2 /* $OpenBSD: pf_ioctl.c,v 1.139 2005/03/03 07:13:39 dhartmei Exp $ */
3 /* add: $OpenBSD: pf_ioctl.c,v 1.168 2006/07/21 01:21:17 dhartmei Exp $ */
6 * Copyright (c) 2001 Daniel Hartmeier
7 * Copyright (c) 2002,2003 Henning Brauer
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
14 * - Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * - Redistributions in binary form must reproduce the above
17 * copyright notice, this list of conditions and the following
18 * disclaimer in the documentation and/or other materials provided
19 * with the distribution.
21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
24 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
25 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
27 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
28 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
29 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
31 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
32 * POSSIBILITY OF SUCH DAMAGE.
34 * Effort sponsored in part by the Defense Advanced Research Projects
35 * Agency (DARPA) and Air Force Research Laboratory, Air Force
36 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
42 #include "opt_inet6.h"
48 #define NBPFILTER DEV_BPF
49 #define NPFLOG DEV_PFLOG
50 #define NPFSYNC DEV_PFSYNC
57 #include <sys/param.h>
58 #include <sys/systm.h>
60 #include <sys/filio.h>
61 #include <sys/fcntl.h>
62 #include <sys/socket.h>
63 #include <sys/socketvar.h>
64 #include <sys/kernel.h>
66 #include <sys/malloc.h>
68 #include <sys/module.h>
72 #include <sys/timeout.h>
77 #include <net/if_types.h>
78 #include <net/route.h>
80 #include <netinet/in.h>
81 #include <netinet/in_var.h>
82 #include <netinet/in_systm.h>
83 #include <netinet/ip.h>
84 #include <netinet/ip_var.h>
85 #include <netinet/ip_icmp.h>
88 #include <dev/rndvar.h>
90 #include <net/pfvar.h>
93 #include <net/if_pfsync.h>
94 #endif /* NPFSYNC > 0 */
97 #include <net/if_pflog.h>
101 #include <netinet/ip6.h>
102 #include <netinet/in_pcb.h>
106 #include <altq/altq.h>
110 #include <sys/limits.h>
111 #include <sys/lock.h>
112 #include <sys/mutex.h>
113 #include <net/pfil.h>
114 #endif /* __FreeBSD__ */
117 void init_zone_var(void);
118 void cleanup_pf_zone(void);
122 int pfopen(dev_t, int, int, struct proc *);
123 int pfclose(dev_t, int, int, struct proc *);
125 struct pf_pool *pf_get_pool(char *, u_int32_t, u_int8_t, u_int32_t,
126 u_int8_t, u_int8_t, u_int8_t);
127 int pf_get_ruleset_number(u_int8_t);
128 void pf_init_ruleset(struct pf_ruleset *);
129 int pf_anchor_setup(struct pf_rule *,
130 const struct pf_ruleset *, const char *);
131 int pf_anchor_copyout(const struct pf_ruleset *,
132 const struct pf_rule *, struct pfioc_rule *);
133 void pf_anchor_remove(struct pf_rule *);
135 void pf_mv_pool(struct pf_palist *, struct pf_palist *);
136 void pf_empty_pool(struct pf_palist *);
138 int pfioctl(struct cdev *, u_long, caddr_t, int, struct thread *);
140 int pfioctl(struct cdev *, u_long, caddr_t, int, struct proc *);
143 int pf_begin_altq(u_int32_t *);
144 int pf_rollback_altq(u_int32_t);
145 int pf_commit_altq(u_int32_t);
146 int pf_enable_altq(struct pf_altq *);
147 int pf_disable_altq(struct pf_altq *);
149 int pf_begin_rules(u_int32_t *, int, const char *);
150 int pf_rollback_rules(u_int32_t, int, char *);
151 int pf_commit_rules(u_int32_t, int, char *);
154 extern struct callout pf_expire_to;
156 extern struct timeout pf_expire_to;
159 struct pf_rule pf_default_rule;
161 static int pf_altq_running;
164 #define TAGID_MAX 50000
165 TAILQ_HEAD(pf_tags, pf_tagname) pf_tags = TAILQ_HEAD_INITIALIZER(pf_tags),
166 pf_qids = TAILQ_HEAD_INITIALIZER(pf_qids);
168 #if (PF_QNAME_SIZE != PF_TAG_NAME_SIZE)
169 #error PF_QNAME_SIZE must be equal to PF_TAG_NAME_SIZE
171 static u_int16_t tagname2tag(struct pf_tags *, char *);
172 static void tag2tagname(struct pf_tags *, u_int16_t, char *);
173 static void tag_unref(struct pf_tags *, u_int16_t);
174 int pf_rtlabel_add(struct pf_addr_wrap *);
175 void pf_rtlabel_remove(struct pf_addr_wrap *);
176 void pf_rtlabel_copyout(struct pf_addr_wrap *);
178 #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
182 static struct cdev *pf_dev;
185 * XXX - These are new and need to be checked when moveing to a new version
187 static void pf_clear_states(void);
188 static int pf_clear_tables(void);
189 static void pf_clear_srcnodes(void);
191 * XXX - These are new and need to be checked when moveing to a new version
195 * Wrapper functions for pfil(9) hooks
197 static int pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp,
198 int dir, struct inpcb *inp);
199 static int pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp,
200 int dir, struct inpcb *inp);
202 static int pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp,
203 int dir, struct inpcb *inp);
204 static int pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp,
205 int dir, struct inpcb *inp);
208 static int hook_pf(void);
209 static int dehook_pf(void);
210 static int shutdown_pf(void);
211 static int pf_load(void);
212 static int pf_unload(void);
214 static struct cdevsw pf_cdevsw = {
217 .d_version = D_VERSION,
220 static volatile int pf_pfil_hooked = 0;
221 struct mtx pf_task_mtx;
222 pflog_packet_t *pflog_packet_ptr = NULL;
227 mtx_init(&pf_task_mtx, "pf task mtx", NULL, MTX_DEF);
231 destroy_pf_mutex(void)
233 mtx_destroy(&pf_task_mtx);
239 pf_src_tree_pl = pf_rule_pl = NULL;
240 pf_state_pl = pf_altq_pl = pf_pooladdr_pl = NULL;
241 pf_frent_pl = pf_frag_pl = pf_cache_pl = pf_cent_pl = NULL;
242 pf_state_scrub_pl = NULL;
243 pfr_ktable_pl = pfr_kentry_pl = NULL;
247 cleanup_pf_zone(void)
249 UMA_DESTROY(pf_src_tree_pl);
250 UMA_DESTROY(pf_rule_pl);
251 UMA_DESTROY(pf_state_pl);
252 UMA_DESTROY(pf_altq_pl);
253 UMA_DESTROY(pf_pooladdr_pl);
254 UMA_DESTROY(pf_frent_pl);
255 UMA_DESTROY(pf_frag_pl);
256 UMA_DESTROY(pf_cache_pl);
257 UMA_DESTROY(pf_cent_pl);
258 UMA_DESTROY(pfr_ktable_pl);
259 UMA_DESTROY(pfr_kentry_pl2);
260 UMA_DESTROY(pfr_kentry_pl);
261 UMA_DESTROY(pf_state_scrub_pl);
262 UMA_DESTROY(pfi_addr_pl);
268 u_int32_t *my_timeout = pf_default_rule.timeout;
272 UMA_CREATE(pf_src_tree_pl,struct pf_src_node, "pfsrctrpl");
273 UMA_CREATE(pf_rule_pl, struct pf_rule, "pfrulepl");
274 UMA_CREATE(pf_state_pl, struct pf_state, "pfstatepl");
275 UMA_CREATE(pf_altq_pl, struct pf_altq, "pfaltqpl");
276 UMA_CREATE(pf_pooladdr_pl, struct pf_pooladdr, "pfpooladdrpl");
277 UMA_CREATE(pfr_ktable_pl, struct pfr_ktable, "pfrktable");
278 UMA_CREATE(pfr_kentry_pl, struct pfr_kentry, "pfrkentry");
279 UMA_CREATE(pfr_kentry_pl2, struct pfr_kentry, "pfrkentry2");
280 UMA_CREATE(pf_frent_pl, struct pf_frent, "pffrent");
281 UMA_CREATE(pf_frag_pl, struct pf_fragment, "pffrag");
282 UMA_CREATE(pf_cache_pl, struct pf_fragment, "pffrcache");
283 UMA_CREATE(pf_cent_pl, struct pf_frcache, "pffrcent");
284 UMA_CREATE(pf_state_scrub_pl, struct pf_state_scrub,
286 UMA_CREATE(pfi_addr_pl, struct pfi_dynaddr, "pfiaddrpl");
295 if ( (error = pf_osfp_initialize()) ) {
301 pf_pool_limits[PF_LIMIT_STATES].pp = pf_state_pl;
302 pf_pool_limits[PF_LIMIT_STATES].limit = PFSTATE_HIWAT;
303 pf_pool_limits[PF_LIMIT_SRC_NODES].pp = pf_src_tree_pl;
304 pf_pool_limits[PF_LIMIT_SRC_NODES].limit = PFSNODE_HIWAT;
305 pf_pool_limits[PF_LIMIT_FRAGS].pp = pf_frent_pl;
306 pf_pool_limits[PF_LIMIT_FRAGS].limit = PFFRAG_FRENT_HIWAT;
307 uma_zone_set_max(pf_pool_limits[PF_LIMIT_STATES].pp,
308 pf_pool_limits[PF_LIMIT_STATES].limit);
310 RB_INIT(&tree_src_tracking);
311 RB_INIT(&pf_anchors);
312 pf_init_ruleset(&pf_main_ruleset);
313 TAILQ_INIT(&pf_altqs[0]);
314 TAILQ_INIT(&pf_altqs[1]);
315 TAILQ_INIT(&pf_pabuf);
316 pf_altqs_active = &pf_altqs[0];
317 pf_altqs_inactive = &pf_altqs[1];
318 TAILQ_INIT(&state_updates);
320 /* default rule should never be garbage collected */
321 pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next;
322 pf_default_rule.action = PF_PASS;
323 pf_default_rule.nr = -1;
325 /* initialize default timeouts */
326 my_timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
327 my_timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL;
328 my_timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL;
329 my_timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL;
330 my_timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL;
331 my_timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL;
332 my_timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL;
333 my_timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL;
334 my_timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL;
335 my_timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL;
336 my_timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL;
337 my_timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL;
338 my_timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL;
339 my_timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL;
340 my_timeout[PFTM_FRAG] = PFTM_FRAG_VAL;
341 my_timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL;
342 my_timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL;
343 my_timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
345 callout_init(&pf_expire_to, NET_CALLOUT_MPSAFE);
346 callout_reset(&pf_expire_to, my_timeout[PFTM_INTERVAL] * hz,
347 pf_purge_timeout, &pf_expire_to);
350 bzero(&pf_status, sizeof(pf_status));
353 /* XXX do our best to avoid a conflict */
354 pf_status.hostid = arc4random();
358 #else /* !__FreeBSD__ */
362 u_int32_t *timeout = pf_default_rule.timeout;
364 pool_init(&pf_rule_pl, sizeof(struct pf_rule), 0, 0, 0, "pfrulepl",
365 &pool_allocator_nointr);
366 pool_init(&pf_src_tree_pl, sizeof(struct pf_src_node), 0, 0, 0,
368 pool_init(&pf_state_pl, sizeof(struct pf_state), 0, 0, 0, "pfstatepl",
370 pool_init(&pf_altq_pl, sizeof(struct pf_altq), 0, 0, 0, "pfaltqpl",
371 &pool_allocator_nointr);
372 pool_init(&pf_pooladdr_pl, sizeof(struct pf_pooladdr), 0, 0, 0,
373 "pfpooladdrpl", &pool_allocator_nointr);
376 pf_osfp_initialize();
378 pool_sethardlimit(pf_pool_limits[PF_LIMIT_STATES].pp,
379 pf_pool_limits[PF_LIMIT_STATES].limit, NULL, 0);
381 RB_INIT(&tree_src_tracking);
382 RB_INIT(&pf_anchors);
383 pf_init_ruleset(&pf_main_ruleset);
384 TAILQ_INIT(&pf_altqs[0]);
385 TAILQ_INIT(&pf_altqs[1]);
386 TAILQ_INIT(&pf_pabuf);
387 pf_altqs_active = &pf_altqs[0];
388 pf_altqs_inactive = &pf_altqs[1];
389 TAILQ_INIT(&state_updates);
391 /* default rule should never be garbage collected */
392 pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next;
393 pf_default_rule.action = PF_PASS;
394 pf_default_rule.nr = -1;
396 /* initialize default timeouts */
397 timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
398 timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL;
399 timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL;
400 timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL;
401 timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL;
402 timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL;
403 timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL;
404 timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL;
405 timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL;
406 timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL;
407 timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL;
408 timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL;
409 timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL;
410 timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL;
411 timeout[PFTM_FRAG] = PFTM_FRAG_VAL;
412 timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL;
413 timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL;
414 timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
416 timeout_set(&pf_expire_to, pf_purge_timeout, &pf_expire_to);
417 timeout_add(&pf_expire_to, timeout[PFTM_INTERVAL] * hz);
420 bzero(&pf_status, sizeof(pf_status));
421 pf_status.debug = PF_DEBUG_URGENT;
423 /* XXX do our best to avoid a conflict */
424 pf_status.hostid = arc4random();
428 pfopen(struct cdev *dev, int flags, int fmt, struct proc *p)
436 pfclose(struct cdev *dev, int flags, int fmt, struct proc *p)
442 #endif /* __FreeBSD__ */
445 pf_get_pool(char *anchor, u_int32_t ticket, u_int8_t rule_action,
446 u_int32_t rule_number, u_int8_t r_last, u_int8_t active,
447 u_int8_t check_ticket)
449 struct pf_ruleset *ruleset;
450 struct pf_rule *rule;
453 ruleset = pf_find_ruleset(anchor);
456 rs_num = pf_get_ruleset_number(rule_action);
457 if (rs_num >= PF_RULESET_MAX)
460 if (check_ticket && ticket !=
461 ruleset->rules[rs_num].active.ticket)
464 rule = TAILQ_LAST(ruleset->rules[rs_num].active.ptr,
467 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
469 if (check_ticket && ticket !=
470 ruleset->rules[rs_num].inactive.ticket)
473 rule = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
476 rule = TAILQ_FIRST(ruleset->rules[rs_num].inactive.ptr);
479 while ((rule != NULL) && (rule->nr != rule_number))
480 rule = TAILQ_NEXT(rule, entries);
485 return (&rule->rpool);
489 pf_get_ruleset_number(u_int8_t action)
494 return (PF_RULESET_SCRUB);
498 return (PF_RULESET_FILTER);
502 return (PF_RULESET_NAT);
506 return (PF_RULESET_BINAT);
510 return (PF_RULESET_RDR);
513 return (PF_RULESET_MAX);
519 pf_init_ruleset(struct pf_ruleset *ruleset)
523 memset(ruleset, 0, sizeof(struct pf_ruleset));
524 for (i = 0; i < PF_RULESET_MAX; i++) {
525 TAILQ_INIT(&ruleset->rules[i].queues[0]);
526 TAILQ_INIT(&ruleset->rules[i].queues[1]);
527 ruleset->rules[i].active.ptr = &ruleset->rules[i].queues[0];
528 ruleset->rules[i].inactive.ptr = &ruleset->rules[i].queues[1];
533 pf_find_anchor(const char *path)
535 static struct pf_anchor key;
537 memset(&key, 0, sizeof(key));
538 strlcpy(key.path, path, sizeof(key.path));
539 return (RB_FIND(pf_anchor_global, &pf_anchors, &key));
543 pf_find_ruleset(const char *path)
545 struct pf_anchor *anchor;
550 return (&pf_main_ruleset);
551 anchor = pf_find_anchor(path);
555 return (&anchor->ruleset);
559 pf_find_or_create_ruleset(const char *path)
561 static char p[MAXPATHLEN];
562 char *q = NULL, *r; /* make the compiler happy */
563 struct pf_ruleset *ruleset;
564 struct pf_anchor *anchor = NULL, *dup, *parent = NULL;
568 ruleset = pf_find_ruleset(path);
571 strlcpy(p, path, sizeof(p));
573 while (parent == NULL && (q = rindex(p, '/')) != NULL) {
575 while (parent == NULL && (q = strrchr(p, '/')) != NULL) {
578 if ((ruleset = pf_find_ruleset(p)) != NULL) {
579 parent = ruleset->anchor;
587 strlcpy(p, path, sizeof(p));
591 while ((r = index(q, '/')) != NULL || *q) {
593 while ((r = strchr(q, '/')) != NULL || *q) {
597 if (!*q || strlen(q) >= PF_ANCHOR_NAME_SIZE ||
598 (parent != NULL && strlen(parent->path) >=
599 MAXPATHLEN - PF_ANCHOR_NAME_SIZE - 1))
601 anchor = (struct pf_anchor *)malloc(sizeof(*anchor), M_TEMP,
605 memset(anchor, 0, sizeof(*anchor));
606 RB_INIT(&anchor->children);
607 strlcpy(anchor->name, q, sizeof(anchor->name));
608 if (parent != NULL) {
609 strlcpy(anchor->path, parent->path,
610 sizeof(anchor->path));
611 strlcat(anchor->path, "/", sizeof(anchor->path));
613 strlcat(anchor->path, anchor->name, sizeof(anchor->path));
614 if ((dup = RB_INSERT(pf_anchor_global, &pf_anchors, anchor)) !=
616 printf("pf_find_or_create_ruleset: RB_INSERT1 "
617 "'%s' '%s' collides with '%s' '%s'\n",
618 anchor->path, anchor->name, dup->path, dup->name);
619 free(anchor, M_TEMP);
622 if (parent != NULL) {
623 anchor->parent = parent;
624 if ((dup = RB_INSERT(pf_anchor_node, &parent->children,
626 printf("pf_find_or_create_ruleset: "
627 "RB_INSERT2 '%s' '%s' collides with "
628 "'%s' '%s'\n", anchor->path, anchor->name,
629 dup->path, dup->name);
630 RB_REMOVE(pf_anchor_global, &pf_anchors,
632 free(anchor, M_TEMP);
636 pf_init_ruleset(&anchor->ruleset);
637 anchor->ruleset.anchor = anchor;
644 return (&anchor->ruleset);
648 pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset)
650 struct pf_anchor *parent;
653 while (ruleset != NULL) {
654 if (ruleset == &pf_main_ruleset || ruleset->anchor == NULL ||
655 !RB_EMPTY(&ruleset->anchor->children) ||
656 ruleset->anchor->refcnt > 0 || ruleset->tables > 0 ||
659 for (i = 0; i < PF_RULESET_MAX; ++i)
660 if (!TAILQ_EMPTY(ruleset->rules[i].active.ptr) ||
661 !TAILQ_EMPTY(ruleset->rules[i].inactive.ptr) ||
662 ruleset->rules[i].inactive.open)
664 RB_REMOVE(pf_anchor_global, &pf_anchors, ruleset->anchor);
665 if ((parent = ruleset->anchor->parent) != NULL)
666 RB_REMOVE(pf_anchor_node, &parent->children,
668 free(ruleset->anchor, M_TEMP);
671 ruleset = &parent->ruleset;
676 pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s,
679 static char *p, path[MAXPATHLEN];
680 struct pf_ruleset *ruleset;
683 r->anchor_relative = 0;
684 r->anchor_wildcard = 0;
688 strlcpy(path, name + 1, sizeof(path));
691 r->anchor_relative = 1;
692 if (s->anchor == NULL || !s->anchor->path[0])
695 strlcpy(path, s->anchor->path, sizeof(path));
696 while (name[0] == '.' && name[1] == '.' && name[2] == '/') {
698 printf("pf_anchor_setup: .. beyond root\n");
702 if ((p = rindex(path, '/')) != NULL)
704 if ((p = strrchr(path, '/')) != NULL)
709 r->anchor_relative++;
713 strlcat(path, "/", sizeof(path));
714 strlcat(path, name, sizeof(path));
717 if ((p = rindex(path, '/')) != NULL && !strcmp(p, "/*")) {
719 if ((p = strrchr(path, '/')) != NULL && !strcmp(p, "/*")) {
721 r->anchor_wildcard = 1;
724 ruleset = pf_find_or_create_ruleset(path);
725 if (ruleset == NULL || ruleset->anchor == NULL) {
726 printf("pf_anchor_setup: ruleset\n");
729 r->anchor = ruleset->anchor;
735 pf_anchor_copyout(const struct pf_ruleset *rs, const struct pf_rule *r,
736 struct pfioc_rule *pr)
738 pr->anchor_call[0] = 0;
739 if (r->anchor == NULL)
741 if (!r->anchor_relative) {
742 strlcpy(pr->anchor_call, "/", sizeof(pr->anchor_call));
743 strlcat(pr->anchor_call, r->anchor->path,
744 sizeof(pr->anchor_call));
746 char a[MAXPATHLEN], b[MAXPATHLEN], *p;
749 if (rs->anchor == NULL)
752 strlcpy(a, rs->anchor->path, sizeof(a));
753 strlcpy(b, r->anchor->path, sizeof(b));
754 for (i = 1; i < r->anchor_relative; ++i) {
756 if ((p = rindex(a, '/')) == NULL)
758 if ((p = strrchr(a, '/')) == NULL)
762 strlcat(pr->anchor_call, "../",
763 sizeof(pr->anchor_call));
765 if (strncmp(a, b, strlen(a))) {
766 printf("pf_anchor_copyout: '%s' '%s'\n", a, b);
769 if (strlen(b) > strlen(a))
770 strlcat(pr->anchor_call, b + (a[0] ? strlen(a) + 1 : 0),
771 sizeof(pr->anchor_call));
773 if (r->anchor_wildcard)
774 strlcat(pr->anchor_call, pr->anchor_call[0] ? "/*" : "*",
775 sizeof(pr->anchor_call));
780 pf_anchor_remove(struct pf_rule *r)
782 if (r->anchor == NULL)
784 if (r->anchor->refcnt <= 0) {
785 printf("pf_anchor_remove: broken refcount");
789 if (!--r->anchor->refcnt)
790 pf_remove_if_empty_ruleset(&r->anchor->ruleset);
795 pf_mv_pool(struct pf_palist *poola, struct pf_palist *poolb)
797 struct pf_pooladdr *mv_pool_pa;
799 while ((mv_pool_pa = TAILQ_FIRST(poola)) != NULL) {
800 TAILQ_REMOVE(poola, mv_pool_pa, entries);
801 TAILQ_INSERT_TAIL(poolb, mv_pool_pa, entries);
806 pf_empty_pool(struct pf_palist *poola)
808 struct pf_pooladdr *empty_pool_pa;
810 while ((empty_pool_pa = TAILQ_FIRST(poola)) != NULL) {
811 pfi_dynaddr_remove(&empty_pool_pa->addr);
812 pf_tbladdr_remove(&empty_pool_pa->addr);
813 pfi_detach_rule(empty_pool_pa->kif);
814 TAILQ_REMOVE(poola, empty_pool_pa, entries);
815 pool_put(&pf_pooladdr_pl, empty_pool_pa);
820 pf_rm_rule(struct pf_rulequeue *rulequeue, struct pf_rule *rule)
822 if (rulequeue != NULL) {
823 if (rule->states <= 0) {
825 * XXX - we need to remove the table *before* detaching
826 * the rule to make sure the table code does not delete
827 * the anchor under our feet.
829 pf_tbladdr_remove(&rule->src.addr);
830 pf_tbladdr_remove(&rule->dst.addr);
831 if (rule->overload_tbl)
832 pfr_detach_table(rule->overload_tbl);
834 TAILQ_REMOVE(rulequeue, rule, entries);
835 rule->entries.tqe_prev = NULL;
839 if (rule->states > 0 || rule->src_nodes > 0 ||
840 rule->entries.tqe_prev != NULL)
842 pf_tag_unref(rule->tag);
843 pf_tag_unref(rule->match_tag);
845 if (rule->pqid != rule->qid)
846 pf_qid_unref(rule->pqid);
847 pf_qid_unref(rule->qid);
849 pf_rtlabel_remove(&rule->src.addr);
850 pf_rtlabel_remove(&rule->dst.addr);
851 pfi_dynaddr_remove(&rule->src.addr);
852 pfi_dynaddr_remove(&rule->dst.addr);
853 if (rulequeue == NULL) {
854 pf_tbladdr_remove(&rule->src.addr);
855 pf_tbladdr_remove(&rule->dst.addr);
856 if (rule->overload_tbl)
857 pfr_detach_table(rule->overload_tbl);
859 pfi_detach_rule(rule->kif);
860 pf_anchor_remove(rule);
861 pf_empty_pool(&rule->rpool.list);
862 pool_put(&pf_rule_pl, rule);
866 tagname2tag(struct pf_tags *head, char *tagname)
868 struct pf_tagname *tag, *p = NULL;
869 u_int16_t new_tagid = 1;
871 TAILQ_FOREACH(tag, head, entries)
872 if (strcmp(tagname, tag->name) == 0) {
878 * to avoid fragmentation, we do a linear search from the beginning
879 * and take the first free slot we find. if there is none or the list
880 * is empty, append a new entry at the end.
884 if (!TAILQ_EMPTY(head))
885 for (p = TAILQ_FIRST(head); p != NULL &&
886 p->tag == new_tagid; p = TAILQ_NEXT(p, entries))
887 new_tagid = p->tag + 1;
889 if (new_tagid > TAGID_MAX)
892 /* allocate and fill new struct pf_tagname */
893 tag = (struct pf_tagname *)malloc(sizeof(struct pf_tagname),
897 bzero(tag, sizeof(struct pf_tagname));
898 strlcpy(tag->name, tagname, sizeof(tag->name));
899 tag->tag = new_tagid;
902 if (p != NULL) /* insert new entry before p */
903 TAILQ_INSERT_BEFORE(p, tag, entries);
904 else /* either list empty or no free slot in between */
905 TAILQ_INSERT_TAIL(head, tag, entries);
911 tag2tagname(struct pf_tags *head, u_int16_t tagid, char *p)
913 struct pf_tagname *tag;
915 TAILQ_FOREACH(tag, head, entries)
916 if (tag->tag == tagid) {
917 strlcpy(p, tag->name, PF_TAG_NAME_SIZE);
923 tag_unref(struct pf_tags *head, u_int16_t tag)
925 struct pf_tagname *p, *next;
930 for (p = TAILQ_FIRST(head); p != NULL; p = next) {
931 next = TAILQ_NEXT(p, entries);
934 TAILQ_REMOVE(head, p, entries);
943 pf_tagname2tag(char *tagname)
945 return (tagname2tag(&pf_tags, tagname));
949 pf_tag2tagname(u_int16_t tagid, char *p)
951 return (tag2tagname(&pf_tags, tagid, p));
955 pf_tag_ref(u_int16_t tag)
957 struct pf_tagname *t;
959 TAILQ_FOREACH(t, &pf_tags, entries)
967 pf_tag_unref(u_int16_t tag)
969 return (tag_unref(&pf_tags, tag));
973 pf_rtlabel_add(struct pf_addr_wrap *a)
976 /* XXX_IMPORT: later */
979 if (a->type == PF_ADDR_RTLABEL &&
980 (a->v.rtlabel = rtlabel_name2id(a->v.rtlabelname)) == 0)
987 pf_rtlabel_remove(struct pf_addr_wrap *a)
990 /* XXX_IMPORT: later */
992 if (a->type == PF_ADDR_RTLABEL)
993 rtlabel_unref(a->v.rtlabel);
998 pf_rtlabel_copyout(struct pf_addr_wrap *a)
1001 /* XXX_IMPORT: later */
1002 if (a->type == PF_ADDR_RTLABEL && a->v.rtlabel)
1003 strlcpy(a->v.rtlabelname, "?", sizeof(a->v.rtlabelname));
1007 if (a->type == PF_ADDR_RTLABEL && a->v.rtlabel) {
1008 if ((name = rtlabel_id2name(a->v.rtlabel)) == NULL)
1009 strlcpy(a->v.rtlabelname, "?",
1010 sizeof(a->v.rtlabelname));
1012 strlcpy(a->v.rtlabelname, name,
1013 sizeof(a->v.rtlabelname));
1020 pf_qname2qid(char *qname)
1022 return ((u_int32_t)tagname2tag(&pf_qids, qname));
1026 pf_qid2qname(u_int32_t qid, char *p)
1028 return (tag2tagname(&pf_qids, (u_int16_t)qid, p));
1032 pf_qid_unref(u_int32_t qid)
1034 return (tag_unref(&pf_qids, (u_int16_t)qid));
1038 pf_begin_altq(u_int32_t *ticket)
1040 struct pf_altq *altq;
1043 /* Purge the old altq list */
1044 while ((altq = TAILQ_FIRST(pf_altqs_inactive)) != NULL) {
1045 TAILQ_REMOVE(pf_altqs_inactive, altq, entries);
1047 if (altq->qname[0] == 0 &&
1048 (altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
1050 if (altq->qname[0] == 0) {
1052 /* detach and destroy the discipline */
1053 error = altq_remove(altq);
1055 pf_qid_unref(altq->qid);
1056 pool_put(&pf_altq_pl, altq);
1060 *ticket = ++ticket_altqs_inactive;
1061 altqs_inactive_open = 1;
1066 pf_rollback_altq(u_int32_t ticket)
1068 struct pf_altq *altq;
1071 if (!altqs_inactive_open || ticket != ticket_altqs_inactive)
1073 /* Purge the old altq list */
1074 while ((altq = TAILQ_FIRST(pf_altqs_inactive)) != NULL) {
1075 TAILQ_REMOVE(pf_altqs_inactive, altq, entries);
1077 if (altq->qname[0] == 0 &&
1078 (altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
1080 if (altq->qname[0] == 0) {
1082 /* detach and destroy the discipline */
1083 error = altq_remove(altq);
1085 pf_qid_unref(altq->qid);
1086 pool_put(&pf_altq_pl, altq);
1088 altqs_inactive_open = 0;
1093 pf_commit_altq(u_int32_t ticket)
1095 struct pf_altqqueue *old_altqs;
1096 struct pf_altq *altq;
1097 int s, err, error = 0;
1099 if (!altqs_inactive_open || ticket != ticket_altqs_inactive)
1102 /* swap altqs, keep the old. */
1104 old_altqs = pf_altqs_active;
1105 pf_altqs_active = pf_altqs_inactive;
1106 pf_altqs_inactive = old_altqs;
1107 ticket_altqs_active = ticket_altqs_inactive;
1109 /* Attach new disciplines */
1110 TAILQ_FOREACH(altq, pf_altqs_active, entries) {
1112 if (altq->qname[0] == 0 &&
1113 (altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
1115 if (altq->qname[0] == 0) {
1117 /* attach the discipline */
1118 error = altq_pfattach(altq);
1119 if (error == 0 && pf_altq_running)
1120 error = pf_enable_altq(altq);
1128 /* Purge the old altq list */
1129 while ((altq = TAILQ_FIRST(pf_altqs_inactive)) != NULL) {
1130 TAILQ_REMOVE(pf_altqs_inactive, altq, entries);
1132 if (altq->qname[0] == 0 &&
1133 (altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
1135 if (altq->qname[0] == 0) {
1137 /* detach and destroy the discipline */
1138 if (pf_altq_running)
1139 error = pf_disable_altq(altq);
1140 err = altq_pfdetach(altq);
1141 if (err != 0 && error == 0)
1143 err = altq_remove(altq);
1144 if (err != 0 && error == 0)
1147 pf_qid_unref(altq->qid);
1148 pool_put(&pf_altq_pl, altq);
1152 altqs_inactive_open = 0;
1157 pf_enable_altq(struct pf_altq *altq)
1160 struct tb_profile tb;
1163 if ((ifp = ifunit(altq->ifname)) == NULL)
1166 if (ifp->if_snd.altq_type != ALTQT_NONE)
1167 error = altq_enable(&ifp->if_snd);
1169 /* set tokenbucket regulator */
1170 if (error == 0 && ifp != NULL && ALTQ_IS_ENABLED(&ifp->if_snd)) {
1171 tb.rate = altq->ifbandwidth;
1172 tb.depth = altq->tbrsize;
1177 error = tbr_set(&ifp->if_snd, &tb);
1188 pf_disable_altq(struct pf_altq *altq)
1191 struct tb_profile tb;
1194 if ((ifp = ifunit(altq->ifname)) == NULL)
1198 * when the discipline is no longer referenced, it was overridden
1199 * by a new one. if so, just return.
1201 if (altq->altq_disc != ifp->if_snd.altq_disc)
1204 error = altq_disable(&ifp->if_snd);
1207 /* clear tokenbucket regulator */
1213 error = tbr_set(&ifp->if_snd, &tb);
1225 pf_altq_ifnet_event(struct ifnet *ifp, int remove)
1228 struct pf_altq *a1, *a2, *a3;
1232 /* Interrupt userland queue modifications */
1233 if (altqs_inactive_open)
1234 pf_rollback_altq(ticket_altqs_inactive);
1236 /* Start new altq ruleset */
1237 if (pf_begin_altq(&ticket))
1240 /* Copy the current active set */
1241 TAILQ_FOREACH(a1, pf_altqs_active, entries) {
1242 a2 = pool_get(&pf_altq_pl, PR_NOWAIT);
1247 bcopy(a1, a2, sizeof(struct pf_altq));
1249 if (a2->qname[0] != 0) {
1250 if ((a2->qid = pf_qname2qid(a2->qname)) == 0) {
1252 pool_put(&pf_altq_pl, a2);
1255 a2->altq_disc = NULL;
1256 TAILQ_FOREACH(a3, pf_altqs_inactive, entries) {
1257 if (strncmp(a3->ifname, a2->ifname,
1258 IFNAMSIZ) == 0 && a3->qname[0] == 0) {
1259 a2->altq_disc = a3->altq_disc;
1264 /* Deactivate the interface in question */
1265 a2->local_flags &= ~PFALTQ_FLAG_IF_REMOVED;
1266 if ((ifp1 = ifunit(a2->ifname)) == NULL ||
1267 (remove && ifp1 == ifp)) {
1268 a2->local_flags |= PFALTQ_FLAG_IF_REMOVED;
1271 error = altq_add(a2);
1274 if (ticket != ticket_altqs_inactive)
1278 pool_put(&pf_altq_pl, a2);
1283 TAILQ_INSERT_TAIL(pf_altqs_inactive, a2, entries);
1287 pf_rollback_altq(ticket);
1289 pf_commit_altq(ticket);
1295 pf_begin_rules(u_int32_t *ticket, int rs_num, const char *anchor)
1297 struct pf_ruleset *rs;
1298 struct pf_rule *rule;
1300 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
1302 rs = pf_find_or_create_ruleset(anchor);
1305 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL)
1306 pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule);
1307 *ticket = ++rs->rules[rs_num].inactive.ticket;
1308 rs->rules[rs_num].inactive.open = 1;
1313 pf_rollback_rules(u_int32_t ticket, int rs_num, char *anchor)
1315 struct pf_ruleset *rs;
1316 struct pf_rule *rule;
1318 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
1320 rs = pf_find_ruleset(anchor);
1321 if (rs == NULL || !rs->rules[rs_num].inactive.open ||
1322 rs->rules[rs_num].inactive.ticket != ticket)
1324 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL)
1325 pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule);
1326 rs->rules[rs_num].inactive.open = 0;
1331 pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor)
1333 struct pf_ruleset *rs;
1334 struct pf_rule *rule;
1335 struct pf_rulequeue *old_rules;
1338 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
1340 rs = pf_find_ruleset(anchor);
1341 if (rs == NULL || !rs->rules[rs_num].inactive.open ||
1342 ticket != rs->rules[rs_num].inactive.ticket)
1345 /* Swap rules, keep the old. */
1347 old_rules = rs->rules[rs_num].active.ptr;
1348 rs->rules[rs_num].active.ptr =
1349 rs->rules[rs_num].inactive.ptr;
1350 rs->rules[rs_num].inactive.ptr = old_rules;
1351 rs->rules[rs_num].active.ticket =
1352 rs->rules[rs_num].inactive.ticket;
1353 pf_calc_skip_steps(rs->rules[rs_num].active.ptr);
1355 /* Purge the old rule list. */
1356 while ((rule = TAILQ_FIRST(old_rules)) != NULL)
1357 pf_rm_rule(old_rules, rule);
1358 rs->rules[rs_num].inactive.open = 0;
1359 pf_remove_if_empty_ruleset(rs);
1366 pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td)
1369 pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
1372 struct pf_pooladdr *pa = NULL;
1373 struct pf_pool *pool = NULL;
1379 /* XXX keep in sync with switch() below */
1381 if (securelevel_gt(td->td_ucred, 2))
1383 if (securelevel > 1)
1391 case DIOCSETSTATUSIF:
1397 case DIOCGETTIMEOUT:
1398 case DIOCCLRRULECTRS:
1403 case DIOCGETRULESETS:
1404 case DIOCGETRULESET:
1405 case DIOCRGETTABLES:
1406 case DIOCRGETTSTATS:
1407 case DIOCRCLRTSTATS:
1413 case DIOCRGETASTATS:
1414 case DIOCRCLRASTATS:
1417 case DIOCGETSRCNODES:
1418 case DIOCCLRSRCNODES:
1419 case DIOCIGETIFACES:
1420 case DIOCICLRISTATS:
1427 case DIOCRCLRTABLES:
1428 case DIOCRADDTABLES:
1429 case DIOCRDELTABLES:
1430 case DIOCRSETTFLAGS:
1431 if (((struct pfioc_table *)addr)->pfrio_flags &
1433 break; /* dummy operation ok */
1439 if (!(flags & FWRITE))
1448 case DIOCGETTIMEOUT:
1453 case DIOCGETRULESETS:
1454 case DIOCGETRULESET:
1455 case DIOCRGETTABLES:
1456 case DIOCRGETTSTATS:
1458 case DIOCRGETASTATS:
1461 case DIOCGETSRCNODES:
1462 case DIOCIGETIFACES:
1467 case DIOCRCLRTABLES:
1468 case DIOCRADDTABLES:
1469 case DIOCRDELTABLES:
1470 case DIOCRCLRTSTATS:
1475 case DIOCRSETTFLAGS:
1476 if (((struct pfioc_table *)addr)->pfrio_flags &
1478 break; /* dummy operation ok */
1492 if (pf_status.running)
1500 DPFPRINTF(PF_DEBUG_MISC,
1501 ("pf: pfil registeration fail\n"));
1505 pf_status.running = 1;
1506 pf_status.since = time_second;
1507 if (pf_status.stateid == 0) {
1508 pf_status.stateid = time_second;
1509 pf_status.stateid = pf_status.stateid << 32;
1511 DPFPRINTF(PF_DEBUG_MISC, ("pf: started\n"));
1516 if (!pf_status.running)
1519 pf_status.running = 0;
1522 error = dehook_pf();
1525 pf_status.running = 1;
1526 DPFPRINTF(PF_DEBUG_MISC,
1527 ("pf: pfil unregisteration failed\n"));
1530 pf_status.since = time_second;
1531 DPFPRINTF(PF_DEBUG_MISC, ("pf: stopped\n"));
1536 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
1537 struct pf_ruleset *ruleset;
1538 struct pf_rule *rule, *tail;
1539 struct pf_pooladdr *pa;
1542 pr->anchor[sizeof(pr->anchor) - 1] = 0;
1543 ruleset = pf_find_ruleset(pr->anchor);
1544 if (ruleset == NULL) {
1548 rs_num = pf_get_ruleset_number(pr->rule.action);
1549 if (rs_num >= PF_RULESET_MAX) {
1553 if (pr->rule.return_icmp >> 8 > ICMP_MAXTYPE) {
1557 if (pr->ticket != ruleset->rules[rs_num].inactive.ticket) {
1558 printf("ticket: %d != [%d]%d\n", pr->ticket,
1559 rs_num, ruleset->rules[rs_num].inactive.ticket);
1563 if (pr->pool_ticket != ticket_pabuf) {
1564 printf("pool_ticket: %d != %d\n", pr->pool_ticket,
1569 rule = pool_get(&pf_rule_pl, PR_NOWAIT);
1574 bcopy(&pr->rule, rule, sizeof(struct pf_rule));
1575 rule->anchor = NULL;
1577 TAILQ_INIT(&rule->rpool.list);
1578 /* initialize refcounting */
1580 rule->src_nodes = 0;
1581 rule->entries.tqe_prev = NULL;
1583 if (rule->af == AF_INET) {
1584 pool_put(&pf_rule_pl, rule);
1585 error = EAFNOSUPPORT;
1590 if (rule->af == AF_INET6) {
1591 pool_put(&pf_rule_pl, rule);
1592 error = EAFNOSUPPORT;
1596 tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
1599 rule->nr = tail->nr + 1;
1602 if (rule->ifname[0]) {
1603 rule->kif = pfi_attach_rule(rule->ifname);
1604 if (rule->kif == NULL) {
1605 pool_put(&pf_rule_pl, rule);
1613 if (rule->qname[0] != 0) {
1614 if ((rule->qid = pf_qname2qid(rule->qname)) == 0)
1616 else if (rule->pqname[0] != 0) {
1618 pf_qname2qid(rule->pqname)) == 0)
1621 rule->pqid = rule->qid;
1624 if (rule->tagname[0])
1625 if ((rule->tag = pf_tagname2tag(rule->tagname)) == 0)
1627 if (rule->match_tagname[0])
1628 if ((rule->match_tag =
1629 pf_tagname2tag(rule->match_tagname)) == 0)
1631 if (rule->rt && !rule->direction)
1633 if (pf_rtlabel_add(&rule->src.addr) ||
1634 pf_rtlabel_add(&rule->dst.addr))
1636 if (pfi_dynaddr_setup(&rule->src.addr, rule->af))
1638 if (pfi_dynaddr_setup(&rule->dst.addr, rule->af))
1640 if (pf_tbladdr_setup(ruleset, &rule->src.addr))
1642 if (pf_tbladdr_setup(ruleset, &rule->dst.addr))
1644 if (pf_anchor_setup(rule, ruleset, pr->anchor_call))
1646 TAILQ_FOREACH(pa, &pf_pabuf, entries)
1647 if (pf_tbladdr_setup(ruleset, &pa->addr))
1650 if (rule->overload_tblname[0]) {
1651 if ((rule->overload_tbl = pfr_attach_table(ruleset,
1652 rule->overload_tblname)) == NULL)
1655 rule->overload_tbl->pfrkt_flags |=
1659 pf_mv_pool(&pf_pabuf, &rule->rpool.list);
1660 if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) ||
1661 (rule->action == PF_BINAT)) && rule->anchor == NULL) ||
1662 (rule->rt > PF_FASTROUTE)) &&
1663 (TAILQ_FIRST(&rule->rpool.list) == NULL))
1667 pf_rm_rule(NULL, rule);
1670 rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list);
1671 rule->evaluations = rule->packets = rule->bytes = 0;
1672 TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr,
1677 case DIOCGETRULES: {
1678 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
1679 struct pf_ruleset *ruleset;
1680 struct pf_rule *tail;
1683 pr->anchor[sizeof(pr->anchor) - 1] = 0;
1684 ruleset = pf_find_ruleset(pr->anchor);
1685 if (ruleset == NULL) {
1689 rs_num = pf_get_ruleset_number(pr->rule.action);
1690 if (rs_num >= PF_RULESET_MAX) {
1694 tail = TAILQ_LAST(ruleset->rules[rs_num].active.ptr,
1697 pr->nr = tail->nr + 1;
1700 pr->ticket = ruleset->rules[rs_num].active.ticket;
1705 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
1706 struct pf_ruleset *ruleset;
1707 struct pf_rule *rule;
1710 pr->anchor[sizeof(pr->anchor) - 1] = 0;
1711 ruleset = pf_find_ruleset(pr->anchor);
1712 if (ruleset == NULL) {
1716 rs_num = pf_get_ruleset_number(pr->rule.action);
1717 if (rs_num >= PF_RULESET_MAX) {
1721 if (pr->ticket != ruleset->rules[rs_num].active.ticket) {
1725 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
1726 while ((rule != NULL) && (rule->nr != pr->nr))
1727 rule = TAILQ_NEXT(rule, entries);
1732 bcopy(rule, &pr->rule, sizeof(struct pf_rule));
1733 if (pf_anchor_copyout(ruleset, rule, pr)) {
1737 pfi_dynaddr_copyout(&pr->rule.src.addr);
1738 pfi_dynaddr_copyout(&pr->rule.dst.addr);
1739 pf_tbladdr_copyout(&pr->rule.src.addr);
1740 pf_tbladdr_copyout(&pr->rule.dst.addr);
1741 pf_rtlabel_copyout(&pr->rule.src.addr);
1742 pf_rtlabel_copyout(&pr->rule.dst.addr);
1743 for (i = 0; i < PF_SKIP_COUNT; ++i)
1744 if (rule->skip[i].ptr == NULL)
1745 pr->rule.skip[i].nr = -1;
1747 pr->rule.skip[i].nr =
1748 rule->skip[i].ptr->nr;
1752 case DIOCCHANGERULE: {
1753 struct pfioc_rule *pcr = (struct pfioc_rule *)addr;
1754 struct pf_ruleset *ruleset;
1755 struct pf_rule *oldrule = NULL, *newrule = NULL;
1759 if (!(pcr->action == PF_CHANGE_REMOVE ||
1760 pcr->action == PF_CHANGE_GET_TICKET) &&
1761 pcr->pool_ticket != ticket_pabuf) {
1766 if (pcr->action < PF_CHANGE_ADD_HEAD ||
1767 pcr->action > PF_CHANGE_GET_TICKET) {
1771 ruleset = pf_find_ruleset(pcr->anchor);
1772 if (ruleset == NULL) {
1776 rs_num = pf_get_ruleset_number(pcr->rule.action);
1777 if (rs_num >= PF_RULESET_MAX) {
1782 if (pcr->action == PF_CHANGE_GET_TICKET) {
1783 pcr->ticket = ++ruleset->rules[rs_num].active.ticket;
1787 ruleset->rules[rs_num].active.ticket) {
1791 if (pcr->rule.return_icmp >> 8 > ICMP_MAXTYPE) {
1797 if (pcr->action != PF_CHANGE_REMOVE) {
1798 newrule = pool_get(&pf_rule_pl, PR_NOWAIT);
1799 if (newrule == NULL) {
1803 bcopy(&pcr->rule, newrule, sizeof(struct pf_rule));
1804 TAILQ_INIT(&newrule->rpool.list);
1805 /* initialize refcounting */
1806 newrule->states = 0;
1807 newrule->entries.tqe_prev = NULL;
1809 if (newrule->af == AF_INET) {
1810 pool_put(&pf_rule_pl, newrule);
1811 error = EAFNOSUPPORT;
1816 if (newrule->af == AF_INET6) {
1817 pool_put(&pf_rule_pl, newrule);
1818 error = EAFNOSUPPORT;
1822 if (newrule->ifname[0]) {
1823 newrule->kif = pfi_attach_rule(newrule->ifname);
1824 if (newrule->kif == NULL) {
1825 pool_put(&pf_rule_pl, newrule);
1830 newrule->kif = NULL;
1834 if (newrule->qname[0] != 0) {
1836 pf_qname2qid(newrule->qname)) == 0)
1838 else if (newrule->pqname[0] != 0) {
1839 if ((newrule->pqid =
1840 pf_qname2qid(newrule->pqname)) == 0)
1843 newrule->pqid = newrule->qid;
1846 if (newrule->tagname[0])
1848 pf_tagname2tag(newrule->tagname)) == 0)
1850 if (newrule->match_tagname[0])
1851 if ((newrule->match_tag = pf_tagname2tag(
1852 newrule->match_tagname)) == 0)
1854 if (newrule->rt && !newrule->direction)
1856 if (pf_rtlabel_add(&newrule->src.addr) ||
1857 pf_rtlabel_add(&newrule->dst.addr))
1859 if (pfi_dynaddr_setup(&newrule->src.addr, newrule->af))
1861 if (pfi_dynaddr_setup(&newrule->dst.addr, newrule->af))
1863 if (pf_tbladdr_setup(ruleset, &newrule->src.addr))
1865 if (pf_tbladdr_setup(ruleset, &newrule->dst.addr))
1867 if (pf_anchor_setup(newrule, ruleset, pcr->anchor_call))
1869 TAILQ_FOREACH(pa, &pf_pabuf, entries)
1870 if (pf_tbladdr_setup(ruleset, &pa->addr))
1873 if (newrule->overload_tblname[0]) {
1874 if ((newrule->overload_tbl = pfr_attach_table(
1875 ruleset, newrule->overload_tblname)) ==
1879 newrule->overload_tbl->pfrkt_flags |=
1883 pf_mv_pool(&pf_pabuf, &newrule->rpool.list);
1884 if (((((newrule->action == PF_NAT) ||
1885 (newrule->action == PF_RDR) ||
1886 (newrule->action == PF_BINAT) ||
1887 (newrule->rt > PF_FASTROUTE)) &&
1888 !newrule->anchor)) &&
1889 (TAILQ_FIRST(&newrule->rpool.list) == NULL))
1893 pf_rm_rule(NULL, newrule);
1896 newrule->rpool.cur = TAILQ_FIRST(&newrule->rpool.list);
1897 newrule->evaluations = newrule->packets = 0;
1900 pf_empty_pool(&pf_pabuf);
1902 if (pcr->action == PF_CHANGE_ADD_HEAD)
1903 oldrule = TAILQ_FIRST(
1904 ruleset->rules[rs_num].active.ptr);
1905 else if (pcr->action == PF_CHANGE_ADD_TAIL)
1906 oldrule = TAILQ_LAST(
1907 ruleset->rules[rs_num].active.ptr, pf_rulequeue);
1909 oldrule = TAILQ_FIRST(
1910 ruleset->rules[rs_num].active.ptr);
1911 while ((oldrule != NULL) && (oldrule->nr != pcr->nr))
1912 oldrule = TAILQ_NEXT(oldrule, entries);
1913 if (oldrule == NULL) {
1914 if (newrule != NULL)
1915 pf_rm_rule(NULL, newrule);
1921 if (pcr->action == PF_CHANGE_REMOVE)
1922 pf_rm_rule(ruleset->rules[rs_num].active.ptr, oldrule);
1924 if (oldrule == NULL)
1926 ruleset->rules[rs_num].active.ptr,
1928 else if (pcr->action == PF_CHANGE_ADD_HEAD ||
1929 pcr->action == PF_CHANGE_ADD_BEFORE)
1930 TAILQ_INSERT_BEFORE(oldrule, newrule, entries);
1933 ruleset->rules[rs_num].active.ptr,
1934 oldrule, newrule, entries);
1938 TAILQ_FOREACH(oldrule,
1939 ruleset->rules[rs_num].active.ptr, entries)
1942 ruleset->rules[rs_num].active.ticket++;
1944 pf_calc_skip_steps(ruleset->rules[rs_num].active.ptr);
1945 pf_remove_if_empty_ruleset(ruleset);
1950 case DIOCCLRSTATES: {
1951 struct pf_state *state;
1952 struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
1955 RB_FOREACH(state, pf_state_tree_id, &tree_id) {
1956 if (!psk->psk_ifname[0] || !strcmp(psk->psk_ifname,
1957 state->u.s.kif->pfik_name)) {
1958 state->timeout = PFTM_PURGE;
1960 /* don't send out individual delete messages */
1961 state->sync_flags = PFSTATE_NOSYNC;
1966 pf_purge_expired_states();
1967 pf_status.states = 0;
1968 psk->psk_af = killed;
1970 pfsync_clear_states(pf_status.hostid, psk->psk_ifname);
1975 case DIOCKILLSTATES: {
1976 struct pf_state *state;
1977 struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
1980 RB_FOREACH(state, pf_state_tree_id, &tree_id) {
1981 if ((!psk->psk_af || state->af == psk->psk_af)
1982 && (!psk->psk_proto || psk->psk_proto ==
1984 PF_MATCHA(psk->psk_src.neg,
1985 &psk->psk_src.addr.v.a.addr,
1986 &psk->psk_src.addr.v.a.mask,
1987 &state->lan.addr, state->af) &&
1988 PF_MATCHA(psk->psk_dst.neg,
1989 &psk->psk_dst.addr.v.a.addr,
1990 &psk->psk_dst.addr.v.a.mask,
1991 &state->ext.addr, state->af) &&
1992 (psk->psk_src.port_op == 0 ||
1993 pf_match_port(psk->psk_src.port_op,
1994 psk->psk_src.port[0], psk->psk_src.port[1],
1995 state->lan.port)) &&
1996 (psk->psk_dst.port_op == 0 ||
1997 pf_match_port(psk->psk_dst.port_op,
1998 psk->psk_dst.port[0], psk->psk_dst.port[1],
1999 state->ext.port)) &&
2000 (!psk->psk_ifname[0] || !strcmp(psk->psk_ifname,
2001 state->u.s.kif->pfik_name))) {
2002 state->timeout = PFTM_PURGE;
2006 pf_purge_expired_states();
2007 psk->psk_af = killed;
2011 case DIOCADDSTATE: {
2012 struct pfioc_state *ps = (struct pfioc_state *)addr;
2013 struct pf_state *state;
2014 struct pfi_kif *kif;
2016 if (ps->state.timeout >= PFTM_MAX &&
2017 ps->state.timeout != PFTM_UNTIL_PACKET) {
2021 state = pool_get(&pf_state_pl, PR_NOWAIT);
2022 if (state == NULL) {
2026 kif = pfi_lookup_create(ps->state.u.ifname);
2028 pool_put(&pf_state_pl, state);
2032 bcopy(&ps->state, state, sizeof(struct pf_state));
2033 bzero(&state->u, sizeof(state->u));
2034 state->rule.ptr = &pf_default_rule;
2035 state->nat_rule.ptr = NULL;
2036 state->anchor.ptr = NULL;
2037 state->rt_kif = NULL;
2038 state->creation = time_second;
2039 state->pfsync_time = 0;
2040 state->packets[0] = state->packets[1] = 0;
2041 state->bytes[0] = state->bytes[1] = 0;
2043 if (pf_insert_state(kif, state)) {
2044 pfi_maybe_destroy(kif);
2045 pool_put(&pf_state_pl, state);
2051 case DIOCGETSTATE: {
2052 struct pfioc_state *ps = (struct pfioc_state *)addr;
2053 struct pf_state *state;
2057 RB_FOREACH(state, pf_state_tree_id, &tree_id) {
2062 if (state == NULL) {
2066 bcopy(state, &ps->state, sizeof(struct pf_state));
2067 ps->state.rule.nr = state->rule.ptr->nr;
2068 ps->state.nat_rule.nr = (state->nat_rule.ptr == NULL) ?
2069 -1 : state->nat_rule.ptr->nr;
2070 ps->state.anchor.nr = (state->anchor.ptr == NULL) ?
2071 -1 : state->anchor.ptr->nr;
2072 ps->state.expire = pf_state_expires(state);
2073 if (ps->state.expire > time_second)
2074 ps->state.expire -= time_second;
2076 ps->state.expire = 0;
2080 case DIOCGETSTATES: {
2081 struct pfioc_states *ps = (struct pfioc_states *)addr;
2082 struct pf_state *state;
2083 struct pf_state *p, pstore;
2084 struct pfi_kif *kif;
2086 int space = ps->ps_len;
2089 TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states)
2090 nr += kif->pfik_states;
2091 ps->ps_len = sizeof(struct pf_state) * nr;
2096 TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states)
2097 RB_FOREACH(state, pf_state_tree_ext_gwy,
2098 &kif->pfik_ext_gwy) {
2099 int secs = time_second;
2101 if ((nr+1) * sizeof(*p) > (unsigned)ps->ps_len)
2104 bcopy(state, &pstore, sizeof(pstore));
2105 strlcpy(pstore.u.ifname, kif->pfik_name,
2106 sizeof(pstore.u.ifname));
2107 pstore.rule.nr = state->rule.ptr->nr;
2108 pstore.nat_rule.nr = (state->nat_rule.ptr ==
2109 NULL) ? -1 : state->nat_rule.ptr->nr;
2110 pstore.anchor.nr = (state->anchor.ptr ==
2111 NULL) ? -1 : state->anchor.ptr->nr;
2112 pstore.creation = secs - pstore.creation;
2113 pstore.expire = pf_state_expires(state);
2114 if (pstore.expire > secs)
2115 pstore.expire -= secs;
2119 PF_COPYOUT(&pstore, p, sizeof(*p), error);
2121 error = copyout(&pstore, p, sizeof(*p));
2128 ps->ps_len = sizeof(struct pf_state) * nr;
2132 case DIOCGETSTATUS: {
2133 struct pf_status *s = (struct pf_status *)addr;
2134 bcopy(&pf_status, s, sizeof(struct pf_status));
2135 pfi_fill_oldstatus(s);
2139 case DIOCSETSTATUSIF: {
2140 struct pfioc_if *pi = (struct pfioc_if *)addr;
2142 if (pi->ifname[0] == 0) {
2143 bzero(pf_status.ifname, IFNAMSIZ);
2146 if (ifunit(pi->ifname) == NULL) {
2150 strlcpy(pf_status.ifname, pi->ifname, IFNAMSIZ);
2154 case DIOCCLRSTATUS: {
2155 bzero(pf_status.counters, sizeof(pf_status.counters));
2156 bzero(pf_status.fcounters, sizeof(pf_status.fcounters));
2157 bzero(pf_status.scounters, sizeof(pf_status.scounters));
2158 if (*pf_status.ifname)
2159 pfi_clr_istats(pf_status.ifname, NULL,
2165 struct pfioc_natlook *pnl = (struct pfioc_natlook *)addr;
2166 struct pf_state *state;
2167 struct pf_state key;
2168 int m = 0, direction = pnl->direction;
2171 key.proto = pnl->proto;
2174 PF_AZERO(&pnl->saddr, pnl->af) ||
2175 PF_AZERO(&pnl->daddr, pnl->af) ||
2176 !pnl->dport || !pnl->sport)
2180 * userland gives us source and dest of connection,
2181 * reverse the lookup so we ask for what happens with
2182 * the return traffic, enabling us to find it in the
2185 if (direction == PF_IN) {
2186 PF_ACPY(&key.ext.addr, &pnl->daddr, pnl->af);
2187 key.ext.port = pnl->dport;
2188 PF_ACPY(&key.gwy.addr, &pnl->saddr, pnl->af);
2189 key.gwy.port = pnl->sport;
2190 state = pf_find_state_all(&key, PF_EXT_GWY, &m);
2192 PF_ACPY(&key.lan.addr, &pnl->daddr, pnl->af);
2193 key.lan.port = pnl->dport;
2194 PF_ACPY(&key.ext.addr, &pnl->saddr, pnl->af);
2195 key.ext.port = pnl->sport;
2196 state = pf_find_state_all(&key, PF_LAN_EXT, &m);
2199 error = E2BIG; /* more than one state */
2200 else if (state != NULL) {
2201 if (direction == PF_IN) {
2202 PF_ACPY(&pnl->rsaddr, &state->lan.addr,
2204 pnl->rsport = state->lan.port;
2205 PF_ACPY(&pnl->rdaddr, &pnl->daddr,
2207 pnl->rdport = pnl->dport;
2209 PF_ACPY(&pnl->rdaddr, &state->gwy.addr,
2211 pnl->rdport = state->gwy.port;
2212 PF_ACPY(&pnl->rsaddr, &pnl->saddr,
2214 pnl->rsport = pnl->sport;
2222 case DIOCSETTIMEOUT: {
2223 struct pfioc_tm *pt = (struct pfioc_tm *)addr;
2226 if (pt->timeout < 0 || pt->timeout >= PFTM_MAX ||
2231 old = pf_default_rule.timeout[pt->timeout];
2232 pf_default_rule.timeout[pt->timeout] = pt->seconds;
2237 case DIOCGETTIMEOUT: {
2238 struct pfioc_tm *pt = (struct pfioc_tm *)addr;
2240 if (pt->timeout < 0 || pt->timeout >= PFTM_MAX) {
2244 pt->seconds = pf_default_rule.timeout[pt->timeout];
2248 case DIOCGETLIMIT: {
2249 struct pfioc_limit *pl = (struct pfioc_limit *)addr;
2251 if (pl->index < 0 || pl->index >= PF_LIMIT_MAX) {
2255 pl->limit = pf_pool_limits[pl->index].limit;
2259 case DIOCSETLIMIT: {
2260 struct pfioc_limit *pl = (struct pfioc_limit *)addr;
2263 if (pl->index < 0 || pl->index >= PF_LIMIT_MAX ||
2264 pf_pool_limits[pl->index].pp == NULL) {
2269 uma_zone_set_max(pf_pool_limits[pl->index].pp, pl->limit);
2271 if (pool_sethardlimit(pf_pool_limits[pl->index].pp,
2272 pl->limit, NULL, 0) != 0) {
2277 old_limit = pf_pool_limits[pl->index].limit;
2278 pf_pool_limits[pl->index].limit = pl->limit;
2279 pl->limit = old_limit;
2283 case DIOCSETDEBUG: {
2284 u_int32_t *level = (u_int32_t *)addr;
2286 pf_status.debug = *level;
2290 case DIOCCLRRULECTRS: {
2291 struct pf_ruleset *ruleset = &pf_main_ruleset;
2292 struct pf_rule *rule;
2295 ruleset->rules[PF_RULESET_FILTER].active.ptr, entries)
2296 rule->evaluations = rule->packets =
2302 case DIOCGIFSPEED: {
2303 struct pf_ifspeed *psp = (struct pf_ifspeed *)addr;
2304 struct pf_ifspeed ps;
2307 if (psp->ifname[0] != 0) {
2308 /* Can we completely trust user-land? */
2309 strlcpy(ps.ifname, psp->ifname, IFNAMSIZ);
2310 ifp = ifunit(ps.ifname);
2312 psp->baudrate = ifp->if_baudrate;
2319 #endif /* __FreeBSD__ */
2322 case DIOCSTARTALTQ: {
2323 struct pf_altq *altq;
2325 /* enable all altq interfaces on active list */
2326 TAILQ_FOREACH(altq, pf_altqs_active, entries) {
2328 if (altq->qname[0] == 0 && (altq->local_flags &
2329 PFALTQ_FLAG_IF_REMOVED) == 0) {
2331 if (altq->qname[0] == 0) {
2333 error = pf_enable_altq(altq);
2339 pf_altq_running = 1;
2340 DPFPRINTF(PF_DEBUG_MISC, ("altq: started\n"));
2344 case DIOCSTOPALTQ: {
2345 struct pf_altq *altq;
2347 /* disable all altq interfaces on active list */
2348 TAILQ_FOREACH(altq, pf_altqs_active, entries) {
2350 if (altq->qname[0] == 0 && (altq->local_flags &
2351 PFALTQ_FLAG_IF_REMOVED) == 0) {
2353 if (altq->qname[0] == 0) {
2355 error = pf_disable_altq(altq);
2361 pf_altq_running = 0;
2362 DPFPRINTF(PF_DEBUG_MISC, ("altq: stopped\n"));
2367 struct pfioc_altq *pa = (struct pfioc_altq *)addr;
2368 struct pf_altq *altq, *a;
2370 if (pa->ticket != ticket_altqs_inactive) {
2374 altq = pool_get(&pf_altq_pl, PR_NOWAIT);
2379 bcopy(&pa->altq, altq, sizeof(struct pf_altq));
2381 altq->local_flags = 0;
2385 * if this is for a queue, find the discipline and
2386 * copy the necessary fields
2388 if (altq->qname[0] != 0) {
2389 if ((altq->qid = pf_qname2qid(altq->qname)) == 0) {
2391 pool_put(&pf_altq_pl, altq);
2394 altq->altq_disc = NULL;
2395 TAILQ_FOREACH(a, pf_altqs_inactive, entries) {
2396 if (strncmp(a->ifname, altq->ifname,
2397 IFNAMSIZ) == 0 && a->qname[0] == 0) {
2398 altq->altq_disc = a->altq_disc;
2407 if ((ifp = ifunit(altq->ifname)) == NULL) {
2408 altq->local_flags |= PFALTQ_FLAG_IF_REMOVED;
2412 error = altq_add(altq);
2418 pool_put(&pf_altq_pl, altq);
2422 TAILQ_INSERT_TAIL(pf_altqs_inactive, altq, entries);
2423 bcopy(altq, &pa->altq, sizeof(struct pf_altq));
2427 case DIOCGETALTQS: {
2428 struct pfioc_altq *pa = (struct pfioc_altq *)addr;
2429 struct pf_altq *altq;
2432 TAILQ_FOREACH(altq, pf_altqs_active, entries)
2434 pa->ticket = ticket_altqs_active;
2439 struct pfioc_altq *pa = (struct pfioc_altq *)addr;
2440 struct pf_altq *altq;
2443 if (pa->ticket != ticket_altqs_active) {
2448 altq = TAILQ_FIRST(pf_altqs_active);
2449 while ((altq != NULL) && (nr < pa->nr)) {
2450 altq = TAILQ_NEXT(altq, entries);
2457 bcopy(altq, &pa->altq, sizeof(struct pf_altq));
2461 case DIOCCHANGEALTQ:
2462 /* CHANGEALTQ not supported yet! */
2466 case DIOCGETQSTATS: {
2467 struct pfioc_qstats *pq = (struct pfioc_qstats *)addr;
2468 struct pf_altq *altq;
2472 if (pq->ticket != ticket_altqs_active) {
2476 nbytes = pq->nbytes;
2478 altq = TAILQ_FIRST(pf_altqs_active);
2479 while ((altq != NULL) && (nr < pq->nr)) {
2480 altq = TAILQ_NEXT(altq, entries);
2488 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) != 0) {
2494 error = altq_getqstats(altq, pq->buf, &nbytes);
2499 pq->scheduler = altq->scheduler;
2500 pq->nbytes = nbytes;
2506 case DIOCBEGINADDRS: {
2507 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
2509 pf_empty_pool(&pf_pabuf);
2510 pp->ticket = ++ticket_pabuf;
2515 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
2517 if (pp->ticket != ticket_pabuf) {
2522 if (pp->af == AF_INET) {
2523 error = EAFNOSUPPORT;
2528 if (pp->af == AF_INET6) {
2529 error = EAFNOSUPPORT;
2533 if (pp->addr.addr.type != PF_ADDR_ADDRMASK &&
2534 pp->addr.addr.type != PF_ADDR_DYNIFTL &&
2535 pp->addr.addr.type != PF_ADDR_TABLE) {
2539 pa = pool_get(&pf_pooladdr_pl, PR_NOWAIT);
2544 bcopy(&pp->addr, pa, sizeof(struct pf_pooladdr));
2545 if (pa->ifname[0]) {
2546 pa->kif = pfi_attach_rule(pa->ifname);
2547 if (pa->kif == NULL) {
2548 pool_put(&pf_pooladdr_pl, pa);
2553 if (pfi_dynaddr_setup(&pa->addr, pp->af)) {
2554 pfi_dynaddr_remove(&pa->addr);
2555 pfi_detach_rule(pa->kif);
2556 pool_put(&pf_pooladdr_pl, pa);
2560 TAILQ_INSERT_TAIL(&pf_pabuf, pa, entries);
2564 case DIOCGETADDRS: {
2565 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
2568 pool = pf_get_pool(pp->anchor, pp->ticket, pp->r_action,
2569 pp->r_num, 0, 1, 0);
2574 TAILQ_FOREACH(pa, &pool->list, entries)
2580 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
2583 pool = pf_get_pool(pp->anchor, pp->ticket, pp->r_action,
2584 pp->r_num, 0, 1, 1);
2589 pa = TAILQ_FIRST(&pool->list);
2590 while ((pa != NULL) && (nr < pp->nr)) {
2591 pa = TAILQ_NEXT(pa, entries);
2598 bcopy(pa, &pp->addr, sizeof(struct pf_pooladdr));
2599 pfi_dynaddr_copyout(&pp->addr.addr);
2600 pf_tbladdr_copyout(&pp->addr.addr);
2601 pf_rtlabel_copyout(&pp->addr.addr);
2605 case DIOCCHANGEADDR: {
2606 struct pfioc_pooladdr *pca = (struct pfioc_pooladdr *)addr;
2607 struct pf_pooladdr *oldpa = NULL, *newpa = NULL;
2608 struct pf_ruleset *ruleset;
2610 if (pca->action < PF_CHANGE_ADD_HEAD ||
2611 pca->action > PF_CHANGE_REMOVE) {
2615 if (pca->addr.addr.type != PF_ADDR_ADDRMASK &&
2616 pca->addr.addr.type != PF_ADDR_DYNIFTL &&
2617 pca->addr.addr.type != PF_ADDR_TABLE) {
2622 ruleset = pf_find_ruleset(pca->anchor);
2623 if (ruleset == NULL) {
2627 pool = pf_get_pool(pca->anchor, pca->ticket, pca->r_action,
2628 pca->r_num, pca->r_last, 1, 1);
2633 if (pca->action != PF_CHANGE_REMOVE) {
2634 newpa = pool_get(&pf_pooladdr_pl, PR_NOWAIT);
2635 if (newpa == NULL) {
2639 bcopy(&pca->addr, newpa, sizeof(struct pf_pooladdr));
2641 if (pca->af == AF_INET) {
2642 pool_put(&pf_pooladdr_pl, newpa);
2643 error = EAFNOSUPPORT;
2648 if (pca->af == AF_INET6) {
2649 pool_put(&pf_pooladdr_pl, newpa);
2650 error = EAFNOSUPPORT;
2654 if (newpa->ifname[0]) {
2655 newpa->kif = pfi_attach_rule(newpa->ifname);
2656 if (newpa->kif == NULL) {
2657 pool_put(&pf_pooladdr_pl, newpa);
2663 if (pfi_dynaddr_setup(&newpa->addr, pca->af) ||
2664 pf_tbladdr_setup(ruleset, &newpa->addr)) {
2665 pfi_dynaddr_remove(&newpa->addr);
2666 pfi_detach_rule(newpa->kif);
2667 pool_put(&pf_pooladdr_pl, newpa);
2673 if (pca->action == PF_CHANGE_ADD_HEAD)
2674 oldpa = TAILQ_FIRST(&pool->list);
2675 else if (pca->action == PF_CHANGE_ADD_TAIL)
2676 oldpa = TAILQ_LAST(&pool->list, pf_palist);
2680 oldpa = TAILQ_FIRST(&pool->list);
2681 while ((oldpa != NULL) && (i < pca->nr)) {
2682 oldpa = TAILQ_NEXT(oldpa, entries);
2685 if (oldpa == NULL) {
2691 if (pca->action == PF_CHANGE_REMOVE) {
2692 TAILQ_REMOVE(&pool->list, oldpa, entries);
2693 pfi_dynaddr_remove(&oldpa->addr);
2694 pf_tbladdr_remove(&oldpa->addr);
2695 pfi_detach_rule(oldpa->kif);
2696 pool_put(&pf_pooladdr_pl, oldpa);
2699 TAILQ_INSERT_TAIL(&pool->list, newpa, entries);
2700 else if (pca->action == PF_CHANGE_ADD_HEAD ||
2701 pca->action == PF_CHANGE_ADD_BEFORE)
2702 TAILQ_INSERT_BEFORE(oldpa, newpa, entries);
2704 TAILQ_INSERT_AFTER(&pool->list, oldpa,
2708 pool->cur = TAILQ_FIRST(&pool->list);
2709 PF_ACPY(&pool->counter, &pool->cur->addr.v.a.addr,
2714 case DIOCGETRULESETS: {
2715 struct pfioc_ruleset *pr = (struct pfioc_ruleset *)addr;
2716 struct pf_ruleset *ruleset;
2717 struct pf_anchor *anchor;
2719 pr->path[sizeof(pr->path) - 1] = 0;
2720 if ((ruleset = pf_find_ruleset(pr->path)) == NULL) {
2725 if (ruleset->anchor == NULL) {
2726 /* XXX kludge for pf_main_ruleset */
2727 RB_FOREACH(anchor, pf_anchor_global, &pf_anchors)
2728 if (anchor->parent == NULL)
2731 RB_FOREACH(anchor, pf_anchor_node,
2732 &ruleset->anchor->children)
2738 case DIOCGETRULESET: {
2739 struct pfioc_ruleset *pr = (struct pfioc_ruleset *)addr;
2740 struct pf_ruleset *ruleset;
2741 struct pf_anchor *anchor;
2744 pr->path[sizeof(pr->path) - 1] = 0;
2745 if ((ruleset = pf_find_ruleset(pr->path)) == NULL) {
2750 if (ruleset->anchor == NULL) {
2751 /* XXX kludge for pf_main_ruleset */
2752 RB_FOREACH(anchor, pf_anchor_global, &pf_anchors)
2753 if (anchor->parent == NULL && nr++ == pr->nr) {
2754 strlcpy(pr->name, anchor->name,
2759 RB_FOREACH(anchor, pf_anchor_node,
2760 &ruleset->anchor->children)
2761 if (nr++ == pr->nr) {
2762 strlcpy(pr->name, anchor->name,
2772 case DIOCRCLRTABLES: {
2773 struct pfioc_table *io = (struct pfioc_table *)addr;
2775 if (io->pfrio_esize != 0) {
2779 error = pfr_clr_tables(&io->pfrio_table, &io->pfrio_ndel,
2780 io->pfrio_flags | PFR_FLAG_USERIOCTL);
2784 case DIOCRADDTABLES: {
2785 struct pfioc_table *io = (struct pfioc_table *)addr;
2787 if (io->pfrio_esize != sizeof(struct pfr_table)) {
2791 error = pfr_add_tables(io->pfrio_buffer, io->pfrio_size,
2792 &io->pfrio_nadd, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2796 case DIOCRDELTABLES: {
2797 struct pfioc_table *io = (struct pfioc_table *)addr;
2799 if (io->pfrio_esize != sizeof(struct pfr_table)) {
2803 error = pfr_del_tables(io->pfrio_buffer, io->pfrio_size,
2804 &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2808 case DIOCRGETTABLES: {
2809 struct pfioc_table *io = (struct pfioc_table *)addr;
2811 if (io->pfrio_esize != sizeof(struct pfr_table)) {
2815 error = pfr_get_tables(&io->pfrio_table, io->pfrio_buffer,
2816 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2820 case DIOCRGETTSTATS: {
2821 struct pfioc_table *io = (struct pfioc_table *)addr;
2823 if (io->pfrio_esize != sizeof(struct pfr_tstats)) {
2827 error = pfr_get_tstats(&io->pfrio_table, io->pfrio_buffer,
2828 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2832 case DIOCRCLRTSTATS: {
2833 struct pfioc_table *io = (struct pfioc_table *)addr;
2835 if (io->pfrio_esize != sizeof(struct pfr_table)) {
2839 error = pfr_clr_tstats(io->pfrio_buffer, io->pfrio_size,
2840 &io->pfrio_nzero, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2844 case DIOCRSETTFLAGS: {
2845 struct pfioc_table *io = (struct pfioc_table *)addr;
2847 if (io->pfrio_esize != sizeof(struct pfr_table)) {
2851 error = pfr_set_tflags(io->pfrio_buffer, io->pfrio_size,
2852 io->pfrio_setflag, io->pfrio_clrflag, &io->pfrio_nchange,
2853 &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2857 case DIOCRCLRADDRS: {
2858 struct pfioc_table *io = (struct pfioc_table *)addr;
2860 if (io->pfrio_esize != 0) {
2864 error = pfr_clr_addrs(&io->pfrio_table, &io->pfrio_ndel,
2865 io->pfrio_flags | PFR_FLAG_USERIOCTL);
2869 case DIOCRADDADDRS: {
2870 struct pfioc_table *io = (struct pfioc_table *)addr;
2872 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2876 error = pfr_add_addrs(&io->pfrio_table, io->pfrio_buffer,
2877 io->pfrio_size, &io->pfrio_nadd, io->pfrio_flags |
2878 PFR_FLAG_USERIOCTL);
2882 case DIOCRDELADDRS: {
2883 struct pfioc_table *io = (struct pfioc_table *)addr;
2885 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2889 error = pfr_del_addrs(&io->pfrio_table, io->pfrio_buffer,
2890 io->pfrio_size, &io->pfrio_ndel, io->pfrio_flags |
2891 PFR_FLAG_USERIOCTL);
2895 case DIOCRSETADDRS: {
2896 struct pfioc_table *io = (struct pfioc_table *)addr;
2898 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2902 error = pfr_set_addrs(&io->pfrio_table, io->pfrio_buffer,
2903 io->pfrio_size, &io->pfrio_size2, &io->pfrio_nadd,
2904 &io->pfrio_ndel, &io->pfrio_nchange, io->pfrio_flags |
2905 PFR_FLAG_USERIOCTL);
2909 case DIOCRGETADDRS: {
2910 struct pfioc_table *io = (struct pfioc_table *)addr;
2912 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2916 error = pfr_get_addrs(&io->pfrio_table, io->pfrio_buffer,
2917 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2921 case DIOCRGETASTATS: {
2922 struct pfioc_table *io = (struct pfioc_table *)addr;
2924 if (io->pfrio_esize != sizeof(struct pfr_astats)) {
2928 error = pfr_get_astats(&io->pfrio_table, io->pfrio_buffer,
2929 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2933 case DIOCRCLRASTATS: {
2934 struct pfioc_table *io = (struct pfioc_table *)addr;
2936 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2940 error = pfr_clr_astats(&io->pfrio_table, io->pfrio_buffer,
2941 io->pfrio_size, &io->pfrio_nzero, io->pfrio_flags |
2942 PFR_FLAG_USERIOCTL);
2946 case DIOCRTSTADDRS: {
2947 struct pfioc_table *io = (struct pfioc_table *)addr;
2949 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2953 error = pfr_tst_addrs(&io->pfrio_table, io->pfrio_buffer,
2954 io->pfrio_size, &io->pfrio_nmatch, io->pfrio_flags |
2955 PFR_FLAG_USERIOCTL);
2959 case DIOCRINADEFINE: {
2960 struct pfioc_table *io = (struct pfioc_table *)addr;
2962 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2966 error = pfr_ina_define(&io->pfrio_table, io->pfrio_buffer,
2967 io->pfrio_size, &io->pfrio_nadd, &io->pfrio_naddr,
2968 io->pfrio_ticket, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2973 struct pf_osfp_ioctl *io = (struct pf_osfp_ioctl *)addr;
2974 error = pf_osfp_add(io);
2979 struct pf_osfp_ioctl *io = (struct pf_osfp_ioctl *)addr;
2980 error = pf_osfp_get(io);
2985 struct pfioc_trans *io = (struct pfioc_trans *)
2987 static struct pfioc_trans_e ioe;
2988 static struct pfr_table table;
2991 if (io->esize != sizeof(ioe)) {
2995 for (i = 0; i < io->size; i++) {
2997 PF_COPYIN(io->array+i, &ioe, sizeof(ioe), error);
3000 if (copyin(io->array+i, &ioe, sizeof(ioe))) {
3005 switch (ioe.rs_num) {
3007 case PF_RULESET_ALTQ:
3008 if (ioe.anchor[0]) {
3012 if ((error = pf_begin_altq(&ioe.ticket)))
3016 case PF_RULESET_TABLE:
3017 bzero(&table, sizeof(table));
3018 strlcpy(table.pfrt_anchor, ioe.anchor,
3019 sizeof(table.pfrt_anchor));
3020 if ((error = pfr_ina_begin(&table,
3021 &ioe.ticket, NULL, 0)))
3025 if ((error = pf_begin_rules(&ioe.ticket,
3026 ioe.rs_num, ioe.anchor)))
3031 PF_COPYOUT(&ioe, io->array+i, sizeof(io->array[i]),
3035 if (copyout(&ioe, io->array+i, sizeof(io->array[i]))) {
3044 case DIOCXROLLBACK: {
3045 struct pfioc_trans *io = (struct pfioc_trans *)
3047 static struct pfioc_trans_e ioe;
3048 static struct pfr_table table;
3051 if (io->esize != sizeof(ioe)) {
3055 for (i = 0; i < io->size; i++) {
3057 PF_COPYIN(io->array+i, &ioe, sizeof(ioe), error);
3060 if (copyin(io->array+i, &ioe, sizeof(ioe))) {
3065 switch (ioe.rs_num) {
3067 case PF_RULESET_ALTQ:
3068 if (ioe.anchor[0]) {
3072 if ((error = pf_rollback_altq(ioe.ticket)))
3073 goto fail; /* really bad */
3076 case PF_RULESET_TABLE:
3077 bzero(&table, sizeof(table));
3078 strlcpy(table.pfrt_anchor, ioe.anchor,
3079 sizeof(table.pfrt_anchor));
3080 if ((error = pfr_ina_rollback(&table,
3081 ioe.ticket, NULL, 0)))
3082 goto fail; /* really bad */
3085 if ((error = pf_rollback_rules(ioe.ticket,
3086 ioe.rs_num, ioe.anchor)))
3087 goto fail; /* really bad */
3095 struct pfioc_trans *io = (struct pfioc_trans *)
3097 static struct pfioc_trans_e ioe;
3098 static struct pfr_table table;
3099 struct pf_ruleset *rs;
3102 if (io->esize != sizeof(ioe)) {
3106 /* first makes sure everything will succeed */
3107 for (i = 0; i < io->size; i++) {
3109 PF_COPYIN(io->array+i, &ioe, sizeof(ioe), error);
3112 if (copyin(io->array+i, &ioe, sizeof(ioe))) {
3117 switch (ioe.rs_num) {
3119 case PF_RULESET_ALTQ:
3120 if (ioe.anchor[0]) {
3124 if (!altqs_inactive_open || ioe.ticket !=
3125 ticket_altqs_inactive) {
3131 case PF_RULESET_TABLE:
3132 rs = pf_find_ruleset(ioe.anchor);
3133 if (rs == NULL || !rs->topen || ioe.ticket !=
3140 if (ioe.rs_num < 0 || ioe.rs_num >=
3145 rs = pf_find_ruleset(ioe.anchor);
3147 !rs->rules[ioe.rs_num].inactive.open ||
3148 rs->rules[ioe.rs_num].inactive.ticket !=
3156 /* now do the commit - no errors should happen here */
3157 for (i = 0; i < io->size; i++) {
3159 PF_COPYIN(io->array+i, &ioe, sizeof(ioe), error);
3162 if (copyin(io->array+i, &ioe, sizeof(ioe))) {
3167 switch (ioe.rs_num) {
3169 case PF_RULESET_ALTQ:
3170 if ((error = pf_commit_altq(ioe.ticket)))
3171 goto fail; /* really bad */
3174 case PF_RULESET_TABLE:
3175 bzero(&table, sizeof(table));
3176 strlcpy(table.pfrt_anchor, ioe.anchor,
3177 sizeof(table.pfrt_anchor));
3178 if ((error = pfr_ina_commit(&table, ioe.ticket,
3180 goto fail; /* really bad */
3183 if ((error = pf_commit_rules(ioe.ticket,
3184 ioe.rs_num, ioe.anchor)))
3185 goto fail; /* really bad */
3192 case DIOCGETSRCNODES: {
3193 struct pfioc_src_nodes *psn = (struct pfioc_src_nodes *)addr;
3194 struct pf_src_node *n;
3195 struct pf_src_node *p, pstore;
3197 int space = psn->psn_len;
3200 RB_FOREACH(n, pf_src_tree, &tree_src_tracking)
3202 psn->psn_len = sizeof(struct pf_src_node) * nr;
3206 p = psn->psn_src_nodes;
3207 RB_FOREACH(n, pf_src_tree, &tree_src_tracking) {
3208 int secs = time_second, diff;
3210 if ((nr + 1) * sizeof(*p) > (unsigned)psn->psn_len)
3213 bcopy(n, &pstore, sizeof(pstore));
3214 if (n->rule.ptr != NULL)
3215 pstore.rule.nr = n->rule.ptr->nr;
3216 pstore.creation = secs - pstore.creation;
3217 if (pstore.expire > secs)
3218 pstore.expire -= secs;
3222 /* adjust the connection rate estimate */
3223 diff = secs - n->conn_rate.last;
3224 if (diff >= n->conn_rate.seconds)
3225 pstore.conn_rate.count = 0;
3227 pstore.conn_rate.count -=
3228 n->conn_rate.count * diff /
3229 n->conn_rate.seconds;
3232 PF_COPYOUT(&pstore, p, sizeof(*p), error);
3234 error = copyout(&pstore, p, sizeof(*p));
3241 psn->psn_len = sizeof(struct pf_src_node) * nr;
3245 case DIOCCLRSRCNODES: {
3246 struct pf_src_node *n;
3247 struct pf_state *state;
3249 RB_FOREACH(state, pf_state_tree_id, &tree_id) {
3250 state->src_node = NULL;
3251 state->nat_src_node = NULL;
3253 RB_FOREACH(n, pf_src_tree, &tree_src_tracking) {
3257 pf_purge_expired_src_nodes();
3258 pf_status.src_nodes = 0;
3262 case DIOCSETHOSTID: {
3263 u_int32_t *hostid = (u_int32_t *)addr;
3266 pf_status.hostid = arc4random();
3268 pf_status.hostid = *hostid;
3276 case DIOCIGETIFACES: {
3277 struct pfioc_iface *io = (struct pfioc_iface *)addr;
3279 if (io->pfiio_esize != sizeof(struct pfi_if)) {
3283 error = pfi_get_ifaces(io->pfiio_name, io->pfiio_buffer,
3284 &io->pfiio_size, io->pfiio_flags);
3288 case DIOCICLRISTATS: {
3289 struct pfioc_iface *io = (struct pfioc_iface *)addr;
3291 error = pfi_clr_istats(io->pfiio_name, &io->pfiio_nzero,
3296 case DIOCSETIFFLAG: {
3297 struct pfioc_iface *io = (struct pfioc_iface *)addr;
3299 error = pfi_set_flags(io->pfiio_name, io->pfiio_flags);
3303 case DIOCCLRIFFLAG: {
3304 struct pfioc_iface *io = (struct pfioc_iface *)addr;
3306 error = pfi_clear_flags(io->pfiio_name, io->pfiio_flags);
3325 * XXX - Check for version missmatch!!!
3328 pf_clear_states(void)
3330 struct pf_state *state;
3332 RB_FOREACH(state, pf_state_tree_id, &tree_id) {
3333 state->timeout = PFTM_PURGE;
3335 /* don't send out individual delete messages */
3336 state->sync_flags = PFSTATE_NOSYNC;
3339 pf_purge_expired_states();
3340 pf_status.states = 0;
3343 * XXX This is called on module unload, we do not want to sync that over? */
3345 pfsync_clear_states(pf_status.hostid, psk->psk_ifname);
3350 pf_clear_tables(void)
3352 struct pfioc_table io;
3355 bzero(&io, sizeof(io));
3357 error = pfr_clr_tables(&io.pfrio_table, &io.pfrio_ndel,
3364 pf_clear_srcnodes(void)
3366 struct pf_src_node *n;
3367 struct pf_state *state;
3369 RB_FOREACH(state, pf_state_tree_id, &tree_id) {
3370 state->src_node = NULL;
3371 state->nat_src_node = NULL;
3373 RB_FOREACH(n, pf_src_tree, &tree_src_tracking) {
3377 pf_purge_expired_src_nodes();
3378 pf_status.src_nodes = 0;
3381 * XXX - Check for version missmatch!!!
3385 * Duplicate pfctl -Fa operation to get rid of as much as we can.
3394 callout_stop(&pf_expire_to);
3396 pf_status.running = 0;
3398 if ((error = pf_begin_rules(&t[0], PF_RULESET_SCRUB, &nn))
3400 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: SCRUB\n"));
3403 if ((error = pf_begin_rules(&t[1], PF_RULESET_FILTER, &nn))
3405 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: FILTER\n"));
3406 break; /* XXX: rollback? */
3408 if ((error = pf_begin_rules(&t[2], PF_RULESET_NAT, &nn))
3410 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: NAT\n"));
3411 break; /* XXX: rollback? */
3413 if ((error = pf_begin_rules(&t[3], PF_RULESET_BINAT, &nn))
3415 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: BINAT\n"));
3416 break; /* XXX: rollback? */
3418 if ((error = pf_begin_rules(&t[4], PF_RULESET_RDR, &nn))
3420 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: RDR\n"));
3421 break; /* XXX: rollback? */
3424 /* XXX: these should always succeed here */
3425 pf_commit_rules(t[0], PF_RULESET_SCRUB, &nn);
3426 pf_commit_rules(t[1], PF_RULESET_FILTER, &nn);
3427 pf_commit_rules(t[2], PF_RULESET_NAT, &nn);
3428 pf_commit_rules(t[3], PF_RULESET_BINAT, &nn);
3429 pf_commit_rules(t[4], PF_RULESET_RDR, &nn);
3431 if ((error = pf_clear_tables()) != 0)
3435 if ((error = pf_begin_altq(&t[0])) != 0) {
3436 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: ALTQ\n"));
3439 pf_commit_altq(t[0]);
3444 pf_clear_srcnodes();
3446 /* status does not use malloced mem so no need to cleanup */
3447 /* fingerprints and interfaces have thier own cleanup code */
3454 pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
3458 * XXX Wed Jul 9 22:03:16 2003 UTC
3459 * OpenBSD has changed its byte ordering convention on ip_len/ip_off
3460 * in network stack. OpenBSD's network stack have converted
3461 * ip_len/ip_off to host byte order frist as FreeBSD.
3462 * Now this is not true anymore , so we should convert back to network
3465 struct ip *h = NULL;
3468 if ((*m)->m_pkthdr.len >= (int)sizeof(struct ip)) {
3469 /* if m_pkthdr.len is less than ip header, pf will handle. */
3470 h = mtod(*m, struct ip *);
3474 chk = pf_test(PF_IN, ifp, m, NULL, inp);
3480 /* pf_test can change ip header location */
3481 h = mtod(*m, struct ip *);
3489 pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
3493 * XXX Wed Jul 9 22:03:16 2003 UTC
3494 * OpenBSD has changed its byte ordering convention on ip_len/ip_off
3495 * in network stack. OpenBSD's network stack have converted
3496 * ip_len/ip_off to host byte order frist as FreeBSD.
3497 * Now this is not true anymore , so we should convert back to network
3500 struct ip *h = NULL;
3503 /* We need a proper CSUM befor we start (s. OpenBSD ip_output) */
3504 if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
3505 in_delayed_cksum(*m);
3506 (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
3508 if ((*m)->m_pkthdr.len >= (int)sizeof(*h)) {
3509 /* if m_pkthdr.len is less than ip header, pf will handle. */
3510 h = mtod(*m, struct ip *);
3514 chk = pf_test(PF_OUT, ifp, m, NULL, inp);
3520 /* pf_test can change ip header location */
3521 h = mtod(*m, struct ip *);
3530 pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
3534 * IPv6 is not affected by ip_len/ip_off byte order changes.
3539 * In case of loopback traffic IPv6 uses the real interface in
3540 * order to support scoped addresses. In order to support stateful
3541 * filtering we have change this to lo0 as it is the case in IPv4.
3543 chk = pf_test6(PF_IN, (*m)->m_flags & M_LOOP ? &loif[0] : ifp, m,
3553 pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
3557 * IPv6 does not affected ip_len/ip_off byte order changes.
3561 /* We need a proper CSUM befor we start (s. OpenBSD ip_output) */
3562 if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
3563 in_delayed_cksum(*m);
3564 (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
3566 chk = pf_test6(PF_OUT, ifp, m, NULL, inp);
3578 struct pfil_head *pfh_inet;
3580 struct pfil_head *pfh_inet6;
3583 PF_ASSERT(MA_NOTOWNED);
3588 pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
3589 if (pfh_inet == NULL)
3590 return (ESRCH); /* XXX */
3591 pfil_add_hook(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet);
3592 pfil_add_hook(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet);
3594 pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
3595 if (pfh_inet6 == NULL) {
3596 pfil_remove_hook(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK,
3598 pfil_remove_hook(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK,
3600 return (ESRCH); /* XXX */
3602 pfil_add_hook(pf_check6_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6);
3603 pfil_add_hook(pf_check6_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6);
3613 struct pfil_head *pfh_inet;
3615 struct pfil_head *pfh_inet6;
3618 PF_ASSERT(MA_NOTOWNED);
3620 if (pf_pfil_hooked == 0)
3623 pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
3624 if (pfh_inet == NULL)
3625 return (ESRCH); /* XXX */
3626 pfil_remove_hook(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK,
3628 pfil_remove_hook(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK,
3631 pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
3632 if (pfh_inet6 == NULL)
3633 return (ESRCH); /* XXX */
3634 pfil_remove_hook(pf_check6_in, NULL, PFIL_IN | PFIL_WAITOK,
3636 pfil_remove_hook(pf_check6_out, NULL, PFIL_OUT | PFIL_WAITOK,
3649 pf_dev = make_dev(&pf_cdevsw, 0, 0, 0, 0600, PF_NAME);
3650 if (pfattach() < 0) {
3651 destroy_dev(pf_dev);
3664 pf_status.running = 0;
3666 error = dehook_pf();
3669 * Should not happen!
3670 * XXX Due to error code ESRCH, kldunload will show
3671 * a message like 'No such process'.
3673 printf("%s : pfil unregisteration fail\n", __FUNCTION__);
3683 destroy_dev(pf_dev);
3689 pf_modevent(module_t mod, int type, void *data)
3699 error = pf_unload();
3708 static moduledata_t pf_mod = {
3714 DECLARE_MODULE(pf, pf_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_FIRST);
3715 MODULE_VERSION(pf, PF_MODVER);
3716 #endif /* __FreeBSD__ */
projects / FreeBSD / FreeBSD.git / blob