exactly clean design but I can see why you do not want to apply this mere bandaid with that larger issue at hand.

Closed by commit rG65b20771713c: pf tests: Simplify handling of pfctl -s

In D47435#1081961, @kp wrote: