1 /* $OpenBSD: pf_ioctl.c,v 1.213 2009/02/15 21:46:12 mbalmer Exp $ */
4 * Copyright (c) 2001 Daniel Hartmeier
5 * Copyright (c) 2002,2003 Henning Brauer
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * - Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * - Redistributions in binary form must reproduce the above
15 * copyright notice, this list of conditions and the following
16 * disclaimer in the documentation and/or other materials provided
17 * with the distribution.
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
25 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
29 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
32 * Effort sponsored in part by the Defense Advanced Research Projects
33 * Agency (DARPA) and Air Force Research Laboratory, Air Force
34 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
39 #include <sys/cdefs.h>
40 __FBSDID("$FreeBSD$");
43 #include "opt_inet6.h"
48 #define NBPFILTER DEV_BPF
54 #define NPFLOG DEV_PFLOG
60 #define NPFSYNC DEV_PFSYNC
70 #include <sys/param.h>
71 #include <sys/systm.h>
73 #include <sys/filio.h>
74 #include <sys/fcntl.h>
75 #include <sys/socket.h>
76 #include <sys/socketvar.h>
77 #include <sys/kernel.h>
80 #include <sys/ucred.h>
82 #include <sys/module.h>
85 #include <sys/sysctl.h>
87 #include <sys/timeout.h>
91 #include <sys/malloc.h>
92 #include <sys/kthread.h>
94 #include <sys/rwlock.h>
95 #include <uvm/uvm_extern.h>
99 #include <net/if_types.h>
101 #include <net/vnet.h>
103 #include <net/route.h>
105 #include <netinet/in.h>
106 #include <netinet/in_var.h>
107 #include <netinet/in_systm.h>
108 #include <netinet/ip.h>
109 #include <netinet/ip_var.h>
110 #include <netinet/ip_icmp.h>
115 #include <dev/rndvar.h>
116 #include <crypto/md5.h>
118 #include <net/pfvar.h>
120 #include <net/if_pfsync.h>
123 #include <net/if_pflog.h>
124 #endif /* NPFLOG > 0 */
127 #include <netinet/ip6.h>
128 #include <netinet/in_pcb.h>
132 #include <altq/altq.h>
136 #include <sys/limits.h>
137 #include <sys/lock.h>
138 #include <sys/mutex.h>
139 #include <net/pfil.h>
140 #endif /* __FreeBSD__ */
143 void init_zone_var(void);
144 void cleanup_pf_zone(void);
148 void pf_thread_create(void *);
149 int pfopen(dev_t, int, int, struct proc *);
150 int pfclose(dev_t, int, int, struct proc *);
152 struct pf_pool *pf_get_pool(char *, u_int32_t, u_int8_t, u_int32_t,
153 u_int8_t, u_int8_t, u_int8_t);
155 void pf_mv_pool(struct pf_palist *, struct pf_palist *);
156 void pf_empty_pool(struct pf_palist *);
158 int pfioctl(struct cdev *, u_long, caddr_t, int, struct thread *);
160 int pfioctl(dev_t, u_long, caddr_t, int, struct proc *);
163 int pf_begin_altq(u_int32_t *);
164 int pf_rollback_altq(u_int32_t);
165 int pf_commit_altq(u_int32_t);
166 int pf_enable_altq(struct pf_altq *);
167 int pf_disable_altq(struct pf_altq *);
169 int pf_begin_rules(u_int32_t *, int, const char *);
170 int pf_rollback_rules(u_int32_t, int, char *);
171 int pf_setup_pfsync_matching(struct pf_ruleset *);
172 void pf_hash_rule(MD5_CTX *, struct pf_rule *);
173 void pf_hash_rule_addr(MD5_CTX *, struct pf_rule_addr *);
174 int pf_commit_rules(u_int32_t, int, char *);
175 int pf_addr_setup(struct pf_ruleset *,
176 struct pf_addr_wrap *, sa_family_t);
177 void pf_addr_copyout(struct pf_addr_wrap *);
179 #define TAGID_MAX 50000
182 VNET_DEFINE(struct pf_rule, pf_default_rule);
183 VNET_DEFINE(struct sx, pf_consistency_lock);
186 static VNET_DEFINE(int, pf_altq_running);
187 #define V_pf_altq_running VNET(pf_altq_running)
190 TAILQ_HEAD(pf_tags, pf_tagname);
192 #define V_pf_tags VNET(pf_tags)
193 VNET_DEFINE(struct pf_tags, pf_tags);
194 #define V_pf_qids VNET(pf_qids)
195 VNET_DEFINE(struct pf_tags, pf_qids);
197 #else /* !__FreeBSD__ */
198 struct pf_rule pf_default_rule;
199 struct rwlock pf_consistency_lock = RWLOCK_INITIALIZER("pfcnslk");
201 static int pf_altq_running;
204 TAILQ_HEAD(pf_tags, pf_tagname) pf_tags = TAILQ_HEAD_INITIALIZER(pf_tags),
205 pf_qids = TAILQ_HEAD_INITIALIZER(pf_qids);
206 #endif /* __FreeBSD__ */
208 #if (PF_QNAME_SIZE != PF_TAG_NAME_SIZE)
209 #error PF_QNAME_SIZE must be equal to PF_TAG_NAME_SIZE
212 u_int16_t tagname2tag(struct pf_tags *, char *);
213 void tag2tagname(struct pf_tags *, u_int16_t, char *);
214 void tag_unref(struct pf_tags *, u_int16_t);
215 int pf_rtlabel_add(struct pf_addr_wrap *);
216 void pf_rtlabel_remove(struct pf_addr_wrap *);
217 void pf_rtlabel_copyout(struct pf_addr_wrap *);
220 #define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x
222 #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
229 * XXX - These are new and need to be checked when moveing to a new version
231 static void pf_clear_states(void);
232 static int pf_clear_tables(void);
233 static void pf_clear_srcnodes(void);
235 * XXX - These are new and need to be checked when moveing to a new version
239 * Wrapper functions for pfil(9) hooks
242 static int pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp,
243 int dir, struct inpcb *inp);
244 static int pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp,
245 int dir, struct inpcb *inp);
248 static int pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp,
249 int dir, struct inpcb *inp);
250 static int pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp,
251 int dir, struct inpcb *inp);
254 static int hook_pf(void);
255 static int dehook_pf(void);
256 static int shutdown_pf(void);
257 static int pf_load(void);
258 static int pf_unload(void);
260 static struct cdevsw pf_cdevsw = {
263 .d_version = D_VERSION,
266 static volatile VNET_DEFINE(int, pf_pfil_hooked);
267 #define V_pf_pfil_hooked VNET(pf_pfil_hooked)
268 VNET_DEFINE(int, pf_end_threads);
269 struct mtx pf_task_mtx;
272 pfsync_state_import_t *pfsync_state_import_ptr = NULL;
273 pfsync_insert_state_t *pfsync_insert_state_ptr = NULL;
274 pfsync_update_state_t *pfsync_update_state_ptr = NULL;
275 pfsync_delete_state_t *pfsync_delete_state_ptr = NULL;
276 pfsync_clear_states_t *pfsync_clear_states_ptr = NULL;
277 pfsync_state_in_use_t *pfsync_state_in_use_ptr = NULL;
278 pfsync_defer_t *pfsync_defer_ptr = NULL;
279 pfsync_up_t *pfsync_up_ptr = NULL;
281 export_pflow_t *export_pflow_ptr = NULL;
283 pflog_packet_t *pflog_packet_ptr = NULL;
285 VNET_DEFINE(int, debug_pfugidhack);
286 SYSCTL_VNET_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RW,
287 &VNET_NAME(debug_pfugidhack), 0,
288 "Enable/disable pf user/group rules mpsafe hack");
294 mtx_init(&pf_task_mtx, "pf task mtx", NULL, MTX_DEF);
298 destroy_pf_mutex(void)
301 mtx_destroy(&pf_task_mtx);
306 V_pf_src_tree_pl = V_pf_rule_pl = NULL;
307 V_pf_state_pl = V_pf_state_key_pl = V_pf_state_item_pl = NULL;
308 V_pf_altq_pl = V_pf_pooladdr_pl = NULL;
309 V_pf_frent_pl = V_pf_frag_pl = V_pf_cache_pl = V_pf_cent_pl = NULL;
310 V_pf_state_scrub_pl = NULL;
311 V_pfr_ktable_pl = V_pfr_kentry_pl = NULL;
315 cleanup_pf_zone(void)
317 UMA_DESTROY(V_pf_src_tree_pl);
318 UMA_DESTROY(V_pf_rule_pl);
319 UMA_DESTROY(V_pf_state_pl);
320 UMA_DESTROY(V_pf_state_key_pl);
321 UMA_DESTROY(V_pf_state_item_pl);
322 UMA_DESTROY(V_pf_altq_pl);
323 UMA_DESTROY(V_pf_pooladdr_pl);
324 UMA_DESTROY(V_pf_frent_pl);
325 UMA_DESTROY(V_pf_frag_pl);
326 UMA_DESTROY(V_pf_cache_pl);
327 UMA_DESTROY(V_pf_cent_pl);
328 UMA_DESTROY(V_pfr_ktable_pl);
329 UMA_DESTROY(V_pfr_kentry_pl);
330 UMA_DESTROY(V_pf_state_scrub_pl);
331 UMA_DESTROY(V_pfi_addr_pl);
337 u_int32_t *my_timeout = V_pf_default_rule.timeout;
341 UMA_CREATE(V_pf_src_tree_pl, struct pf_src_node, "pfsrctrpl");
342 UMA_CREATE(V_pf_rule_pl, struct pf_rule, "pfrulepl");
343 UMA_CREATE(V_pf_state_pl, struct pf_state, "pfstatepl");
344 UMA_CREATE(V_pf_state_key_pl, struct pf_state, "pfstatekeypl");
345 UMA_CREATE(V_pf_state_item_pl, struct pf_state, "pfstateitempl");
346 UMA_CREATE(V_pf_altq_pl, struct pf_altq, "pfaltqpl");
347 UMA_CREATE(V_pf_pooladdr_pl, struct pf_pooladdr, "pfpooladdrpl");
348 UMA_CREATE(V_pfr_ktable_pl, struct pfr_ktable, "pfrktable");
349 UMA_CREATE(V_pfr_kentry_pl, struct pfr_kentry, "pfrkentry");
350 UMA_CREATE(V_pf_frent_pl, struct pf_frent, "pffrent");
351 UMA_CREATE(V_pf_frag_pl, struct pf_fragment, "pffrag");
352 UMA_CREATE(V_pf_cache_pl, struct pf_fragment, "pffrcache");
353 UMA_CREATE(V_pf_cent_pl, struct pf_frcache, "pffrcent");
354 UMA_CREATE(V_pf_state_scrub_pl, struct pf_state_scrub,
356 UMA_CREATE(V_pfi_addr_pl, struct pfi_dynaddr, "pfiaddrpl");
365 if ( (error = pf_osfp_initialize()) ) {
371 V_pf_pool_limits[PF_LIMIT_STATES].pp = V_pf_state_pl;
372 V_pf_pool_limits[PF_LIMIT_STATES].limit = PFSTATE_HIWAT;
373 V_pf_pool_limits[PF_LIMIT_SRC_NODES].pp = V_pf_src_tree_pl;
374 V_pf_pool_limits[PF_LIMIT_SRC_NODES].limit = PFSNODE_HIWAT;
375 V_pf_pool_limits[PF_LIMIT_FRAGS].pp = V_pf_frent_pl;
376 V_pf_pool_limits[PF_LIMIT_FRAGS].limit = PFFRAG_FRENT_HIWAT;
377 V_pf_pool_limits[PF_LIMIT_TABLES].pp = V_pfr_ktable_pl;
378 V_pf_pool_limits[PF_LIMIT_TABLES].limit = PFR_KTABLE_HIWAT;
379 V_pf_pool_limits[PF_LIMIT_TABLE_ENTRIES].pp = V_pfr_kentry_pl;
380 V_pf_pool_limits[PF_LIMIT_TABLE_ENTRIES].limit = PFR_KENTRY_HIWAT;
381 uma_zone_set_max(V_pf_pool_limits[PF_LIMIT_STATES].pp,
382 V_pf_pool_limits[PF_LIMIT_STATES].limit);
384 RB_INIT(&V_tree_src_tracking);
385 RB_INIT(&V_pf_anchors);
386 pf_init_ruleset(&pf_main_ruleset);
388 TAILQ_INIT(&V_pf_altqs[0]);
389 TAILQ_INIT(&V_pf_altqs[1]);
390 TAILQ_INIT(&V_pf_pabuf);
391 V_pf_altqs_active = &V_pf_altqs[0];
392 V_pf_altqs_inactive = &V_pf_altqs[1];
393 TAILQ_INIT(&V_state_list);
395 /* default rule should never be garbage collected */
396 V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
397 V_pf_default_rule.action = PF_PASS;
398 V_pf_default_rule.nr = -1;
399 V_pf_default_rule.rtableid = -1;
401 /* initialize default timeouts */
402 my_timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
403 my_timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL;
404 my_timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL;
405 my_timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL;
406 my_timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL;
407 my_timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL;
408 my_timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL;
409 my_timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL;
410 my_timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL;
411 my_timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL;
412 my_timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL;
413 my_timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL;
414 my_timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL;
415 my_timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL;
416 my_timeout[PFTM_FRAG] = PFTM_FRAG_VAL;
417 my_timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL;
418 my_timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL;
419 my_timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
420 my_timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;
421 my_timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;
425 bzero(&V_pf_status, sizeof(V_pf_status));
426 V_pf_status.debug = PF_DEBUG_URGENT;
428 V_pf_pfil_hooked = 0;
430 /* XXX do our best to avoid a conflict */
431 V_pf_status.hostid = arc4random();
433 if (kproc_create(pf_purge_thread, curvnet, NULL, 0, 0, "pfpurge"))
436 m_addr_chg_pf_p = pf_pkt_addr_changed;
440 #else /* !__FreeBSD__ */
445 u_int32_t *timeout = pf_default_rule.timeout;
447 pool_init(&pf_rule_pl, sizeof(struct pf_rule), 0, 0, 0, "pfrulepl",
448 &pool_allocator_nointr);
449 pool_init(&pf_src_tree_pl, sizeof(struct pf_src_node), 0, 0, 0,
451 pool_init(&pf_state_pl, sizeof(struct pf_state), 0, 0, 0, "pfstatepl",
453 pool_init(&pf_state_key_pl, sizeof(struct pf_state_key), 0, 0, 0,
454 "pfstatekeypl", NULL);
455 pool_init(&pf_state_item_pl, sizeof(struct pf_state_item), 0, 0, 0,
456 "pfstateitempl", NULL);
457 pool_init(&pf_altq_pl, sizeof(struct pf_altq), 0, 0, 0, "pfaltqpl",
458 &pool_allocator_nointr);
459 pool_init(&pf_pooladdr_pl, sizeof(struct pf_pooladdr), 0, 0, 0,
460 "pfpooladdrpl", &pool_allocator_nointr);
463 pf_osfp_initialize();
465 pool_sethardlimit(pf_pool_limits[PF_LIMIT_STATES].pp,
466 pf_pool_limits[PF_LIMIT_STATES].limit, NULL, 0);
468 if (physmem <= atop(100*1024*1024))
469 pf_pool_limits[PF_LIMIT_TABLE_ENTRIES].limit =
470 PFR_KENTRY_HIWAT_SMALL;
472 RB_INIT(&tree_src_tracking);
473 RB_INIT(&pf_anchors);
474 pf_init_ruleset(&pf_main_ruleset);
475 TAILQ_INIT(&pf_altqs[0]);
476 TAILQ_INIT(&pf_altqs[1]);
477 TAILQ_INIT(&pf_pabuf);
478 pf_altqs_active = &pf_altqs[0];
479 pf_altqs_inactive = &pf_altqs[1];
480 TAILQ_INIT(&state_list);
482 /* default rule should never be garbage collected */
483 pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next;
484 pf_default_rule.action = PF_PASS;
485 pf_default_rule.nr = -1;
486 pf_default_rule.rtableid = -1;
488 /* initialize default timeouts */
489 timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
490 timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL;
491 timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL;
492 timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL;
493 timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL;
494 timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL;
495 timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL;
496 timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL;
497 timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL;
498 timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL;
499 timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL;
500 timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL;
501 timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL;
502 timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL;
503 timeout[PFTM_FRAG] = PFTM_FRAG_VAL;
504 timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL;
505 timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL;
506 timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
507 timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;
508 timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;
511 bzero(&pf_status, sizeof(pf_status));
512 pf_status.debug = PF_DEBUG_URGENT;
514 /* XXX do our best to avoid a conflict */
515 pf_status.hostid = arc4random();
517 /* require process context to purge states, so perform in a thread */
518 kthread_create_deferred(pf_thread_create, NULL);
522 pf_thread_create(void *v)
524 if (kthread_create(pf_purge_thread, NULL, NULL, "pfpurge"))
525 panic("pfpurge thread");
529 pfopen(dev_t dev, int flags, int fmt, struct proc *p)
537 pfclose(dev_t dev, int flags, int fmt, struct proc *p)
546 pf_get_pool(char *anchor, u_int32_t ticket, u_int8_t rule_action,
547 u_int32_t rule_number, u_int8_t r_last, u_int8_t active,
548 u_int8_t check_ticket)
550 struct pf_ruleset *ruleset;
551 struct pf_rule *rule;
554 ruleset = pf_find_ruleset(anchor);
557 rs_num = pf_get_ruleset_number(rule_action);
558 if (rs_num >= PF_RULESET_MAX)
561 if (check_ticket && ticket !=
562 ruleset->rules[rs_num].active.ticket)
565 rule = TAILQ_LAST(ruleset->rules[rs_num].active.ptr,
568 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
570 if (check_ticket && ticket !=
571 ruleset->rules[rs_num].inactive.ticket)
574 rule = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
577 rule = TAILQ_FIRST(ruleset->rules[rs_num].inactive.ptr);
580 while ((rule != NULL) && (rule->nr != rule_number))
581 rule = TAILQ_NEXT(rule, entries);
586 return (&rule->rpool);
590 pf_mv_pool(struct pf_palist *poola, struct pf_palist *poolb)
592 struct pf_pooladdr *mv_pool_pa;
594 while ((mv_pool_pa = TAILQ_FIRST(poola)) != NULL) {
595 TAILQ_REMOVE(poola, mv_pool_pa, entries);
596 TAILQ_INSERT_TAIL(poolb, mv_pool_pa, entries);
601 pf_empty_pool(struct pf_palist *poola)
603 struct pf_pooladdr *empty_pool_pa;
605 while ((empty_pool_pa = TAILQ_FIRST(poola)) != NULL) {
606 pfi_dynaddr_remove(&empty_pool_pa->addr);
607 pf_tbladdr_remove(&empty_pool_pa->addr);
608 pfi_kif_unref(empty_pool_pa->kif, PFI_KIF_REF_RULE);
609 TAILQ_REMOVE(poola, empty_pool_pa, entries);
611 pool_put(&V_pf_pooladdr_pl, empty_pool_pa);
613 pool_put(&pf_pooladdr_pl, empty_pool_pa);
619 pf_rm_rule(struct pf_rulequeue *rulequeue, struct pf_rule *rule)
621 if (rulequeue != NULL) {
622 if (rule->states_cur <= 0) {
624 * XXX - we need to remove the table *before* detaching
625 * the rule to make sure the table code does not delete
626 * the anchor under our feet.
628 pf_tbladdr_remove(&rule->src.addr);
629 pf_tbladdr_remove(&rule->dst.addr);
630 if (rule->overload_tbl)
631 pfr_detach_table(rule->overload_tbl);
633 TAILQ_REMOVE(rulequeue, rule, entries);
634 rule->entries.tqe_prev = NULL;
638 if (rule->states_cur > 0 || rule->src_nodes > 0 ||
639 rule->entries.tqe_prev != NULL)
641 pf_tag_unref(rule->tag);
642 pf_tag_unref(rule->match_tag);
644 if (rule->pqid != rule->qid)
645 pf_qid_unref(rule->pqid);
646 pf_qid_unref(rule->qid);
648 pf_rtlabel_remove(&rule->src.addr);
649 pf_rtlabel_remove(&rule->dst.addr);
650 pfi_dynaddr_remove(&rule->src.addr);
651 pfi_dynaddr_remove(&rule->dst.addr);
652 if (rulequeue == NULL) {
653 pf_tbladdr_remove(&rule->src.addr);
654 pf_tbladdr_remove(&rule->dst.addr);
655 if (rule->overload_tbl)
656 pfr_detach_table(rule->overload_tbl);
658 pfi_kif_unref(rule->kif, PFI_KIF_REF_RULE);
659 pf_anchor_remove(rule);
660 pf_empty_pool(&rule->rpool.list);
662 pool_put(&V_pf_rule_pl, rule);
664 pool_put(&pf_rule_pl, rule);
669 tagname2tag(struct pf_tags *head, char *tagname)
671 struct pf_tagname *tag, *p = NULL;
672 u_int16_t new_tagid = 1;
674 TAILQ_FOREACH(tag, head, entries)
675 if (strcmp(tagname, tag->name) == 0) {
681 * to avoid fragmentation, we do a linear search from the beginning
682 * and take the first free slot we find. if there is none or the list
683 * is empty, append a new entry at the end.
687 if (!TAILQ_EMPTY(head))
688 for (p = TAILQ_FIRST(head); p != NULL &&
689 p->tag == new_tagid; p = TAILQ_NEXT(p, entries))
690 new_tagid = p->tag + 1;
692 if (new_tagid > TAGID_MAX)
695 /* allocate and fill new struct pf_tagname */
696 tag = malloc(sizeof(*tag), M_TEMP, M_NOWAIT|M_ZERO);
699 strlcpy(tag->name, tagname, sizeof(tag->name));
700 tag->tag = new_tagid;
703 if (p != NULL) /* insert new entry before p */
704 TAILQ_INSERT_BEFORE(p, tag, entries);
705 else /* either list empty or no free slot in between */
706 TAILQ_INSERT_TAIL(head, tag, entries);
712 tag2tagname(struct pf_tags *head, u_int16_t tagid, char *p)
714 struct pf_tagname *tag;
716 TAILQ_FOREACH(tag, head, entries)
717 if (tag->tag == tagid) {
718 strlcpy(p, tag->name, PF_TAG_NAME_SIZE);
724 tag_unref(struct pf_tags *head, u_int16_t tag)
726 struct pf_tagname *p, *next;
731 for (p = TAILQ_FIRST(head); p != NULL; p = next) {
732 next = TAILQ_NEXT(p, entries);
735 TAILQ_REMOVE(head, p, entries);
744 pf_tagname2tag(char *tagname)
747 return (tagname2tag(&V_pf_tags, tagname));
749 return (tagname2tag(&pf_tags, tagname));
754 pf_tag2tagname(u_int16_t tagid, char *p)
757 tag2tagname(&V_pf_tags, tagid, p);
759 tag2tagname(&pf_tags, tagid, p);
764 pf_tag_ref(u_int16_t tag)
766 struct pf_tagname *t;
769 TAILQ_FOREACH(t, &V_pf_tags, entries)
771 TAILQ_FOREACH(t, &pf_tags, entries)
780 pf_tag_unref(u_int16_t tag)
783 tag_unref(&V_pf_tags, tag);
785 tag_unref(&pf_tags, tag);
790 pf_rtlabel_add(struct pf_addr_wrap *a)
793 /* XXX_IMPORT: later */
796 if (a->type == PF_ADDR_RTLABEL &&
797 (a->v.rtlabel = rtlabel_name2id(a->v.rtlabelname)) == 0)
804 pf_rtlabel_remove(struct pf_addr_wrap *a)
807 /* XXX_IMPORT: later */
809 if (a->type == PF_ADDR_RTLABEL)
810 rtlabel_unref(a->v.rtlabel);
815 pf_rtlabel_copyout(struct pf_addr_wrap *a)
818 /* XXX_IMPORT: later */
819 if (a->type == PF_ADDR_RTLABEL && a->v.rtlabel)
820 strlcpy(a->v.rtlabelname, "?", sizeof(a->v.rtlabelname));
824 if (a->type == PF_ADDR_RTLABEL && a->v.rtlabel) {
825 if ((name = rtlabel_id2name(a->v.rtlabel)) == NULL)
826 strlcpy(a->v.rtlabelname, "?",
827 sizeof(a->v.rtlabelname));
829 strlcpy(a->v.rtlabelname, name,
830 sizeof(a->v.rtlabelname));
837 pf_qname2qid(char *qname)
840 return ((u_int32_t)tagname2tag(&V_pf_qids, qname));
842 return ((u_int32_t)tagname2tag(&pf_qids, qname));
847 pf_qid2qname(u_int32_t qid, char *p)
850 tag2tagname(&V_pf_qids, (u_int16_t)qid, p);
852 tag2tagname(&pf_qids, (u_int16_t)qid, p);
857 pf_qid_unref(u_int32_t qid)
860 tag_unref(&V_pf_qids, (u_int16_t)qid);
862 tag_unref(&pf_qids, (u_int16_t)qid);
867 pf_begin_altq(u_int32_t *ticket)
869 struct pf_altq *altq;
872 /* Purge the old altq list */
874 while ((altq = TAILQ_FIRST(V_pf_altqs_inactive)) != NULL) {
875 TAILQ_REMOVE(V_pf_altqs_inactive, altq, entries);
876 if (altq->qname[0] == 0 &&
877 (altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
879 while ((altq = TAILQ_FIRST(pf_altqs_inactive)) != NULL) {
880 TAILQ_REMOVE(pf_altqs_inactive, altq, entries);
881 if (altq->qname[0] == 0) {
883 /* detach and destroy the discipline */
884 error = altq_remove(altq);
886 pf_qid_unref(altq->qid);
888 pool_put(&V_pf_altq_pl, altq);
890 pool_put(&pf_altq_pl, altq);
896 *ticket = ++V_ticket_altqs_inactive;
897 V_altqs_inactive_open = 1;
899 *ticket = ++ticket_altqs_inactive;
900 altqs_inactive_open = 1;
906 pf_rollback_altq(u_int32_t ticket)
908 struct pf_altq *altq;
912 if (!V_altqs_inactive_open || ticket != V_ticket_altqs_inactive)
914 /* Purge the old altq list */
915 while ((altq = TAILQ_FIRST(V_pf_altqs_inactive)) != NULL) {
916 TAILQ_REMOVE(V_pf_altqs_inactive, altq, entries);
917 if (altq->qname[0] == 0 &&
918 (altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
920 if (!altqs_inactive_open || ticket != ticket_altqs_inactive)
922 /* Purge the old altq list */
923 while ((altq = TAILQ_FIRST(pf_altqs_inactive)) != NULL) {
924 TAILQ_REMOVE(pf_altqs_inactive, altq, entries);
925 if (altq->qname[0] == 0) {
927 /* detach and destroy the discipline */
928 error = altq_remove(altq);
930 pf_qid_unref(altq->qid);
932 pool_put(&V_pf_altq_pl, altq);
934 pool_put(&pf_altq_pl, altq);
938 V_altqs_inactive_open = 0;
940 altqs_inactive_open = 0;
946 pf_commit_altq(u_int32_t ticket)
948 struct pf_altqqueue *old_altqs;
949 struct pf_altq *altq;
950 int s, err, error = 0;
953 if (!V_altqs_inactive_open || ticket != V_ticket_altqs_inactive)
955 if (!altqs_inactive_open || ticket != ticket_altqs_inactive)
959 /* swap altqs, keep the old. */
962 old_altqs = V_pf_altqs_active;
963 V_pf_altqs_active = V_pf_altqs_inactive;
964 V_pf_altqs_inactive = old_altqs;
965 V_ticket_altqs_active = V_ticket_altqs_inactive;
967 old_altqs = pf_altqs_active;
968 pf_altqs_active = pf_altqs_inactive;
969 pf_altqs_inactive = old_altqs;
970 ticket_altqs_active = ticket_altqs_inactive;
973 /* Attach new disciplines */
975 TAILQ_FOREACH(altq, V_pf_altqs_active, entries) {
976 if (altq->qname[0] == 0 &&
977 (altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
979 TAILQ_FOREACH(altq, pf_altqs_active, entries) {
980 if (altq->qname[0] == 0) {
982 /* attach the discipline */
983 error = altq_pfattach(altq);
985 if (error == 0 && V_pf_altq_running)
987 if (error == 0 && pf_altq_running)
989 error = pf_enable_altq(altq);
997 /* Purge the old altq list */
999 while ((altq = TAILQ_FIRST(V_pf_altqs_inactive)) != NULL) {
1000 TAILQ_REMOVE(V_pf_altqs_inactive, altq, entries);
1001 if (altq->qname[0] == 0 &&
1002 (altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
1004 while ((altq = TAILQ_FIRST(pf_altqs_inactive)) != NULL) {
1005 TAILQ_REMOVE(pf_altqs_inactive, altq, entries);
1006 if (altq->qname[0] == 0) {
1008 /* detach and destroy the discipline */
1010 if (V_pf_altq_running)
1012 if (pf_altq_running)
1014 error = pf_disable_altq(altq);
1015 err = altq_pfdetach(altq);
1016 if (err != 0 && error == 0)
1018 err = altq_remove(altq);
1019 if (err != 0 && error == 0)
1022 pf_qid_unref(altq->qid);
1024 pool_put(&V_pf_altq_pl, altq);
1026 pool_put(&pf_altq_pl, altq);
1032 V_altqs_inactive_open = 0;
1034 altqs_inactive_open = 0;
1040 pf_enable_altq(struct pf_altq *altq)
1043 struct tb_profile tb;
1046 if ((ifp = ifunit(altq->ifname)) == NULL)
1049 if (ifp->if_snd.altq_type != ALTQT_NONE)
1050 error = altq_enable(&ifp->if_snd);
1052 /* set tokenbucket regulator */
1053 if (error == 0 && ifp != NULL && ALTQ_IS_ENABLED(&ifp->if_snd)) {
1054 tb.rate = altq->ifbandwidth;
1055 tb.depth = altq->tbrsize;
1060 error = tbr_set(&ifp->if_snd, &tb);
1071 pf_disable_altq(struct pf_altq *altq)
1074 struct tb_profile tb;
1077 if ((ifp = ifunit(altq->ifname)) == NULL)
1081 * when the discipline is no longer referenced, it was overridden
1082 * by a new one. if so, just return.
1084 if (altq->altq_disc != ifp->if_snd.altq_disc)
1087 error = altq_disable(&ifp->if_snd);
1090 /* clear tokenbucket regulator */
1096 error = tbr_set(&ifp->if_snd, &tb);
1108 pf_altq_ifnet_event(struct ifnet *ifp, int remove)
1111 struct pf_altq *a1, *a2, *a3;
1115 /* Interrupt userland queue modifications */
1117 if (V_altqs_inactive_open)
1118 pf_rollback_altq(V_ticket_altqs_inactive);
1120 if (altqs_inactive_open)
1121 pf_rollback_altq(ticket_altqs_inactive);
1124 /* Start new altq ruleset */
1125 if (pf_begin_altq(&ticket))
1128 /* Copy the current active set */
1130 TAILQ_FOREACH(a1, V_pf_altqs_active, entries) {
1131 a2 = pool_get(&V_pf_altq_pl, PR_NOWAIT);
1133 TAILQ_FOREACH(a1, pf_altqs_active, entries) {
1134 a2 = pool_get(&pf_altq_pl, PR_NOWAIT);
1140 bcopy(a1, a2, sizeof(struct pf_altq));
1142 if (a2->qname[0] != 0) {
1143 if ((a2->qid = pf_qname2qid(a2->qname)) == 0) {
1146 pool_put(&V_pf_altq_pl, a2);
1148 pool_put(&pf_altq_pl, a2);
1152 a2->altq_disc = NULL;
1154 TAILQ_FOREACH(a3, V_pf_altqs_inactive, entries) {
1156 TAILQ_FOREACH(a3, pf_altqs_inactive, entries) {
1158 if (strncmp(a3->ifname, a2->ifname,
1159 IFNAMSIZ) == 0 && a3->qname[0] == 0) {
1160 a2->altq_disc = a3->altq_disc;
1165 /* Deactivate the interface in question */
1166 a2->local_flags &= ~PFALTQ_FLAG_IF_REMOVED;
1167 if ((ifp1 = ifunit(a2->ifname)) == NULL ||
1168 (remove && ifp1 == ifp)) {
1169 a2->local_flags |= PFALTQ_FLAG_IF_REMOVED;
1172 error = altq_add(a2);
1176 if (ticket != V_ticket_altqs_inactive)
1178 if (ticket != ticket_altqs_inactive)
1184 pool_put(&V_pf_altq_pl, a2);
1186 pool_put(&pf_altq_pl, a2);
1193 TAILQ_INSERT_TAIL(V_pf_altqs_inactive, a2, entries);
1195 TAILQ_INSERT_TAIL(pf_altqs_inactive, a2, entries);
1200 pf_rollback_altq(ticket);
1202 pf_commit_altq(ticket);
1208 pf_begin_rules(u_int32_t *ticket, int rs_num, const char *anchor)
1210 struct pf_ruleset *rs;
1211 struct pf_rule *rule;
1213 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
1215 rs = pf_find_or_create_ruleset(anchor);
1218 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
1219 pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule);
1220 rs->rules[rs_num].inactive.rcount--;
1222 *ticket = ++rs->rules[rs_num].inactive.ticket;
1223 rs->rules[rs_num].inactive.open = 1;
1228 pf_rollback_rules(u_int32_t ticket, int rs_num, char *anchor)
1230 struct pf_ruleset *rs;
1231 struct pf_rule *rule;
1233 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
1235 rs = pf_find_ruleset(anchor);
1236 if (rs == NULL || !rs->rules[rs_num].inactive.open ||
1237 rs->rules[rs_num].inactive.ticket != ticket)
1239 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
1240 pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule);
1241 rs->rules[rs_num].inactive.rcount--;
1243 rs->rules[rs_num].inactive.open = 0;
1247 #define PF_MD5_UPD(st, elm) \
1248 MD5Update(ctx, (u_int8_t *) &(st)->elm, sizeof((st)->elm))
1250 #define PF_MD5_UPD_STR(st, elm) \
1251 MD5Update(ctx, (u_int8_t *) (st)->elm, strlen((st)->elm))
1253 #define PF_MD5_UPD_HTONL(st, elm, stor) do { \
1254 (stor) = htonl((st)->elm); \
1255 MD5Update(ctx, (u_int8_t *) &(stor), sizeof(u_int32_t));\
1258 #define PF_MD5_UPD_HTONS(st, elm, stor) do { \
1259 (stor) = htons((st)->elm); \
1260 MD5Update(ctx, (u_int8_t *) &(stor), sizeof(u_int16_t));\
1264 pf_hash_rule_addr(MD5_CTX *ctx, struct pf_rule_addr *pfr)
1266 PF_MD5_UPD(pfr, addr.type);
1267 switch (pfr->addr.type) {
1268 case PF_ADDR_DYNIFTL:
1269 PF_MD5_UPD(pfr, addr.v.ifname);
1270 PF_MD5_UPD(pfr, addr.iflags);
1273 PF_MD5_UPD(pfr, addr.v.tblname);
1275 case PF_ADDR_ADDRMASK:
1276 /* XXX ignore af? */
1277 PF_MD5_UPD(pfr, addr.v.a.addr.addr32);
1278 PF_MD5_UPD(pfr, addr.v.a.mask.addr32);
1280 case PF_ADDR_RTLABEL:
1281 PF_MD5_UPD(pfr, addr.v.rtlabelname);
1285 PF_MD5_UPD(pfr, port[0]);
1286 PF_MD5_UPD(pfr, port[1]);
1287 PF_MD5_UPD(pfr, neg);
1288 PF_MD5_UPD(pfr, port_op);
1292 pf_hash_rule(MD5_CTX *ctx, struct pf_rule *rule)
1297 pf_hash_rule_addr(ctx, &rule->src);
1298 pf_hash_rule_addr(ctx, &rule->dst);
1299 PF_MD5_UPD_STR(rule, label);
1300 PF_MD5_UPD_STR(rule, ifname);
1301 PF_MD5_UPD_STR(rule, match_tagname);
1302 PF_MD5_UPD_HTONS(rule, match_tag, x); /* dup? */
1303 PF_MD5_UPD_HTONL(rule, os_fingerprint, y);
1304 PF_MD5_UPD_HTONL(rule, prob, y);
1305 PF_MD5_UPD_HTONL(rule, uid.uid[0], y);
1306 PF_MD5_UPD_HTONL(rule, uid.uid[1], y);
1307 PF_MD5_UPD(rule, uid.op);
1308 PF_MD5_UPD_HTONL(rule, gid.gid[0], y);
1309 PF_MD5_UPD_HTONL(rule, gid.gid[1], y);
1310 PF_MD5_UPD(rule, gid.op);
1311 PF_MD5_UPD_HTONL(rule, rule_flag, y);
1312 PF_MD5_UPD(rule, action);
1313 PF_MD5_UPD(rule, direction);
1314 PF_MD5_UPD(rule, af);
1315 PF_MD5_UPD(rule, quick);
1316 PF_MD5_UPD(rule, ifnot);
1317 PF_MD5_UPD(rule, match_tag_not);
1318 PF_MD5_UPD(rule, natpass);
1319 PF_MD5_UPD(rule, keep_state);
1320 PF_MD5_UPD(rule, proto);
1321 PF_MD5_UPD(rule, type);
1322 PF_MD5_UPD(rule, code);
1323 PF_MD5_UPD(rule, flags);
1324 PF_MD5_UPD(rule, flagset);
1325 PF_MD5_UPD(rule, allow_opts);
1326 PF_MD5_UPD(rule, rt);
1327 PF_MD5_UPD(rule, tos);
1331 pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor)
1333 struct pf_ruleset *rs;
1334 struct pf_rule *rule, **old_array;
1335 struct pf_rulequeue *old_rules;
1337 u_int32_t old_rcount;
1339 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
1341 rs = pf_find_ruleset(anchor);
1342 if (rs == NULL || !rs->rules[rs_num].inactive.open ||
1343 ticket != rs->rules[rs_num].inactive.ticket)
1346 /* Calculate checksum for the main ruleset */
1347 if (rs == &pf_main_ruleset) {
1348 error = pf_setup_pfsync_matching(rs);
1353 /* Swap rules, keep the old. */
1355 old_rules = rs->rules[rs_num].active.ptr;
1356 old_rcount = rs->rules[rs_num].active.rcount;
1357 old_array = rs->rules[rs_num].active.ptr_array;
1359 rs->rules[rs_num].active.ptr =
1360 rs->rules[rs_num].inactive.ptr;
1361 rs->rules[rs_num].active.ptr_array =
1362 rs->rules[rs_num].inactive.ptr_array;
1363 rs->rules[rs_num].active.rcount =
1364 rs->rules[rs_num].inactive.rcount;
1365 rs->rules[rs_num].inactive.ptr = old_rules;
1366 rs->rules[rs_num].inactive.ptr_array = old_array;
1367 rs->rules[rs_num].inactive.rcount = old_rcount;
1369 rs->rules[rs_num].active.ticket =
1370 rs->rules[rs_num].inactive.ticket;
1371 pf_calc_skip_steps(rs->rules[rs_num].active.ptr);
1374 /* Purge the old rule list. */
1375 while ((rule = TAILQ_FIRST(old_rules)) != NULL)
1376 pf_rm_rule(old_rules, rule);
1377 if (rs->rules[rs_num].inactive.ptr_array)
1378 free(rs->rules[rs_num].inactive.ptr_array, M_TEMP);
1379 rs->rules[rs_num].inactive.ptr_array = NULL;
1380 rs->rules[rs_num].inactive.rcount = 0;
1381 rs->rules[rs_num].inactive.open = 0;
1382 pf_remove_if_empty_ruleset(rs);
1388 pf_setup_pfsync_matching(struct pf_ruleset *rs)
1391 struct pf_rule *rule;
1393 u_int8_t digest[PF_MD5_DIGEST_LENGTH];
1396 for (rs_cnt = 0; rs_cnt < PF_RULESET_MAX; rs_cnt++) {
1397 /* XXX PF_RULESET_SCRUB as well? */
1398 if (rs_cnt == PF_RULESET_SCRUB)
1401 if (rs->rules[rs_cnt].inactive.ptr_array)
1402 free(rs->rules[rs_cnt].inactive.ptr_array, M_TEMP);
1403 rs->rules[rs_cnt].inactive.ptr_array = NULL;
1405 if (rs->rules[rs_cnt].inactive.rcount) {
1406 rs->rules[rs_cnt].inactive.ptr_array =
1407 malloc(sizeof(caddr_t) *
1408 rs->rules[rs_cnt].inactive.rcount,
1411 if (!rs->rules[rs_cnt].inactive.ptr_array)
1415 TAILQ_FOREACH(rule, rs->rules[rs_cnt].inactive.ptr,
1417 pf_hash_rule(&ctx, rule);
1418 (rs->rules[rs_cnt].inactive.ptr_array)[rule->nr] = rule;
1422 MD5Final(digest, &ctx);
1424 memcpy(V_pf_status.pf_chksum, digest, sizeof(V_pf_status.pf_chksum));
1426 memcpy(pf_status.pf_chksum, digest, sizeof(pf_status.pf_chksum));
1432 pf_addr_setup(struct pf_ruleset *ruleset, struct pf_addr_wrap *addr,
1435 if (pfi_dynaddr_setup(addr, af) ||
1436 pf_tbladdr_setup(ruleset, addr))
1443 pf_addr_copyout(struct pf_addr_wrap *addr)
1445 pfi_dynaddr_copyout(addr);
1446 pf_tbladdr_copyout(addr);
1447 pf_rtlabel_copyout(addr);
1452 pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td)
1454 pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
1457 struct pf_pooladdr *pa = NULL;
1458 struct pf_pool *pool = NULL;
1464 CURVNET_SET(TD_TO_VNET(td));
1466 /* XXX keep in sync with switch() below */
1468 if (securelevel_gt(td->td_ucred, 2))
1470 if (securelevel > 1)
1478 case DIOCSETSTATUSIF:
1484 case DIOCGETTIMEOUT:
1485 case DIOCCLRRULECTRS:
1490 case DIOCGETRULESETS:
1491 case DIOCGETRULESET:
1492 case DIOCRGETTABLES:
1493 case DIOCRGETTSTATS:
1494 case DIOCRCLRTSTATS:
1500 case DIOCRGETASTATS:
1501 case DIOCRCLRASTATS:
1504 case DIOCGETSRCNODES:
1505 case DIOCCLRSRCNODES:
1506 case DIOCIGETIFACES:
1513 case DIOCRCLRTABLES:
1514 case DIOCRADDTABLES:
1515 case DIOCRDELTABLES:
1516 case DIOCRSETTFLAGS:
1517 if (((struct pfioc_table *)addr)->pfrio_flags &
1519 break; /* dummy operation ok */
1525 if (!(flags & FWRITE))
1533 case DIOCGETTIMEOUT:
1538 case DIOCGETRULESETS:
1539 case DIOCGETRULESET:
1541 case DIOCRGETTABLES:
1542 case DIOCRGETTSTATS:
1544 case DIOCRGETASTATS:
1547 case DIOCGETSRCNODES:
1548 case DIOCIGETIFACES:
1553 case DIOCRCLRTABLES:
1554 case DIOCRADDTABLES:
1555 case DIOCRDELTABLES:
1556 case DIOCRCLRTSTATS:
1561 case DIOCRSETTFLAGS:
1562 if (((struct pfioc_table *)addr)->pfrio_flags &
1564 flags |= FWRITE; /* need write lock for dummy */
1565 break; /* dummy operation ok */
1569 if (((struct pfioc_rule *)addr)->action ==
1579 sx_xlock(&V_pf_consistency_lock);
1581 sx_slock(&V_pf_consistency_lock);
1583 rw_enter_write(&pf_consistency_lock);
1585 rw_enter_read(&pf_consistency_lock);
1597 if (V_pf_status.running)
1599 if (pf_status.running)
1608 DPFPRINTF(PF_DEBUG_MISC,
1609 ("pf: pfil registeration fail\n"));
1612 V_pf_status.running = 1;
1613 V_pf_status.since = time_second;
1615 if (V_pf_status.stateid == 0) {
1616 V_pf_status.stateid = time_second;
1617 V_pf_status.stateid = V_pf_status.stateid << 32;
1620 pf_status.running = 1;
1621 pf_status.since = time_second;
1623 if (pf_status.stateid == 0) {
1624 pf_status.stateid = time_second;
1625 pf_status.stateid = pf_status.stateid << 32;
1628 DPFPRINTF(PF_DEBUG_MISC, ("pf: started\n"));
1634 if (!V_pf_status.running)
1637 V_pf_status.running = 0;
1639 error = dehook_pf();
1642 V_pf_status.running = 1;
1643 DPFPRINTF(PF_DEBUG_MISC,
1644 ("pf: pfil unregisteration failed\n"));
1646 V_pf_status.since = time_second;
1648 if (!pf_status.running)
1651 pf_status.running = 0;
1652 pf_status.since = time_second;
1654 DPFPRINTF(PF_DEBUG_MISC, ("pf: stopped\n"));
1659 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
1660 struct pf_ruleset *ruleset;
1661 struct pf_rule *rule, *tail;
1662 struct pf_pooladdr *pa;
1665 pr->anchor[sizeof(pr->anchor) - 1] = 0;
1666 ruleset = pf_find_ruleset(pr->anchor);
1667 if (ruleset == NULL) {
1671 rs_num = pf_get_ruleset_number(pr->rule.action);
1672 if (rs_num >= PF_RULESET_MAX) {
1676 if (pr->rule.return_icmp >> 8 > ICMP_MAXTYPE) {
1680 if (pr->ticket != ruleset->rules[rs_num].inactive.ticket) {
1682 DPFPRINTF(PF_DEBUG_MISC,
1683 ("ticket: %d != [%d]%d\n", pr->ticket, rs_num,
1684 ruleset->rules[rs_num].inactive.ticket));
1690 if (pr->pool_ticket != V_ticket_pabuf) {
1691 DPFPRINTF(PF_DEBUG_MISC,
1692 ("pool_ticket: %d != %d\n", pr->pool_ticket,
1695 if (pr->pool_ticket != ticket_pabuf) {
1701 rule = pool_get(&V_pf_rule_pl, PR_NOWAIT);
1703 rule = pool_get(&pf_rule_pl, PR_WAITOK|PR_LIMITFAIL);
1709 bcopy(&pr->rule, rule, sizeof(struct pf_rule));
1711 rule->cuid = td->td_ucred->cr_ruid;
1712 rule->cpid = td->td_proc ? td->td_proc->p_pid : 0;
1714 rule->cuid = p->p_cred->p_ruid;
1715 rule->cpid = p->p_pid;
1717 rule->anchor = NULL;
1719 TAILQ_INIT(&rule->rpool.list);
1720 /* initialize refcounting */
1721 rule->states_cur = 0;
1722 rule->src_nodes = 0;
1723 rule->entries.tqe_prev = NULL;
1725 if (rule->af == AF_INET) {
1727 pool_put(&V_pf_rule_pl, rule);
1729 pool_put(&pf_rule_pl, rule);
1731 error = EAFNOSUPPORT;
1736 if (rule->af == AF_INET6) {
1738 pool_put(&V_pf_rule_pl, rule);
1740 pool_put(&pf_rule_pl, rule);
1742 error = EAFNOSUPPORT;
1746 tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
1749 rule->nr = tail->nr + 1;
1752 if (rule->ifname[0]) {
1753 rule->kif = pfi_kif_get(rule->ifname);
1754 if (rule->kif == NULL) {
1756 pool_put(&V_pf_rule_pl, rule);
1758 pool_put(&pf_rule_pl, rule);
1763 pfi_kif_ref(rule->kif, PFI_KIF_REF_RULE);
1766 #ifdef __FreeBSD__ /* ROUTING */
1767 if (rule->rtableid > 0 && rule->rtableid > rt_numfibs)
1769 if (rule->rtableid > 0 && !rtable_exists(rule->rtableid))
1775 if (rule->qname[0] != 0) {
1776 if ((rule->qid = pf_qname2qid(rule->qname)) == 0)
1778 else if (rule->pqname[0] != 0) {
1780 pf_qname2qid(rule->pqname)) == 0)
1783 rule->pqid = rule->qid;
1786 if (rule->tagname[0])
1787 if ((rule->tag = pf_tagname2tag(rule->tagname)) == 0)
1789 if (rule->match_tagname[0])
1790 if ((rule->match_tag =
1791 pf_tagname2tag(rule->match_tagname)) == 0)
1793 if (rule->rt && !rule->direction)
1798 if (rule->logif >= PFLOGIFS_MAX)
1801 if (pf_rtlabel_add(&rule->src.addr) ||
1802 pf_rtlabel_add(&rule->dst.addr))
1804 if (pf_addr_setup(ruleset, &rule->src.addr, rule->af))
1806 if (pf_addr_setup(ruleset, &rule->dst.addr, rule->af))
1808 if (pf_anchor_setup(rule, ruleset, pr->anchor_call))
1811 TAILQ_FOREACH(pa, &V_pf_pabuf, entries)
1813 TAILQ_FOREACH(pa, &pf_pabuf, entries)
1815 if (pf_tbladdr_setup(ruleset, &pa->addr))
1818 if (rule->overload_tblname[0]) {
1819 if ((rule->overload_tbl = pfr_attach_table(ruleset,
1820 rule->overload_tblname, 0)) == NULL)
1823 rule->overload_tbl->pfrkt_flags |=
1828 pf_mv_pool(&V_pf_pabuf, &rule->rpool.list);
1830 pf_mv_pool(&pf_pabuf, &rule->rpool.list);
1832 if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) ||
1833 (rule->action == PF_BINAT)) && rule->anchor == NULL) ||
1834 (rule->rt > PF_FASTROUTE)) &&
1835 (TAILQ_FIRST(&rule->rpool.list) == NULL))
1839 pf_rm_rule(NULL, rule);
1844 if (!V_debug_pfugidhack && (rule->uid.op || rule->gid.op ||
1845 rule->log & PF_LOG_SOCKET_LOOKUP)) {
1846 DPFPRINTF(PF_DEBUG_MISC,
1847 ("pf: debug.pfugidhack enabled\n"));
1848 V_debug_pfugidhack = 1;
1851 rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list);
1852 rule->evaluations = rule->packets[0] = rule->packets[1] =
1853 rule->bytes[0] = rule->bytes[1] = 0;
1854 TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr,
1856 ruleset->rules[rs_num].inactive.rcount++;
1860 case DIOCGETRULES: {
1861 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
1862 struct pf_ruleset *ruleset;
1863 struct pf_rule *tail;
1866 pr->anchor[sizeof(pr->anchor) - 1] = 0;
1867 ruleset = pf_find_ruleset(pr->anchor);
1868 if (ruleset == NULL) {
1872 rs_num = pf_get_ruleset_number(pr->rule.action);
1873 if (rs_num >= PF_RULESET_MAX) {
1877 tail = TAILQ_LAST(ruleset->rules[rs_num].active.ptr,
1880 pr->nr = tail->nr + 1;
1883 pr->ticket = ruleset->rules[rs_num].active.ticket;
1888 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
1889 struct pf_ruleset *ruleset;
1890 struct pf_rule *rule;
1893 pr->anchor[sizeof(pr->anchor) - 1] = 0;
1894 ruleset = pf_find_ruleset(pr->anchor);
1895 if (ruleset == NULL) {
1899 rs_num = pf_get_ruleset_number(pr->rule.action);
1900 if (rs_num >= PF_RULESET_MAX) {
1904 if (pr->ticket != ruleset->rules[rs_num].active.ticket) {
1908 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
1909 while ((rule != NULL) && (rule->nr != pr->nr))
1910 rule = TAILQ_NEXT(rule, entries);
1915 bcopy(rule, &pr->rule, sizeof(struct pf_rule));
1916 if (pf_anchor_copyout(ruleset, rule, pr)) {
1920 pf_addr_copyout(&pr->rule.src.addr);
1921 pf_addr_copyout(&pr->rule.dst.addr);
1922 for (i = 0; i < PF_SKIP_COUNT; ++i)
1923 if (rule->skip[i].ptr == NULL)
1924 pr->rule.skip[i].nr = -1;
1926 pr->rule.skip[i].nr =
1927 rule->skip[i].ptr->nr;
1929 if (pr->action == PF_GET_CLR_CNTR) {
1930 rule->evaluations = 0;
1931 rule->packets[0] = rule->packets[1] = 0;
1932 rule->bytes[0] = rule->bytes[1] = 0;
1933 rule->states_tot = 0;
1938 case DIOCCHANGERULE: {
1939 struct pfioc_rule *pcr = (struct pfioc_rule *)addr;
1940 struct pf_ruleset *ruleset;
1941 struct pf_rule *oldrule = NULL, *newrule = NULL;
1945 if (!(pcr->action == PF_CHANGE_REMOVE ||
1946 pcr->action == PF_CHANGE_GET_TICKET) &&
1948 pcr->pool_ticket != V_ticket_pabuf) {
1950 pcr->pool_ticket != ticket_pabuf) {
1956 if (pcr->action < PF_CHANGE_ADD_HEAD ||
1957 pcr->action > PF_CHANGE_GET_TICKET) {
1961 ruleset = pf_find_ruleset(pcr->anchor);
1962 if (ruleset == NULL) {
1966 rs_num = pf_get_ruleset_number(pcr->rule.action);
1967 if (rs_num >= PF_RULESET_MAX) {
1972 if (pcr->action == PF_CHANGE_GET_TICKET) {
1973 pcr->ticket = ++ruleset->rules[rs_num].active.ticket;
1977 ruleset->rules[rs_num].active.ticket) {
1981 if (pcr->rule.return_icmp >> 8 > ICMP_MAXTYPE) {
1987 if (pcr->action != PF_CHANGE_REMOVE) {
1989 newrule = pool_get(&V_pf_rule_pl, PR_NOWAIT);
1991 newrule = pool_get(&pf_rule_pl, PR_WAITOK|PR_LIMITFAIL);
1993 if (newrule == NULL) {
1997 bcopy(&pcr->rule, newrule, sizeof(struct pf_rule));
1999 newrule->cuid = td->td_ucred->cr_ruid;
2000 newrule->cpid = td->td_proc ? td->td_proc->p_pid : 0;
2002 newrule->cuid = p->p_cred->p_ruid;
2003 newrule->cpid = p->p_pid;
2005 TAILQ_INIT(&newrule->rpool.list);
2006 /* initialize refcounting */
2007 newrule->states_cur = 0;
2008 newrule->entries.tqe_prev = NULL;
2010 if (newrule->af == AF_INET) {
2012 pool_put(&V_pf_rule_pl, newrule);
2014 pool_put(&pf_rule_pl, newrule);
2016 error = EAFNOSUPPORT;
2021 if (newrule->af == AF_INET6) {
2023 pool_put(&V_pf_rule_pl, newrule);
2025 pool_put(&pf_rule_pl, newrule);
2027 error = EAFNOSUPPORT;
2031 if (newrule->ifname[0]) {
2032 newrule->kif = pfi_kif_get(newrule->ifname);
2033 if (newrule->kif == NULL) {
2035 pool_put(&V_pf_rule_pl, newrule);
2037 pool_put(&pf_rule_pl, newrule);
2042 pfi_kif_ref(newrule->kif, PFI_KIF_REF_RULE);
2044 newrule->kif = NULL;
2046 if (newrule->rtableid > 0 &&
2047 #ifdef __FreeBSD__ /* ROUTING */
2048 newrule->rtableid > rt_numfibs)
2050 !rtable_exists(newrule->rtableid))
2056 if (newrule->qname[0] != 0) {
2058 pf_qname2qid(newrule->qname)) == 0)
2060 else if (newrule->pqname[0] != 0) {
2061 if ((newrule->pqid =
2062 pf_qname2qid(newrule->pqname)) == 0)
2065 newrule->pqid = newrule->qid;
2068 if (newrule->tagname[0])
2070 pf_tagname2tag(newrule->tagname)) == 0)
2072 if (newrule->match_tagname[0])
2073 if ((newrule->match_tag = pf_tagname2tag(
2074 newrule->match_tagname)) == 0)
2076 if (newrule->rt && !newrule->direction)
2081 if (newrule->logif >= PFLOGIFS_MAX)
2084 if (pf_rtlabel_add(&newrule->src.addr) ||
2085 pf_rtlabel_add(&newrule->dst.addr))
2087 if (pf_addr_setup(ruleset, &newrule->src.addr, newrule->af))
2089 if (pf_addr_setup(ruleset, &newrule->dst.addr, newrule->af))
2091 if (pf_anchor_setup(newrule, ruleset, pcr->anchor_call))
2094 TAILQ_FOREACH(pa, &V_pf_pabuf, entries)
2096 TAILQ_FOREACH(pa, &pf_pabuf, entries)
2098 if (pf_tbladdr_setup(ruleset, &pa->addr))
2101 if (newrule->overload_tblname[0]) {
2102 if ((newrule->overload_tbl = pfr_attach_table(
2103 ruleset, newrule->overload_tblname, 0)) ==
2107 newrule->overload_tbl->pfrkt_flags |=
2112 pf_mv_pool(&V_pf_pabuf, &newrule->rpool.list);
2114 pf_mv_pool(&pf_pabuf, &newrule->rpool.list);
2116 if (((((newrule->action == PF_NAT) ||
2117 (newrule->action == PF_RDR) ||
2118 (newrule->action == PF_BINAT) ||
2119 (newrule->rt > PF_FASTROUTE)) &&
2120 !newrule->anchor)) &&
2121 (TAILQ_FIRST(&newrule->rpool.list) == NULL))
2125 pf_rm_rule(NULL, newrule);
2130 if (!V_debug_pfugidhack && (newrule->uid.op ||
2132 newrule->log & PF_LOG_SOCKET_LOOKUP)) {
2133 DPFPRINTF(PF_DEBUG_MISC,
2134 ("pf: debug.pfugidhack enabled\n"));
2135 V_debug_pfugidhack = 1;
2139 newrule->rpool.cur = TAILQ_FIRST(&newrule->rpool.list);
2140 newrule->evaluations = 0;
2141 newrule->packets[0] = newrule->packets[1] = 0;
2142 newrule->bytes[0] = newrule->bytes[1] = 0;
2145 pf_empty_pool(&V_pf_pabuf);
2147 pf_empty_pool(&pf_pabuf);
2150 if (pcr->action == PF_CHANGE_ADD_HEAD)
2151 oldrule = TAILQ_FIRST(
2152 ruleset->rules[rs_num].active.ptr);
2153 else if (pcr->action == PF_CHANGE_ADD_TAIL)
2154 oldrule = TAILQ_LAST(
2155 ruleset->rules[rs_num].active.ptr, pf_rulequeue);
2157 oldrule = TAILQ_FIRST(
2158 ruleset->rules[rs_num].active.ptr);
2159 while ((oldrule != NULL) && (oldrule->nr != pcr->nr))
2160 oldrule = TAILQ_NEXT(oldrule, entries);
2161 if (oldrule == NULL) {
2162 if (newrule != NULL)
2163 pf_rm_rule(NULL, newrule);
2169 if (pcr->action == PF_CHANGE_REMOVE) {
2170 pf_rm_rule(ruleset->rules[rs_num].active.ptr, oldrule);
2171 ruleset->rules[rs_num].active.rcount--;
2173 if (oldrule == NULL)
2175 ruleset->rules[rs_num].active.ptr,
2177 else if (pcr->action == PF_CHANGE_ADD_HEAD ||
2178 pcr->action == PF_CHANGE_ADD_BEFORE)
2179 TAILQ_INSERT_BEFORE(oldrule, newrule, entries);
2182 ruleset->rules[rs_num].active.ptr,
2183 oldrule, newrule, entries);
2184 ruleset->rules[rs_num].active.rcount++;
2188 TAILQ_FOREACH(oldrule,
2189 ruleset->rules[rs_num].active.ptr, entries)
2192 ruleset->rules[rs_num].active.ticket++;
2194 pf_calc_skip_steps(ruleset->rules[rs_num].active.ptr);
2195 pf_remove_if_empty_ruleset(ruleset);
2200 case DIOCCLRSTATES: {
2201 struct pf_state *s, *nexts;
2202 struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
2206 for (s = RB_MIN(pf_state_tree_id, &V_tree_id); s; s = nexts) {
2207 nexts = RB_NEXT(pf_state_tree_id, &V_tree_id, s);
2209 for (s = RB_MIN(pf_state_tree_id, &tree_id); s; s = nexts) {
2210 nexts = RB_NEXT(pf_state_tree_id, &tree_id, s);
2213 if (!psk->psk_ifname[0] || !strcmp(psk->psk_ifname,
2214 s->kif->pfik_name)) {
2216 /* don't send out individual delete messages */
2217 SET(s->state_flags, PFSTATE_NOSYNC);
2223 psk->psk_killed = killed;
2226 if (pfsync_clear_states_ptr != NULL)
2227 pfsync_clear_states_ptr(V_pf_status.hostid, psk->psk_ifname);
2229 pfsync_clear_states(pf_status.hostid, psk->psk_ifname);
2235 case DIOCKILLSTATES: {
2236 struct pf_state *s, *nexts;
2237 struct pf_state_key *sk;
2238 struct pf_addr *srcaddr, *dstaddr;
2239 u_int16_t srcport, dstport;
2240 struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
2243 if (psk->psk_pfcmp.id) {
2244 if (psk->psk_pfcmp.creatorid == 0)
2246 psk->psk_pfcmp.creatorid = V_pf_status.hostid;
2248 psk->psk_pfcmp.creatorid = pf_status.hostid;
2250 if ((s = pf_find_state_byid(&psk->psk_pfcmp))) {
2252 psk->psk_killed = 1;
2258 for (s = RB_MIN(pf_state_tree_id, &V_tree_id); s;
2260 nexts = RB_NEXT(pf_state_tree_id, &V_tree_id, s);
2262 for (s = RB_MIN(pf_state_tree_id, &tree_id); s;
2264 nexts = RB_NEXT(pf_state_tree_id, &tree_id, s);
2266 sk = s->key[PF_SK_WIRE];
2268 if (s->direction == PF_OUT) {
2269 srcaddr = &sk->addr[1];
2270 dstaddr = &sk->addr[0];
2271 srcport = sk->port[0];
2272 dstport = sk->port[0];
2274 srcaddr = &sk->addr[0];
2275 dstaddr = &sk->addr[1];
2276 srcport = sk->port[0];
2277 dstport = sk->port[0];
2279 if ((!psk->psk_af || sk->af == psk->psk_af)
2280 && (!psk->psk_proto || psk->psk_proto ==
2282 PF_MATCHA(psk->psk_src.neg,
2283 &psk->psk_src.addr.v.a.addr,
2284 &psk->psk_src.addr.v.a.mask,
2286 PF_MATCHA(psk->psk_dst.neg,
2287 &psk->psk_dst.addr.v.a.addr,
2288 &psk->psk_dst.addr.v.a.mask,
2290 (psk->psk_src.port_op == 0 ||
2291 pf_match_port(psk->psk_src.port_op,
2292 psk->psk_src.port[0], psk->psk_src.port[1],
2294 (psk->psk_dst.port_op == 0 ||
2295 pf_match_port(psk->psk_dst.port_op,
2296 psk->psk_dst.port[0], psk->psk_dst.port[1],
2298 (!psk->psk_label[0] || (s->rule.ptr->label[0] &&
2299 !strcmp(psk->psk_label, s->rule.ptr->label))) &&
2300 (!psk->psk_ifname[0] || !strcmp(psk->psk_ifname,
2301 s->kif->pfik_name))) {
2306 psk->psk_killed = killed;
2310 case DIOCADDSTATE: {
2311 struct pfioc_state *ps = (struct pfioc_state *)addr;
2312 struct pfsync_state *sp = &ps->state;
2314 if (sp->timeout >= PFTM_MAX &&
2315 sp->timeout != PFTM_UNTIL_PACKET) {
2320 if (pfsync_state_import_ptr != NULL)
2321 error = pfsync_state_import_ptr(sp, PFSYNC_SI_IOCTL);
2323 error = pfsync_state_import(sp, PFSYNC_SI_IOCTL);
2328 case DIOCGETSTATE: {
2329 struct pfioc_state *ps = (struct pfioc_state *)addr;
2331 struct pf_state_cmp id_key;
2333 bcopy(ps->state.id, &id_key.id, sizeof(id_key.id));
2334 id_key.creatorid = ps->state.creatorid;
2336 s = pf_find_state_byid(&id_key);
2342 pfsync_state_export(&ps->state, s);
2346 case DIOCGETSTATES: {
2347 struct pfioc_states *ps = (struct pfioc_states *)addr;
2348 struct pf_state *state;
2349 struct pfsync_state *p, *pstore;
2352 if (ps->ps_len == 0) {
2354 nr = V_pf_status.states;
2356 nr = pf_status.states;
2358 ps->ps_len = sizeof(struct pfsync_state) * nr;
2365 pstore = malloc(sizeof(*pstore), M_TEMP, M_WAITOK);
2373 state = TAILQ_FIRST(&V_state_list);
2375 state = TAILQ_FIRST(&state_list);
2378 if (state->timeout != PFTM_UNLINKED) {
2379 if ((nr+1) * sizeof(*p) > (unsigned)ps->ps_len)
2381 pfsync_state_export(pstore, state);
2383 PF_COPYOUT(pstore, p, sizeof(*p), error);
2385 error = copyout(pstore, p, sizeof(*p));
2388 free(pstore, M_TEMP);
2394 state = TAILQ_NEXT(state, entry_list);
2397 ps->ps_len = sizeof(struct pfsync_state) * nr;
2399 free(pstore, M_TEMP);
2403 case DIOCGETSTATUS: {
2404 struct pf_status *s = (struct pf_status *)addr;
2406 bcopy(&V_pf_status, s, sizeof(struct pf_status));
2408 bcopy(&pf_status, s, sizeof(struct pf_status));
2410 pfi_update_status(s->ifname, s);
2414 case DIOCSETSTATUSIF: {
2415 struct pfioc_if *pi = (struct pfioc_if *)addr;
2417 if (pi->ifname[0] == 0) {
2419 bzero(V_pf_status.ifname, IFNAMSIZ);
2421 bzero(pf_status.ifname, IFNAMSIZ);
2426 strlcpy(V_pf_status.ifname, pi->ifname, IFNAMSIZ);
2428 strlcpy(pf_status.ifname, pi->ifname, IFNAMSIZ);
2433 case DIOCCLRSTATUS: {
2435 bzero(V_pf_status.counters, sizeof(V_pf_status.counters));
2436 bzero(V_pf_status.fcounters, sizeof(V_pf_status.fcounters));
2437 bzero(V_pf_status.scounters, sizeof(V_pf_status.scounters));
2438 V_pf_status.since = time_second;
2439 if (*V_pf_status.ifname)
2440 pfi_update_status(V_pf_status.ifname, NULL);
2442 bzero(pf_status.counters, sizeof(pf_status.counters));
2443 bzero(pf_status.fcounters, sizeof(pf_status.fcounters));
2444 bzero(pf_status.scounters, sizeof(pf_status.scounters));
2445 pf_status.since = time_second;
2446 if (*pf_status.ifname)
2447 pfi_update_status(pf_status.ifname, NULL);
2453 struct pfioc_natlook *pnl = (struct pfioc_natlook *)addr;
2454 struct pf_state_key *sk;
2455 struct pf_state *state;
2456 struct pf_state_key_cmp key;
2457 int m = 0, direction = pnl->direction;
2460 /* NATLOOK src and dst are reversed, so reverse sidx/didx */
2461 sidx = (direction == PF_IN) ? 1 : 0;
2462 didx = (direction == PF_IN) ? 0 : 1;
2465 PF_AZERO(&pnl->saddr, pnl->af) ||
2466 PF_AZERO(&pnl->daddr, pnl->af) ||
2467 ((pnl->proto == IPPROTO_TCP ||
2468 pnl->proto == IPPROTO_UDP) &&
2469 (!pnl->dport || !pnl->sport)))
2473 key.proto = pnl->proto;
2474 PF_ACPY(&key.addr[sidx], &pnl->saddr, pnl->af);
2475 key.port[sidx] = pnl->sport;
2476 PF_ACPY(&key.addr[didx], &pnl->daddr, pnl->af);
2477 key.port[didx] = pnl->dport;
2479 state = pf_find_state_all(&key, direction, &m);
2482 error = E2BIG; /* more than one state */
2483 else if (state != NULL) {
2484 sk = state->key[sidx];
2485 PF_ACPY(&pnl->rsaddr, &sk->addr[sidx], sk->af);
2486 pnl->rsport = sk->port[sidx];
2487 PF_ACPY(&pnl->rdaddr, &sk->addr[didx], sk->af);
2488 pnl->rdport = sk->port[didx];
2495 case DIOCSETTIMEOUT: {
2496 struct pfioc_tm *pt = (struct pfioc_tm *)addr;
2499 if (pt->timeout < 0 || pt->timeout >= PFTM_MAX ||
2505 old = V_pf_default_rule.timeout[pt->timeout];
2507 old = pf_default_rule.timeout[pt->timeout];
2509 if (pt->timeout == PFTM_INTERVAL && pt->seconds == 0)
2512 V_pf_default_rule.timeout[pt->timeout] = pt->seconds;
2514 pf_default_rule.timeout[pt->timeout] = pt->seconds;
2516 if (pt->timeout == PFTM_INTERVAL && pt->seconds < old)
2517 wakeup(pf_purge_thread);
2522 case DIOCGETTIMEOUT: {
2523 struct pfioc_tm *pt = (struct pfioc_tm *)addr;
2525 if (pt->timeout < 0 || pt->timeout >= PFTM_MAX) {
2530 pt->seconds = V_pf_default_rule.timeout[pt->timeout];
2532 pt->seconds = pf_default_rule.timeout[pt->timeout];
2537 case DIOCGETLIMIT: {
2538 struct pfioc_limit *pl = (struct pfioc_limit *)addr;
2540 if (pl->index < 0 || pl->index >= PF_LIMIT_MAX) {
2545 pl->limit = V_pf_pool_limits[pl->index].limit;
2547 pl->limit = pf_pool_limits[pl->index].limit;
2552 case DIOCSETLIMIT: {
2553 struct pfioc_limit *pl = (struct pfioc_limit *)addr;
2556 if (pl->index < 0 || pl->index >= PF_LIMIT_MAX ||
2558 V_pf_pool_limits[pl->index].pp == NULL) {
2560 pf_pool_limits[pl->index].pp == NULL) {
2566 uma_zone_set_max(V_pf_pool_limits[pl->index].pp, pl->limit);
2567 old_limit = V_pf_pool_limits[pl->index].limit;
2568 V_pf_pool_limits[pl->index].limit = pl->limit;
2569 pl->limit = old_limit;
2571 if (pool_sethardlimit(pf_pool_limits[pl->index].pp,
2572 pl->limit, NULL, 0) != 0) {
2576 old_limit = pf_pool_limits[pl->index].limit;
2577 pf_pool_limits[pl->index].limit = pl->limit;
2578 pl->limit = old_limit;
2583 case DIOCSETDEBUG: {
2584 u_int32_t *level = (u_int32_t *)addr;
2587 V_pf_status.debug = *level;
2589 pf_status.debug = *level;
2594 case DIOCCLRRULECTRS: {
2595 /* obsoleted by DIOCGETRULE with action=PF_GET_CLR_CNTR */
2596 struct pf_ruleset *ruleset = &pf_main_ruleset;
2597 struct pf_rule *rule;
2600 ruleset->rules[PF_RULESET_FILTER].active.ptr, entries) {
2601 rule->evaluations = 0;
2602 rule->packets[0] = rule->packets[1] = 0;
2603 rule->bytes[0] = rule->bytes[1] = 0;
2609 case DIOCGIFSPEED: {
2610 struct pf_ifspeed *psp = (struct pf_ifspeed *)addr;
2611 struct pf_ifspeed ps;
2614 if (psp->ifname[0] != 0) {
2615 /* Can we completely trust user-land? */
2616 strlcpy(ps.ifname, psp->ifname, IFNAMSIZ);
2617 ifp = ifunit(ps.ifname);
2619 psp->baudrate = ifp->if_baudrate;
2626 #endif /* __FreeBSD__ */
2629 case DIOCSTARTALTQ: {
2630 struct pf_altq *altq;
2632 /* enable all altq interfaces on active list */
2634 TAILQ_FOREACH(altq, V_pf_altqs_active, entries) {
2635 if (altq->qname[0] == 0 && (altq->local_flags &
2636 PFALTQ_FLAG_IF_REMOVED) == 0) {
2638 TAILQ_FOREACH(altq, pf_altqs_active, entries) {
2639 if (altq->qname[0] == 0) {
2641 error = pf_enable_altq(altq);
2648 V_pf_altq_running = 1;
2650 pf_altq_running = 1;
2652 DPFPRINTF(PF_DEBUG_MISC, ("altq: started\n"));
2656 case DIOCSTOPALTQ: {
2657 struct pf_altq *altq;
2659 /* disable all altq interfaces on active list */
2661 TAILQ_FOREACH(altq, V_pf_altqs_active, entries) {
2662 if (altq->qname[0] == 0 && (altq->local_flags &
2663 PFALTQ_FLAG_IF_REMOVED) == 0) {
2665 TAILQ_FOREACH(altq, pf_altqs_active, entries) {
2666 if (altq->qname[0] == 0) {
2668 error = pf_disable_altq(altq);
2675 V_pf_altq_running = 0;
2677 pf_altq_running = 0;
2679 DPFPRINTF(PF_DEBUG_MISC, ("altq: stopped\n"));
2684 struct pfioc_altq *pa = (struct pfioc_altq *)addr;
2685 struct pf_altq *altq, *a;
2688 if (pa->ticket != V_ticket_altqs_inactive) {
2690 if (pa->ticket != ticket_altqs_inactive) {
2696 altq = pool_get(&V_pf_altq_pl, PR_NOWAIT);
2698 altq = pool_get(&pf_altq_pl, PR_WAITOK|PR_LIMITFAIL);
2704 bcopy(&pa->altq, altq, sizeof(struct pf_altq));
2706 altq->local_flags = 0;
2710 * if this is for a queue, find the discipline and
2711 * copy the necessary fields
2713 if (altq->qname[0] != 0) {
2714 if ((altq->qid = pf_qname2qid(altq->qname)) == 0) {
2717 pool_put(&V_pf_altq_pl, altq);
2719 pool_put(&pf_altq_pl, altq);
2723 altq->altq_disc = NULL;
2725 TAILQ_FOREACH(a, V_pf_altqs_inactive, entries) {
2727 TAILQ_FOREACH(a, pf_altqs_inactive, entries) {
2729 if (strncmp(a->ifname, altq->ifname,
2730 IFNAMSIZ) == 0 && a->qname[0] == 0) {
2731 altq->altq_disc = a->altq_disc;
2740 if ((ifp = ifunit(altq->ifname)) == NULL) {
2741 altq->local_flags |= PFALTQ_FLAG_IF_REMOVED;
2745 error = altq_add(altq);
2752 pool_put(&V_pf_altq_pl, altq);
2754 pool_put(&pf_altq_pl, altq);
2760 TAILQ_INSERT_TAIL(V_pf_altqs_inactive, altq, entries);
2762 TAILQ_INSERT_TAIL(pf_altqs_inactive, altq, entries);
2764 bcopy(altq, &pa->altq, sizeof(struct pf_altq));
2768 case DIOCGETALTQS: {
2769 struct pfioc_altq *pa = (struct pfioc_altq *)addr;
2770 struct pf_altq *altq;
2774 TAILQ_FOREACH(altq, V_pf_altqs_active, entries)
2776 pa->ticket = V_ticket_altqs_active;
2778 TAILQ_FOREACH(altq, pf_altqs_active, entries)
2780 pa->ticket = ticket_altqs_active;
2786 struct pfioc_altq *pa = (struct pfioc_altq *)addr;
2787 struct pf_altq *altq;
2791 if (pa->ticket != V_ticket_altqs_active) {
2793 if (pa->ticket != ticket_altqs_active) {
2800 altq = TAILQ_FIRST(V_pf_altqs_active);
2802 altq = TAILQ_FIRST(pf_altqs_active);
2804 while ((altq != NULL) && (nr < pa->nr)) {
2805 altq = TAILQ_NEXT(altq, entries);
2812 bcopy(altq, &pa->altq, sizeof(struct pf_altq));
2816 case DIOCCHANGEALTQ:
2817 /* CHANGEALTQ not supported yet! */
2821 case DIOCGETQSTATS: {
2822 struct pfioc_qstats *pq = (struct pfioc_qstats *)addr;
2823 struct pf_altq *altq;
2828 if (pq->ticket != V_ticket_altqs_active) {
2830 if (pq->ticket != ticket_altqs_active) {
2835 nbytes = pq->nbytes;
2838 altq = TAILQ_FIRST(V_pf_altqs_active);
2840 altq = TAILQ_FIRST(pf_altqs_active);
2842 while ((altq != NULL) && (nr < pq->nr)) {
2843 altq = TAILQ_NEXT(altq, entries);
2852 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) != 0) {
2858 error = altq_getqstats(altq, pq->buf, &nbytes);
2863 pq->scheduler = altq->scheduler;
2864 pq->nbytes = nbytes;
2870 case DIOCBEGINADDRS: {
2871 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
2874 pf_empty_pool(&V_pf_pabuf);
2875 pp->ticket = ++V_ticket_pabuf;
2877 pf_empty_pool(&pf_pabuf);
2878 pp->ticket = ++ticket_pabuf;
2884 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
2887 if (pp->ticket != V_ticket_pabuf) {
2889 if (pp->ticket != ticket_pabuf) {
2895 if (pp->af == AF_INET) {
2896 error = EAFNOSUPPORT;
2901 if (pp->af == AF_INET6) {
2902 error = EAFNOSUPPORT;
2906 if (pp->addr.addr.type != PF_ADDR_ADDRMASK &&
2907 pp->addr.addr.type != PF_ADDR_DYNIFTL &&
2908 pp->addr.addr.type != PF_ADDR_TABLE) {
2913 pa = pool_get(&V_pf_pooladdr_pl, PR_NOWAIT);
2915 pa = pool_get(&pf_pooladdr_pl, PR_WAITOK|PR_LIMITFAIL);
2921 bcopy(&pp->addr, pa, sizeof(struct pf_pooladdr));
2922 if (pa->ifname[0]) {
2923 pa->kif = pfi_kif_get(pa->ifname);
2924 if (pa->kif == NULL) {
2926 pool_put(&V_pf_pooladdr_pl, pa);
2928 pool_put(&pf_pooladdr_pl, pa);
2933 pfi_kif_ref(pa->kif, PFI_KIF_REF_RULE);
2935 if (pfi_dynaddr_setup(&pa->addr, pp->af)) {
2936 pfi_dynaddr_remove(&pa->addr);
2937 pfi_kif_unref(pa->kif, PFI_KIF_REF_RULE);
2939 pool_put(&V_pf_pooladdr_pl, pa);
2941 pool_put(&pf_pooladdr_pl, pa);
2947 TAILQ_INSERT_TAIL(&V_pf_pabuf, pa, entries);
2949 TAILQ_INSERT_TAIL(&pf_pabuf, pa, entries);
2954 case DIOCGETADDRS: {
2955 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
2958 pool = pf_get_pool(pp->anchor, pp->ticket, pp->r_action,
2959 pp->r_num, 0, 1, 0);
2964 TAILQ_FOREACH(pa, &pool->list, entries)
2970 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
2973 pool = pf_get_pool(pp->anchor, pp->ticket, pp->r_action,
2974 pp->r_num, 0, 1, 1);
2979 pa = TAILQ_FIRST(&pool->list);
2980 while ((pa != NULL) && (nr < pp->nr)) {
2981 pa = TAILQ_NEXT(pa, entries);
2988 bcopy(pa, &pp->addr, sizeof(struct pf_pooladdr));
2989 pf_addr_copyout(&pp->addr.addr);
2993 case DIOCCHANGEADDR: {
2994 struct pfioc_pooladdr *pca = (struct pfioc_pooladdr *)addr;
2995 struct pf_pooladdr *oldpa = NULL, *newpa = NULL;
2996 struct pf_ruleset *ruleset;
2998 if (pca->action < PF_CHANGE_ADD_HEAD ||
2999 pca->action > PF_CHANGE_REMOVE) {
3003 if (pca->addr.addr.type != PF_ADDR_ADDRMASK &&
3004 pca->addr.addr.type != PF_ADDR_DYNIFTL &&
3005 pca->addr.addr.type != PF_ADDR_TABLE) {
3010 ruleset = pf_find_ruleset(pca->anchor);
3011 if (ruleset == NULL) {
3015 pool = pf_get_pool(pca->anchor, pca->ticket, pca->r_action,
3016 pca->r_num, pca->r_last, 1, 1);
3021 if (pca->action != PF_CHANGE_REMOVE) {
3023 newpa = pool_get(&V_pf_pooladdr_pl,
3026 newpa = pool_get(&pf_pooladdr_pl,
3027 PR_WAITOK|PR_LIMITFAIL);
3029 if (newpa == NULL) {
3033 bcopy(&pca->addr, newpa, sizeof(struct pf_pooladdr));
3035 if (pca->af == AF_INET) {
3037 pool_put(&V_pf_pooladdr_pl, newpa);
3039 pool_put(&pf_pooladdr_pl, newpa);
3041 error = EAFNOSUPPORT;
3046 if (pca->af == AF_INET6) {
3048 pool_put(&V_pf_pooladdr_pl, newpa);
3050 pool_put(&pf_pooladdr_pl, newpa);
3052 error = EAFNOSUPPORT;
3056 if (newpa->ifname[0]) {
3057 newpa->kif = pfi_kif_get(newpa->ifname);
3058 if (newpa->kif == NULL) {
3060 pool_put(&V_pf_pooladdr_pl, newpa);
3062 pool_put(&pf_pooladdr_pl, newpa);
3067 pfi_kif_ref(newpa->kif, PFI_KIF_REF_RULE);
3070 if (pfi_dynaddr_setup(&newpa->addr, pca->af) ||
3071 pf_tbladdr_setup(ruleset, &newpa->addr)) {
3072 pfi_dynaddr_remove(&newpa->addr);
3073 pfi_kif_unref(newpa->kif, PFI_KIF_REF_RULE);
3075 pool_put(&V_pf_pooladdr_pl, newpa);
3077 pool_put(&pf_pooladdr_pl, newpa);
3084 if (pca->action == PF_CHANGE_ADD_HEAD)
3085 oldpa = TAILQ_FIRST(&pool->list);
3086 else if (pca->action == PF_CHANGE_ADD_TAIL)
3087 oldpa = TAILQ_LAST(&pool->list, pf_palist);
3091 oldpa = TAILQ_FIRST(&pool->list);
3092 while ((oldpa != NULL) && (i < pca->nr)) {
3093 oldpa = TAILQ_NEXT(oldpa, entries);
3096 if (oldpa == NULL) {
3102 if (pca->action == PF_CHANGE_REMOVE) {
3103 TAILQ_REMOVE(&pool->list, oldpa, entries);
3104 pfi_dynaddr_remove(&oldpa->addr);
3105 pf_tbladdr_remove(&oldpa->addr);
3106 pfi_kif_unref(oldpa->kif, PFI_KIF_REF_RULE);
3108 pool_put(&V_pf_pooladdr_pl, oldpa);
3110 pool_put(&pf_pooladdr_pl, oldpa);
3114 TAILQ_INSERT_TAIL(&pool->list, newpa, entries);
3115 else if (pca->action == PF_CHANGE_ADD_HEAD ||
3116 pca->action == PF_CHANGE_ADD_BEFORE)
3117 TAILQ_INSERT_BEFORE(oldpa, newpa, entries);
3119 TAILQ_INSERT_AFTER(&pool->list, oldpa,
3123 pool->cur = TAILQ_FIRST(&pool->list);
3124 PF_ACPY(&pool->counter, &pool->cur->addr.v.a.addr,
3129 case DIOCGETRULESETS: {
3130 struct pfioc_ruleset *pr = (struct pfioc_ruleset *)addr;
3131 struct pf_ruleset *ruleset;
3132 struct pf_anchor *anchor;
3134 pr->path[sizeof(pr->path) - 1] = 0;
3135 if ((ruleset = pf_find_ruleset(pr->path)) == NULL) {
3140 if (ruleset->anchor == NULL) {
3141 /* XXX kludge for pf_main_ruleset */
3143 RB_FOREACH(anchor, pf_anchor_global, &V_pf_anchors)
3145 RB_FOREACH(anchor, pf_anchor_global, &pf_anchors)
3147 if (anchor->parent == NULL)
3150 RB_FOREACH(anchor, pf_anchor_node,
3151 &ruleset->anchor->children)
3157 case DIOCGETRULESET: {
3158 struct pfioc_ruleset *pr = (struct pfioc_ruleset *)addr;
3159 struct pf_ruleset *ruleset;
3160 struct pf_anchor *anchor;
3163 pr->path[sizeof(pr->path) - 1] = 0;
3164 if ((ruleset = pf_find_ruleset(pr->path)) == NULL) {
3169 if (ruleset->anchor == NULL) {
3170 /* XXX kludge for pf_main_ruleset */
3172 RB_FOREACH(anchor, pf_anchor_global, &V_pf_anchors)
3174 RB_FOREACH(anchor, pf_anchor_global, &pf_anchors)
3176 if (anchor->parent == NULL && nr++ == pr->nr) {
3177 strlcpy(pr->name, anchor->name,
3182 RB_FOREACH(anchor, pf_anchor_node,
3183 &ruleset->anchor->children)
3184 if (nr++ == pr->nr) {
3185 strlcpy(pr->name, anchor->name,
3195 case DIOCRCLRTABLES: {
3196 struct pfioc_table *io = (struct pfioc_table *)addr;
3198 if (io->pfrio_esize != 0) {
3202 error = pfr_clr_tables(&io->pfrio_table, &io->pfrio_ndel,
3203 io->pfrio_flags | PFR_FLAG_USERIOCTL);
3207 case DIOCRADDTABLES: {
3208 struct pfioc_table *io = (struct pfioc_table *)addr;
3210 if (io->pfrio_esize != sizeof(struct pfr_table)) {
3214 error = pfr_add_tables(io->pfrio_buffer, io->pfrio_size,
3215 &io->pfrio_nadd, io->pfrio_flags | PFR_FLAG_USERIOCTL);
3219 case DIOCRDELTABLES: {
3220 struct pfioc_table *io = (struct pfioc_table *)addr;
3222 if (io->pfrio_esize != sizeof(struct pfr_table)) {
3226 error = pfr_del_tables(io->pfrio_buffer, io->pfrio_size,
3227 &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL);
3231 case DIOCRGETTABLES: {
3232 struct pfioc_table *io = (struct pfioc_table *)addr;
3234 if (io->pfrio_esize != sizeof(struct pfr_table)) {
3238 error = pfr_get_tables(&io->pfrio_table, io->pfrio_buffer,
3239 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
3243 case DIOCRGETTSTATS: {
3244 struct pfioc_table *io = (struct pfioc_table *)addr;
3246 if (io->pfrio_esize != sizeof(struct pfr_tstats)) {
3250 error = pfr_get_tstats(&io->pfrio_table, io->pfrio_buffer,
3251 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
3255 case DIOCRCLRTSTATS: {
3256 struct pfioc_table *io = (struct pfioc_table *)addr;
3258 if (io->pfrio_esize != sizeof(struct pfr_table)) {
3262 error = pfr_clr_tstats(io->pfrio_buffer, io->pfrio_size,
3263 &io->pfrio_nzero, io->pfrio_flags | PFR_FLAG_USERIOCTL);
3267 case DIOCRSETTFLAGS: {
3268 struct pfioc_table *io = (struct pfioc_table *)addr;
3270 if (io->pfrio_esize != sizeof(struct pfr_table)) {
3274 error = pfr_set_tflags(io->pfrio_buffer, io->pfrio_size,
3275 io->pfrio_setflag, io->pfrio_clrflag, &io->pfrio_nchange,
3276 &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL);
3280 case DIOCRCLRADDRS: {
3281 struct pfioc_table *io = (struct pfioc_table *)addr;
3283 if (io->pfrio_esize != 0) {
3287 error = pfr_clr_addrs(&io->pfrio_table, &io->pfrio_ndel,
3288 io->pfrio_flags | PFR_FLAG_USERIOCTL);
3292 case DIOCRADDADDRS: {
3293 struct pfioc_table *io = (struct pfioc_table *)addr;
3295 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
3299 error = pfr_add_addrs(&io->pfrio_table, io->pfrio_buffer,
3300 io->pfrio_size, &io->pfrio_nadd, io->pfrio_flags |
3301 PFR_FLAG_USERIOCTL);
3305 case DIOCRDELADDRS: {
3306 struct pfioc_table *io = (struct pfioc_table *)addr;
3308 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
3312 error = pfr_del_addrs(&io->pfrio_table, io->pfrio_buffer,
3313 io->pfrio_size, &io->pfrio_ndel, io->pfrio_flags |
3314 PFR_FLAG_USERIOCTL);
3318 case DIOCRSETADDRS: {
3319 struct pfioc_table *io = (struct pfioc_table *)addr;
3321 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
3325 error = pfr_set_addrs(&io->pfrio_table, io->pfrio_buffer,
3326 io->pfrio_size, &io->pfrio_size2, &io->pfrio_nadd,
3327 &io->pfrio_ndel, &io->pfrio_nchange, io->pfrio_flags |
3328 PFR_FLAG_USERIOCTL, 0);
3332 case DIOCRGETADDRS: {
3333 struct pfioc_table *io = (struct pfioc_table *)addr;
3335 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
3339 error = pfr_get_addrs(&io->pfrio_table, io->pfrio_buffer,
3340 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
3344 case DIOCRGETASTATS: {
3345 struct pfioc_table *io = (struct pfioc_table *)addr;
3347 if (io->pfrio_esize != sizeof(struct pfr_astats)) {
3351 error = pfr_get_astats(&io->pfrio_table, io->pfrio_buffer,
3352 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
3356 case DIOCRCLRASTATS: {
3357 struct pfioc_table *io = (struct pfioc_table *)addr;
3359 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
3363 error = pfr_clr_astats(&io->pfrio_table, io->pfrio_buffer,
3364 io->pfrio_size, &io->pfrio_nzero, io->pfrio_flags |
3365 PFR_FLAG_USERIOCTL);
3369 case DIOCRTSTADDRS: {
3370 struct pfioc_table *io = (struct pfioc_table *)addr;
3372 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
3376 error = pfr_tst_addrs(&io->pfrio_table, io->pfrio_buffer,
3377 io->pfrio_size, &io->pfrio_nmatch, io->pfrio_flags |
3378 PFR_FLAG_USERIOCTL);
3382 case DIOCRINADEFINE: {
3383 struct pfioc_table *io = (struct pfioc_table *)addr;
3385 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
3389 error = pfr_ina_define(&io->pfrio_table, io->pfrio_buffer,
3390 io->pfrio_size, &io->pfrio_nadd, &io->pfrio_naddr,
3391 io->pfrio_ticket, io->pfrio_flags | PFR_FLAG_USERIOCTL);
3396 struct pf_osfp_ioctl *io = (struct pf_osfp_ioctl *)addr;
3397 error = pf_osfp_add(io);
3402 struct pf_osfp_ioctl *io = (struct pf_osfp_ioctl *)addr;
3403 error = pf_osfp_get(io);
3408 struct pfioc_trans *io = (struct pfioc_trans *)addr;
3409 struct pfioc_trans_e *ioe;
3410 struct pfr_table *table;
3413 if (io->esize != sizeof(*ioe)) {
3420 ioe = malloc(sizeof(*ioe), M_TEMP, M_WAITOK);
3421 table = malloc(sizeof(*table), M_TEMP, M_WAITOK);
3425 for (i = 0; i < io->size; i++) {
3427 PF_COPYIN(io->array+i, ioe, sizeof(*ioe), error);
3430 if (copyin(io->array+i, ioe, sizeof(*ioe))) {
3432 free(table, M_TEMP);
3437 switch (ioe->rs_num) {
3439 case PF_RULESET_ALTQ:
3440 if (ioe->anchor[0]) {
3441 free(table, M_TEMP);
3446 if ((error = pf_begin_altq(&ioe->ticket))) {
3447 free(table, M_TEMP);
3453 case PF_RULESET_TABLE:
3454 bzero(table, sizeof(*table));
3455 strlcpy(table->pfrt_anchor, ioe->anchor,
3456 sizeof(table->pfrt_anchor));
3457 if ((error = pfr_ina_begin(table,
3458 &ioe->ticket, NULL, 0))) {
3459 free(table, M_TEMP);
3465 if ((error = pf_begin_rules(&ioe->ticket,
3466 ioe->rs_num, ioe->anchor))) {
3467 free(table, M_TEMP);
3474 PF_COPYOUT(ioe, io->array+i, sizeof(io->array[i]),
3478 if (copyout(ioe, io->array+i, sizeof(io->array[i]))) {
3480 free(table, M_TEMP);
3486 free(table, M_TEMP);
3491 case DIOCXROLLBACK: {
3492 struct pfioc_trans *io = (struct pfioc_trans *)addr;
3493 struct pfioc_trans_e *ioe;
3494 struct pfr_table *table;
3497 if (io->esize != sizeof(*ioe)) {
3504 ioe = malloc(sizeof(*ioe), M_TEMP, M_WAITOK);
3505 table = malloc(sizeof(*table), M_TEMP, M_WAITOK);
3509 for (i = 0; i < io->size; i++) {
3511 PF_COPYIN(io->array+i, ioe, sizeof(*ioe), error);
3514 if (copyin(io->array+i, ioe, sizeof(*ioe))) {
3516 free(table, M_TEMP);
3521 switch (ioe->rs_num) {
3523 case PF_RULESET_ALTQ:
3524 if (ioe->anchor[0]) {
3525 free(table, M_TEMP);
3530 if ((error = pf_rollback_altq(ioe->ticket))) {
3531 free(table, M_TEMP);
3533 goto fail; /* really bad */
3537 case PF_RULESET_TABLE:
3538 bzero(table, sizeof(*table));
3539 strlcpy(table->pfrt_anchor, ioe->anchor,
3540 sizeof(table->pfrt_anchor));
3541 if ((error = pfr_ina_rollback(table,
3542 ioe->ticket, NULL, 0))) {
3543 free(table, M_TEMP);
3545 goto fail; /* really bad */
3549 if ((error = pf_rollback_rules(ioe->ticket,
3550 ioe->rs_num, ioe->anchor))) {
3551 free(table, M_TEMP);
3553 goto fail; /* really bad */
3558 free(table, M_TEMP);
3564 struct pfioc_trans *io = (struct pfioc_trans *)addr;
3565 struct pfioc_trans_e *ioe;
3566 struct pfr_table *table;
3567 struct pf_ruleset *rs;
3570 if (io->esize != sizeof(*ioe)) {
3577 ioe = malloc(sizeof(*ioe), M_TEMP, M_WAITOK);
3578 table = malloc(sizeof(*table), M_TEMP, M_WAITOK);
3582 /* first makes sure everything will succeed */
3583 for (i = 0; i < io->size; i++) {
3585 PF_COPYIN(io->array+i, ioe, sizeof(*ioe), error);
3588 if (copyin(io->array+i, ioe, sizeof(*ioe))) {
3590 free(table, M_TEMP);
3595 switch (ioe->rs_num) {
3597 case PF_RULESET_ALTQ:
3598 if (ioe->anchor[0]) {
3599 free(table, M_TEMP);
3605 if (!V_altqs_inactive_open || ioe->ticket !=
3606 V_ticket_altqs_inactive) {
3608 if (!altqs_inactive_open || ioe->ticket !=
3609 ticket_altqs_inactive) {
3611 free(table, M_TEMP);
3618 case PF_RULESET_TABLE:
3619 rs = pf_find_ruleset(ioe->anchor);
3620 if (rs == NULL || !rs->topen || ioe->ticket !=
3622 free(table, M_TEMP);
3629 if (ioe->rs_num < 0 || ioe->rs_num >=
3631 free(table, M_TEMP);
3636 rs = pf_find_ruleset(ioe->anchor);
3638 !rs->rules[ioe->rs_num].inactive.open ||
3639 rs->rules[ioe->rs_num].inactive.ticket !=
3641 free(table, M_TEMP);
3649 /* now do the commit - no errors should happen here */
3650 for (i = 0; i < io->size; i++) {
3652 PF_COPYIN(io->array+i, ioe, sizeof(*ioe), error);
3655 if (copyin(io->array+i, ioe, sizeof(*ioe))) {
3657 free(table, M_TEMP);
3662 switch (ioe->rs_num) {
3664 case PF_RULESET_ALTQ:
3665 if ((error = pf_commit_altq(ioe->ticket))) {
3666 free(table, M_TEMP);
3668 goto fail; /* really bad */
3672 case PF_RULESET_TABLE:
3673 bzero(table, sizeof(*table));
3674 strlcpy(table->pfrt_anchor, ioe->anchor,
3675 sizeof(table->pfrt_anchor));
3676 if ((error = pfr_ina_commit(table, ioe->ticket,
3678 free(table, M_TEMP);
3680 goto fail; /* really bad */
3684 if ((error = pf_commit_rules(ioe->ticket,
3685 ioe->rs_num, ioe->anchor))) {
3686 free(table, M_TEMP);
3688 goto fail; /* really bad */
3693 free(table, M_TEMP);
3698 case DIOCGETSRCNODES: {
3699 struct pfioc_src_nodes *psn = (struct pfioc_src_nodes *)addr;
3700 struct pf_src_node *n, *p, *pstore;
3702 int space = psn->psn_len;
3706 RB_FOREACH(n, pf_src_tree, &V_tree_src_tracking)
3708 RB_FOREACH(n, pf_src_tree, &tree_src_tracking)
3711 psn->psn_len = sizeof(struct pf_src_node) * nr;
3718 pstore = malloc(sizeof(*pstore), M_TEMP, M_WAITOK);
3722 p = psn->psn_src_nodes;
3724 RB_FOREACH(n, pf_src_tree, &V_tree_src_tracking) {
3726 RB_FOREACH(n, pf_src_tree, &tree_src_tracking) {
3728 int secs = time_second, diff;
3730 if ((nr + 1) * sizeof(*p) > (unsigned)psn->psn_len)
3733 bcopy(n, pstore, sizeof(*pstore));
3734 if (n->rule.ptr != NULL)
3735 pstore->rule.nr = n->rule.ptr->nr;
3736 pstore->creation = secs - pstore->creation;
3737 if (pstore->expire > secs)
3738 pstore->expire -= secs;
3742 /* adjust the connection rate estimate */
3743 diff = secs - n->conn_rate.last;
3744 if (diff >= n->conn_rate.seconds)
3745 pstore->conn_rate.count = 0;
3747 pstore->conn_rate.count -=
3748 n->conn_rate.count * diff /
3749 n->conn_rate.seconds;
3752 PF_COPYOUT(pstore, p, sizeof(*p), error);
3754 error = copyout(pstore, p, sizeof(*p));
3757 free(pstore, M_TEMP);
3763 psn->psn_len = sizeof(struct pf_src_node) * nr;
3765 free(pstore, M_TEMP);
3769 case DIOCCLRSRCNODES: {
3770 struct pf_src_node *n;
3771 struct pf_state *state;
3774 RB_FOREACH(state, pf_state_tree_id, &V_tree_id) {
3776 RB_FOREACH(state, pf_state_tree_id, &tree_id) {
3778 state->src_node = NULL;
3779 state->nat_src_node = NULL;
3782 RB_FOREACH(n, pf_src_tree, &V_tree_src_tracking) {
3784 RB_FOREACH(n, pf_src_tree, &tree_src_tracking) {
3789 pf_purge_expired_src_nodes(1);
3791 V_pf_status.src_nodes = 0;
3793 pf_status.src_nodes = 0;
3798 case DIOCKILLSRCNODES: {
3799 struct pf_src_node *sn;
3801 struct pfioc_src_node_kill *psnk =
3802 (struct pfioc_src_node_kill *)addr;
3806 RB_FOREACH(sn, pf_src_tree, &V_tree_src_tracking) {
3808 RB_FOREACH(sn, pf_src_tree, &tree_src_tracking) {
3810 if (PF_MATCHA(psnk->psnk_src.neg,
3811 &psnk->psnk_src.addr.v.a.addr,
3812 &psnk->psnk_src.addr.v.a.mask,
3813 &sn->addr, sn->af) &&
3814 PF_MATCHA(psnk->psnk_dst.neg,
3815 &psnk->psnk_dst.addr.v.a.addr,
3816 &psnk->psnk_dst.addr.v.a.mask,
3817 &sn->raddr, sn->af)) {
3818 /* Handle state to src_node linkage */
3819 if (sn->states != 0) {
3820 RB_FOREACH(s, pf_state_tree_id,
3826 if (s->src_node == sn)
3828 if (s->nat_src_node == sn)
3829 s->nat_src_node = NULL;
3839 pf_purge_expired_src_nodes(1);
3841 psnk->psnk_killed = killed;
3845 case DIOCSETHOSTID: {
3846 u_int32_t *hostid = (u_int32_t *)addr;
3850 V_pf_status.hostid = arc4random();
3852 V_pf_status.hostid = *hostid;
3855 pf_status.hostid = arc4random();
3857 pf_status.hostid = *hostid;
3866 case DIOCIGETIFACES: {
3867 struct pfioc_iface *io = (struct pfioc_iface *)addr;
3869 if (io->pfiio_esize != sizeof(struct pfi_kif)) {
3873 error = pfi_get_ifaces(io->pfiio_name, io->pfiio_buffer,
3878 case DIOCSETIFFLAG: {
3879 struct pfioc_iface *io = (struct pfioc_iface *)addr;
3881 error = pfi_set_flags(io->pfiio_name, io->pfiio_flags);
3885 case DIOCCLRIFFLAG: {
3886 struct pfioc_iface *io = (struct pfioc_iface *)addr;
3888 error = pfi_clear_flags(io->pfiio_name, io->pfiio_flags);
3901 sx_xunlock(&V_pf_consistency_lock);
3903 sx_sunlock(&V_pf_consistency_lock);
3907 rw_exit_write(&pf_consistency_lock);
3909 rw_exit_read(&pf_consistency_lock);
3919 pfsync_state_export(struct pfsync_state *sp, struct pf_state *st)
3921 bzero(sp, sizeof(struct pfsync_state));
3923 /* copy from state key */
3924 sp->key[PF_SK_WIRE].addr[0] = st->key[PF_SK_WIRE]->addr[0];
3925 sp->key[PF_SK_WIRE].addr[1] = st->key[PF_SK_WIRE]->addr[1];
3926 sp->key[PF_SK_WIRE].port[0] = st->key[PF_SK_WIRE]->port[0];
3927 sp->key[PF_SK_WIRE].port[1] = st->key[PF_SK_WIRE]->port[1];
3928 sp->key[PF_SK_STACK].addr[0] = st->key[PF_SK_STACK]->addr[0];
3929 sp->key[PF_SK_STACK].addr[1] = st->key[PF_SK_STACK]->addr[1];
3930 sp->key[PF_SK_STACK].port[0] = st->key[PF_SK_STACK]->port[0];
3931 sp->key[PF_SK_STACK].port[1] = st->key[PF_SK_STACK]->port[1];
3932 sp->proto = st->key[PF_SK_WIRE]->proto;
3933 sp->af = st->key[PF_SK_WIRE]->af;
3935 /* copy from state */
3936 strlcpy(sp->ifname, st->kif->pfik_name, sizeof(sp->ifname));
3937 bcopy(&st->rt_addr, &sp->rt_addr, sizeof(sp->rt_addr));
3938 sp->creation = htonl(time_second - st->creation);
3939 sp->expire = pf_state_expires(st);
3940 if (sp->expire <= time_second)
3941 sp->expire = htonl(0);
3943 sp->expire = htonl(sp->expire - time_second);
3945 sp->direction = st->direction;
3947 sp->timeout = st->timeout;
3948 sp->state_flags = st->state_flags;
3950 sp->sync_flags |= PFSYNC_FLAG_SRCNODE;
3951 if (st->nat_src_node)
3952 sp->sync_flags |= PFSYNC_FLAG_NATSRCNODE;
3954 bcopy(&st->id, &sp->id, sizeof(sp->id));
3955 sp->creatorid = st->creatorid;
3956 pf_state_peer_hton(&st->src, &sp->src);
3957 pf_state_peer_hton(&st->dst, &sp->dst);
3959 if (st->rule.ptr == NULL)
3960 sp->rule = htonl(-1);
3962 sp->rule = htonl(st->rule.ptr->nr);
3963 if (st->anchor.ptr == NULL)
3964 sp->anchor = htonl(-1);
3966 sp->anchor = htonl(st->anchor.ptr->nr);
3967 if (st->nat_rule.ptr == NULL)
3968 sp->nat_rule = htonl(-1);
3970 sp->nat_rule = htonl(st->nat_rule.ptr->nr);
3972 pf_state_counter_hton(st->packets[0], sp->packets[0]);
3973 pf_state_counter_hton(st->packets[1], sp->packets[1]);
3974 pf_state_counter_hton(st->bytes[0], sp->bytes[0]);
3975 pf_state_counter_hton(st->bytes[1], sp->bytes[1]);
3980 * XXX - Check for version missmatch!!!
3983 pf_clear_states(void)
3985 struct pf_state *state;
3988 RB_FOREACH(state, pf_state_tree_id, &V_tree_id) {
3990 RB_FOREACH(state, pf_state_tree_id, &tree_id) {
3992 state->timeout = PFTM_PURGE;
3994 /* don't send out individual delete messages */
3995 state->sync_state = PFSTATE_NOSYNC;
3997 pf_unlink_state(state);
4002 * XXX This is called on module unload, we do not want to sync that over? */
4004 pfsync_clear_states(V_pf_status.hostid, psk->psk_ifname);
4009 pf_clear_tables(void)
4011 struct pfioc_table io;
4014 bzero(&io, sizeof(io));
4016 error = pfr_clr_tables(&io.pfrio_table, &io.pfrio_ndel,
4023 pf_clear_srcnodes(void)
4025 struct pf_src_node *n;
4026 struct pf_state *state;
4029 RB_FOREACH(state, pf_state_tree_id, &V_tree_id) {
4031 RB_FOREACH(state, pf_state_tree_id, &tree_id) {
4033 state->src_node = NULL;
4034 state->nat_src_node = NULL;
4037 RB_FOREACH(n, pf_src_tree, &V_tree_src_tracking) {
4039 RB_FOREACH(n, pf_src_tree, &tree_src_tracking) {
4046 * XXX - Check for version missmatch!!!
4050 * Duplicate pfctl -Fa operation to get rid of as much as we can.
4059 V_pf_status.running = 0;
4061 if ((error = pf_begin_rules(&t[0], PF_RULESET_SCRUB, &nn))
4063 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: SCRUB\n"));
4066 if ((error = pf_begin_rules(&t[1], PF_RULESET_FILTER, &nn))
4068 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: FILTER\n"));
4069 break; /* XXX: rollback? */
4071 if ((error = pf_begin_rules(&t[2], PF_RULESET_NAT, &nn))
4073 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: NAT\n"));
4074 break; /* XXX: rollback? */
4076 if ((error = pf_begin_rules(&t[3], PF_RULESET_BINAT, &nn))
4078 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: BINAT\n"));
4079 break; /* XXX: rollback? */
4081 if ((error = pf_begin_rules(&t[4], PF_RULESET_RDR, &nn))
4083 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: RDR\n"));
4084 break; /* XXX: rollback? */
4087 /* XXX: these should always succeed here */
4088 pf_commit_rules(t[0], PF_RULESET_SCRUB, &nn);
4089 pf_commit_rules(t[1], PF_RULESET_FILTER, &nn);
4090 pf_commit_rules(t[2], PF_RULESET_NAT, &nn);
4091 pf_commit_rules(t[3], PF_RULESET_BINAT, &nn);
4092 pf_commit_rules(t[4], PF_RULESET_RDR, &nn);
4094 if ((error = pf_clear_tables()) != 0)
4098 if ((error = pf_begin_altq(&t[0])) != 0) {
4099 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: ALTQ\n"));
4102 pf_commit_altq(t[0]);
4107 pf_clear_srcnodes();
4109 /* status does not use malloced mem so no need to cleanup */
4110 /* fingerprints and interfaces have thier own cleanup code */
4118 pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
4122 * XXX Wed Jul 9 22:03:16 2003 UTC
4123 * OpenBSD has changed its byte ordering convention on ip_len/ip_off
4124 * in network stack. OpenBSD's network stack have converted
4125 * ip_len/ip_off to host byte order frist as FreeBSD.
4126 * Now this is not true anymore , so we should convert back to network
4129 struct ip *h = NULL;
4132 if ((*m)->m_pkthdr.len >= (int)sizeof(struct ip)) {
4133 /* if m_pkthdr.len is less than ip header, pf will handle. */
4134 h = mtod(*m, struct ip *);
4138 CURVNET_SET(ifp->if_vnet);
4139 chk = pf_test(PF_IN, ifp, m, NULL, inp);
4146 /* pf_test can change ip header location */
4147 h = mtod(*m, struct ip *);
4155 pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
4159 * XXX Wed Jul 9 22:03:16 2003 UTC
4160 * OpenBSD has changed its byte ordering convention on ip_len/ip_off
4161 * in network stack. OpenBSD's network stack have converted
4162 * ip_len/ip_off to host byte order frist as FreeBSD.
4163 * Now this is not true anymore , so we should convert back to network
4166 struct ip *h = NULL;
4169 /* We need a proper CSUM befor we start (s. OpenBSD ip_output) */
4170 if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
4171 in_delayed_cksum(*m);
4172 (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
4174 if ((*m)->m_pkthdr.len >= (int)sizeof(*h)) {
4175 /* if m_pkthdr.len is less than ip header, pf will handle. */
4176 h = mtod(*m, struct ip *);
4180 CURVNET_SET(ifp->if_vnet);
4181 chk = pf_test(PF_OUT, ifp, m, NULL, inp);
4188 /* pf_test can change ip header location */
4189 h = mtod(*m, struct ip *);
4199 pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
4204 * IPv6 is not affected by ip_len/ip_off byte order changes.
4209 * In case of loopback traffic IPv6 uses the real interface in
4210 * order to support scoped addresses. In order to support stateful
4211 * filtering we have change this to lo0 as it is the case in IPv4.
4213 CURVNET_SET(ifp->if_vnet);
4214 chk = pf_test6(PF_IN, (*m)->m_flags & M_LOOP ? V_loif : ifp, m,
4225 pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
4229 * IPv6 does not affected ip_len/ip_off byte order changes.
4233 /* We need a proper CSUM before we start (s. OpenBSD ip_output) */
4234 if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
4236 /* XXX-BZ copy&paste error from r126261? */
4237 in_delayed_cksum(*m);
4239 (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
4241 CURVNET_SET(ifp->if_vnet);
4242 chk = pf_test6(PF_OUT, ifp, m, NULL, inp);
4256 struct pfil_head *pfh_inet;
4259 struct pfil_head *pfh_inet6;
4264 if (V_pf_pfil_hooked)
4268 pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
4269 if (pfh_inet == NULL)
4270 return (ESRCH); /* XXX */
4271 pfil_add_hook(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet);
4272 pfil_add_hook(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet);
4275 pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
4276 if (pfh_inet6 == NULL) {
4278 pfil_remove_hook(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK,
4280 pfil_remove_hook(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK,
4283 return (ESRCH); /* XXX */
4285 pfil_add_hook(pf_check6_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6);
4286 pfil_add_hook(pf_check6_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6);
4289 V_pf_pfil_hooked = 1;
4297 struct pfil_head *pfh_inet;
4300 struct pfil_head *pfh_inet6;
4305 if (V_pf_pfil_hooked == 0)
4309 pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
4310 if (pfh_inet == NULL)
4311 return (ESRCH); /* XXX */
4312 pfil_remove_hook(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK,
4314 pfil_remove_hook(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK,
4318 pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
4319 if (pfh_inet6 == NULL)
4320 return (ESRCH); /* XXX */
4321 pfil_remove_hook(pf_check6_in, NULL, PFIL_IN | PFIL_WAITOK,
4323 pfil_remove_hook(pf_check6_out, NULL, PFIL_OUT | PFIL_WAITOK,
4327 V_pf_pfil_hooked = 0;
4331 /* Vnet accessors */
4333 vnet_pf_init(const void *unused)
4336 V_pf_pfil_hooked = 0;
4337 V_pf_end_threads = 0;
4339 V_debug_pfugidhack = 0;
4341 TAILQ_INIT(&V_pf_tags);
4342 TAILQ_INIT(&V_pf_qids);
4350 vnet_pf_uninit(const void *unused)
4358 /* Define startup order. */
4359 #define PF_SYSINIT_ORDER SI_SUB_PROTO_BEGIN
4360 #define PF_MODEVENT_ORDER (SI_ORDER_FIRST) /* On boot slot in here. */
4361 #define PF_VNET_ORDER (PF_MODEVENT_ORDER + 2) /* Later still. */
4365 * VNET_SYSINIT is called for each existing vnet and each new vnet.
4367 VNET_SYSINIT(vnet_pf_init, PF_SYSINIT_ORDER, PF_VNET_ORDER,
4368 vnet_pf_init, NULL);
4371 * Closing up shop. These are done in REVERSE ORDER,
4372 * Not called on reboot.
4373 * VNET_SYSUNINIT is called for each exiting vnet as it exits.
4375 VNET_SYSUNINIT(vnet_pf_uninit, PF_SYSINIT_ORDER, PF_VNET_ORDER,
4376 vnet_pf_uninit, NULL);
4383 sx_init(&V_pf_consistency_lock, "pf_statetbl_lock");
4396 V_pf_status.running = 0;
4398 error = dehook_pf();
4401 * Should not happen!
4402 * XXX Due to error code ESRCH, kldunload will show
4403 * a message like 'No such process'.
4405 printf("%s : pfil unregisteration fail\n", __FUNCTION__);
4410 V_pf_end_threads = 1;
4411 while (V_pf_end_threads < 2) {
4412 wakeup_one(pf_purge_thread);
4413 msleep(pf_purge_thread, &pf_task_mtx, 0, "pftmo", hz);
4420 sx_destroy(&V_pf_consistency_lock);
4425 pf_modevent(module_t mod, int type, void *data)
4432 pf_dev = make_dev(&pf_cdevsw, 0, 0, 0, 0600, PF_NAME);
4435 destroy_dev(pf_dev);
4445 static moduledata_t pf_mod = {
4451 DECLARE_MODULE(pf, pf_mod, SI_SUB_PSEUDO, SI_ORDER_FIRST);
4452 MODULE_VERSION(pf, PF_MODVER);
4453 #endif /* __FreeBSD__ */
projects / FreeBSD / releng / 9.0.git / blob