2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2001 Daniel Hartmeier
5 * Copyright (c) 2002,2003 Henning Brauer
6 * Copyright (c) 2012 Gleb Smirnoff <glebius@FreeBSD.org>
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * - Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * - Redistributions in binary form must reproduce the above
16 * copyright notice, this list of conditions and the following
17 * disclaimer in the documentation and/or other materials provided
18 * with the distribution.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
28 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
30 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
33 * Effort sponsored in part by the Defense Advanced Research Projects
34 * Agency (DARPA) and Air Force Research Laboratory, Air Force
35 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
37 * $OpenBSD: pf_ioctl.c,v 1.213 2009/02/15 21:46:12 mbalmer Exp $
40 #include <sys/cdefs.h>
41 __FBSDID("$FreeBSD$");
44 #include "opt_inet6.h"
48 #include <sys/param.h>
49 #include <sys/_bitset.h>
50 #include <sys/bitset.h>
53 #include <sys/endian.h>
54 #include <sys/fcntl.h>
55 #include <sys/filio.h>
57 #include <sys/interrupt.h>
59 #include <sys/kernel.h>
60 #include <sys/kthread.h>
63 #include <sys/module.h>
67 #include <sys/socket.h>
68 #include <sys/sysctl.h>
70 #include <sys/ucred.h>
73 #include <net/if_var.h>
75 #include <net/route.h>
77 #include <net/pfvar.h>
78 #include <net/if_pfsync.h>
79 #include <net/if_pflog.h>
81 #include <netinet/in.h>
82 #include <netinet/ip.h>
83 #include <netinet/ip_var.h>
84 #include <netinet6/ip6_var.h>
85 #include <netinet/ip_icmp.h>
86 #include <netpfil/pf/pf_nv.h>
89 #include <netinet/ip6.h>
93 #include <net/altq/altq.h>
96 static struct pf_kpool *pf_get_kpool(char *, u_int32_t, u_int8_t, u_int32_t,
97 u_int8_t, u_int8_t, u_int8_t);
99 static void pf_mv_kpool(struct pf_kpalist *, struct pf_kpalist *);
100 static void pf_empty_kpool(struct pf_kpalist *);
101 static int pfioctl(struct cdev *, u_long, caddr_t, int,
104 static int pf_begin_altq(u_int32_t *);
105 static int pf_rollback_altq(u_int32_t);
106 static int pf_commit_altq(u_int32_t);
107 static int pf_enable_altq(struct pf_altq *);
108 static int pf_disable_altq(struct pf_altq *);
109 static u_int32_t pf_qname2qid(char *);
110 static void pf_qid_unref(u_int32_t);
112 static int pf_begin_rules(u_int32_t *, int, const char *);
113 static int pf_rollback_rules(u_int32_t, int, char *);
114 static int pf_setup_pfsync_matching(struct pf_kruleset *);
115 static void pf_hash_rule(MD5_CTX *, struct pf_krule *);
116 static void pf_hash_rule_addr(MD5_CTX *, struct pf_rule_addr *);
117 static int pf_commit_rules(u_int32_t, int, char *);
118 static int pf_addr_setup(struct pf_kruleset *,
119 struct pf_addr_wrap *, sa_family_t);
120 static void pf_addr_copyout(struct pf_addr_wrap *);
121 static void pf_src_node_copy(const struct pf_ksrc_node *,
122 struct pf_src_node *);
124 static int pf_export_kaltq(struct pf_altq *,
125 struct pfioc_altq_v1 *, size_t);
126 static int pf_import_kaltq(struct pfioc_altq_v1 *,
127 struct pf_altq *, size_t);
130 VNET_DEFINE(struct pf_krule, pf_default_rule);
133 VNET_DEFINE_STATIC(int, pf_altq_running);
134 #define V_pf_altq_running VNET(pf_altq_running)
137 #define TAGID_MAX 50000
139 TAILQ_ENTRY(pf_tagname) namehash_entries;
140 TAILQ_ENTRY(pf_tagname) taghash_entries;
141 char name[PF_TAG_NAME_SIZE];
147 TAILQ_HEAD(, pf_tagname) *namehash;
148 TAILQ_HEAD(, pf_tagname) *taghash;
151 BITSET_DEFINE(, TAGID_MAX) avail;
154 VNET_DEFINE(struct pf_tagset, pf_tags);
155 #define V_pf_tags VNET(pf_tags)
156 static unsigned int pf_rule_tag_hashsize;
157 #define PF_RULE_TAG_HASH_SIZE_DEFAULT 128
158 SYSCTL_UINT(_net_pf, OID_AUTO, rule_tag_hashsize, CTLFLAG_RDTUN,
159 &pf_rule_tag_hashsize, PF_RULE_TAG_HASH_SIZE_DEFAULT,
160 "Size of pf(4) rule tag hashtable");
163 VNET_DEFINE(struct pf_tagset, pf_qids);
164 #define V_pf_qids VNET(pf_qids)
165 static unsigned int pf_queue_tag_hashsize;
166 #define PF_QUEUE_TAG_HASH_SIZE_DEFAULT 128
167 SYSCTL_UINT(_net_pf, OID_AUTO, queue_tag_hashsize, CTLFLAG_RDTUN,
168 &pf_queue_tag_hashsize, PF_QUEUE_TAG_HASH_SIZE_DEFAULT,
169 "Size of pf(4) queue tag hashtable");
171 VNET_DEFINE(uma_zone_t, pf_tag_z);
172 #define V_pf_tag_z VNET(pf_tag_z)
173 static MALLOC_DEFINE(M_PFALTQ, "pf_altq", "pf(4) altq configuration db");
174 static MALLOC_DEFINE(M_PFRULE, "pf_rule", "pf(4) rules");
176 #if (PF_QNAME_SIZE != PF_TAG_NAME_SIZE)
177 #error PF_QNAME_SIZE must be equal to PF_TAG_NAME_SIZE
180 static void pf_init_tagset(struct pf_tagset *, unsigned int *,
182 static void pf_cleanup_tagset(struct pf_tagset *);
183 static uint16_t tagname2hashindex(const struct pf_tagset *, const char *);
184 static uint16_t tag2hashindex(const struct pf_tagset *, uint16_t);
185 static u_int16_t tagname2tag(struct pf_tagset *, char *);
186 static u_int16_t pf_tagname2tag(char *);
187 static void tag_unref(struct pf_tagset *, u_int16_t);
189 #define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x
194 * XXX - These are new and need to be checked when moveing to a new version
196 static void pf_clear_states(void);
197 static int pf_clear_tables(void);
198 static void pf_clear_srcnodes(struct pf_ksrc_node *);
199 static void pf_kill_srcnodes(struct pfioc_src_node_kill *);
200 static void pf_tbladdr_copyout(struct pf_addr_wrap *);
203 * Wrapper functions for pfil(9) hooks
206 static int pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp,
207 int dir, int flags, struct inpcb *inp);
208 static int pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp,
209 int dir, int flags, struct inpcb *inp);
212 static int pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp,
213 int dir, int flags, struct inpcb *inp);
214 static int pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp,
215 int dir, int flags, struct inpcb *inp);
218 static int hook_pf(void);
219 static int dehook_pf(void);
220 static int shutdown_pf(void);
221 static int pf_load(void);
222 static void pf_unload(void);
224 static struct cdevsw pf_cdevsw = {
227 .d_version = D_VERSION,
230 volatile VNET_DEFINE_STATIC(int, pf_pfil_hooked);
231 #define V_pf_pfil_hooked VNET(pf_pfil_hooked)
234 * We need a flag that is neither hooked nor running to know when
235 * the VNET is "valid". We primarily need this to control (global)
236 * external event, e.g., eventhandlers.
238 VNET_DEFINE(int, pf_vnet_active);
239 #define V_pf_vnet_active VNET(pf_vnet_active)
242 struct proc *pf_purge_proc;
244 struct rmlock pf_rules_lock;
245 struct sx pf_ioctl_lock;
246 struct sx pf_end_lock;
249 VNET_DEFINE(pfsync_state_import_t *, pfsync_state_import_ptr);
250 VNET_DEFINE(pfsync_insert_state_t *, pfsync_insert_state_ptr);
251 VNET_DEFINE(pfsync_update_state_t *, pfsync_update_state_ptr);
252 VNET_DEFINE(pfsync_delete_state_t *, pfsync_delete_state_ptr);
253 VNET_DEFINE(pfsync_clear_states_t *, pfsync_clear_states_ptr);
254 VNET_DEFINE(pfsync_defer_t *, pfsync_defer_ptr);
255 pfsync_detach_ifnet_t *pfsync_detach_ifnet_ptr;
258 pflog_packet_t *pflog_packet_ptr = NULL;
260 extern u_long pf_ioctl_maxcount;
265 u_int32_t *my_timeout = V_pf_default_rule.timeout;
269 pfi_initialize_vnet();
272 V_pf_limits[PF_LIMIT_STATES].limit = PFSTATE_HIWAT;
273 V_pf_limits[PF_LIMIT_SRC_NODES].limit = PFSNODE_HIWAT;
275 RB_INIT(&V_pf_anchors);
276 pf_init_kruleset(&pf_main_ruleset);
278 /* default rule should never be garbage collected */
279 V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
280 #ifdef PF_DEFAULT_TO_DROP
281 V_pf_default_rule.action = PF_DROP;
283 V_pf_default_rule.action = PF_PASS;
285 V_pf_default_rule.nr = -1;
286 V_pf_default_rule.rtableid = -1;
288 V_pf_default_rule.evaluations = counter_u64_alloc(M_WAITOK);
289 for (int i = 0; i < 2; i++) {
290 V_pf_default_rule.packets[i] = counter_u64_alloc(M_WAITOK);
291 V_pf_default_rule.bytes[i] = counter_u64_alloc(M_WAITOK);
293 V_pf_default_rule.states_cur = counter_u64_alloc(M_WAITOK);
294 V_pf_default_rule.states_tot = counter_u64_alloc(M_WAITOK);
295 V_pf_default_rule.src_nodes = counter_u64_alloc(M_WAITOK);
297 /* initialize default timeouts */
298 my_timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
299 my_timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL;
300 my_timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL;
301 my_timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL;
302 my_timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL;
303 my_timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL;
304 my_timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL;
305 my_timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL;
306 my_timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL;
307 my_timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL;
308 my_timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL;
309 my_timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL;
310 my_timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL;
311 my_timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL;
312 my_timeout[PFTM_FRAG] = PFTM_FRAG_VAL;
313 my_timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL;
314 my_timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL;
315 my_timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
316 my_timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;
317 my_timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;
319 bzero(&V_pf_status, sizeof(V_pf_status));
320 V_pf_status.debug = PF_DEBUG_URGENT;
322 V_pf_pfil_hooked = 0;
324 /* XXX do our best to avoid a conflict */
325 V_pf_status.hostid = arc4random();
327 for (int i = 0; i < PFRES_MAX; i++)
328 V_pf_status.counters[i] = counter_u64_alloc(M_WAITOK);
329 for (int i = 0; i < LCNT_MAX; i++)
330 V_pf_status.lcounters[i] = counter_u64_alloc(M_WAITOK);
331 for (int i = 0; i < FCNT_MAX; i++)
332 V_pf_status.fcounters[i] = counter_u64_alloc(M_WAITOK);
333 for (int i = 0; i < SCNT_MAX; i++)
334 V_pf_status.scounters[i] = counter_u64_alloc(M_WAITOK);
336 if (swi_add(&V_pf_swi_ie, "pf send", pf_intr, curvnet, SWI_NET,
337 INTR_MPSAFE, &V_pf_swi_cookie) != 0)
338 /* XXXGL: leaked all above. */
342 static struct pf_kpool *
343 pf_get_kpool(char *anchor, u_int32_t ticket, u_int8_t rule_action,
344 u_int32_t rule_number, u_int8_t r_last, u_int8_t active,
345 u_int8_t check_ticket)
347 struct pf_kruleset *ruleset;
348 struct pf_krule *rule;
351 ruleset = pf_find_kruleset(anchor);
354 rs_num = pf_get_ruleset_number(rule_action);
355 if (rs_num >= PF_RULESET_MAX)
358 if (check_ticket && ticket !=
359 ruleset->rules[rs_num].active.ticket)
362 rule = TAILQ_LAST(ruleset->rules[rs_num].active.ptr,
365 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
367 if (check_ticket && ticket !=
368 ruleset->rules[rs_num].inactive.ticket)
371 rule = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
374 rule = TAILQ_FIRST(ruleset->rules[rs_num].inactive.ptr);
377 while ((rule != NULL) && (rule->nr != rule_number))
378 rule = TAILQ_NEXT(rule, entries);
383 return (&rule->rpool);
387 pf_mv_kpool(struct pf_kpalist *poola, struct pf_kpalist *poolb)
389 struct pf_kpooladdr *mv_pool_pa;
391 while ((mv_pool_pa = TAILQ_FIRST(poola)) != NULL) {
392 TAILQ_REMOVE(poola, mv_pool_pa, entries);
393 TAILQ_INSERT_TAIL(poolb, mv_pool_pa, entries);
398 pf_empty_kpool(struct pf_kpalist *poola)
400 struct pf_kpooladdr *pa;
402 while ((pa = TAILQ_FIRST(poola)) != NULL) {
403 switch (pa->addr.type) {
404 case PF_ADDR_DYNIFTL:
405 pfi_dynaddr_remove(pa->addr.p.dyn);
408 /* XXX: this could be unfinished pooladdr on pabuf */
409 if (pa->addr.p.tbl != NULL)
410 pfr_detach_table(pa->addr.p.tbl);
414 pfi_kkif_unref(pa->kif);
415 TAILQ_REMOVE(poola, pa, entries);
421 pf_unlink_rule(struct pf_krulequeue *rulequeue, struct pf_krule *rule)
426 TAILQ_REMOVE(rulequeue, rule, entries);
428 PF_UNLNKDRULES_LOCK();
429 rule->rule_ref |= PFRULE_REFS;
430 TAILQ_INSERT_TAIL(&V_pf_unlinked_rules, rule, entries);
431 PF_UNLNKDRULES_UNLOCK();
435 pf_free_rule(struct pf_krule *rule)
441 tag_unref(&V_pf_tags, rule->tag);
443 tag_unref(&V_pf_tags, rule->match_tag);
445 if (rule->pqid != rule->qid)
446 pf_qid_unref(rule->pqid);
447 pf_qid_unref(rule->qid);
449 switch (rule->src.addr.type) {
450 case PF_ADDR_DYNIFTL:
451 pfi_dynaddr_remove(rule->src.addr.p.dyn);
454 pfr_detach_table(rule->src.addr.p.tbl);
457 switch (rule->dst.addr.type) {
458 case PF_ADDR_DYNIFTL:
459 pfi_dynaddr_remove(rule->dst.addr.p.dyn);
462 pfr_detach_table(rule->dst.addr.p.tbl);
465 if (rule->overload_tbl)
466 pfr_detach_table(rule->overload_tbl);
468 pfi_kkif_unref(rule->kif);
469 pf_kanchor_remove(rule);
470 pf_empty_kpool(&rule->rpool.list);
476 pf_init_tagset(struct pf_tagset *ts, unsigned int *tunable_size,
477 unsigned int default_size)
480 unsigned int hashsize;
482 if (*tunable_size == 0 || !powerof2(*tunable_size))
483 *tunable_size = default_size;
485 hashsize = *tunable_size;
486 ts->namehash = mallocarray(hashsize, sizeof(*ts->namehash), M_PFHASH,
488 ts->taghash = mallocarray(hashsize, sizeof(*ts->taghash), M_PFHASH,
490 ts->mask = hashsize - 1;
491 ts->seed = arc4random();
492 for (i = 0; i < hashsize; i++) {
493 TAILQ_INIT(&ts->namehash[i]);
494 TAILQ_INIT(&ts->taghash[i]);
496 BIT_FILL(TAGID_MAX, &ts->avail);
500 pf_cleanup_tagset(struct pf_tagset *ts)
503 unsigned int hashsize;
504 struct pf_tagname *t, *tmp;
507 * Only need to clean up one of the hashes as each tag is hashed
510 hashsize = ts->mask + 1;
511 for (i = 0; i < hashsize; i++)
512 TAILQ_FOREACH_SAFE(t, &ts->namehash[i], namehash_entries, tmp)
513 uma_zfree(V_pf_tag_z, t);
515 free(ts->namehash, M_PFHASH);
516 free(ts->taghash, M_PFHASH);
520 tagname2hashindex(const struct pf_tagset *ts, const char *tagname)
524 len = strnlen(tagname, PF_TAG_NAME_SIZE - 1);
525 return (murmur3_32_hash(tagname, len, ts->seed) & ts->mask);
529 tag2hashindex(const struct pf_tagset *ts, uint16_t tag)
532 return (tag & ts->mask);
536 tagname2tag(struct pf_tagset *ts, char *tagname)
538 struct pf_tagname *tag;
544 index = tagname2hashindex(ts, tagname);
545 TAILQ_FOREACH(tag, &ts->namehash[index], namehash_entries)
546 if (strcmp(tagname, tag->name) == 0) {
554 * to avoid fragmentation, we do a linear search from the beginning
555 * and take the first free slot we find.
557 new_tagid = BIT_FFS(TAGID_MAX, &ts->avail);
559 * Tags are 1-based, with valid tags in the range [1..TAGID_MAX].
560 * BIT_FFS() returns a 1-based bit number, with 0 indicating no bits
561 * set. It may also return a bit number greater than TAGID_MAX due
562 * to rounding of the number of bits in the vector up to a multiple
563 * of the vector word size at declaration/allocation time.
565 if ((new_tagid == 0) || (new_tagid > TAGID_MAX))
568 /* Mark the tag as in use. Bits are 0-based for BIT_CLR() */
569 BIT_CLR(TAGID_MAX, new_tagid - 1, &ts->avail);
571 /* allocate and fill new struct pf_tagname */
572 tag = uma_zalloc(V_pf_tag_z, M_NOWAIT);
575 strlcpy(tag->name, tagname, sizeof(tag->name));
576 tag->tag = new_tagid;
579 /* Insert into namehash */
580 TAILQ_INSERT_TAIL(&ts->namehash[index], tag, namehash_entries);
582 /* Insert into taghash */
583 index = tag2hashindex(ts, new_tagid);
584 TAILQ_INSERT_TAIL(&ts->taghash[index], tag, taghash_entries);
590 tag_unref(struct pf_tagset *ts, u_int16_t tag)
592 struct pf_tagname *t;
597 index = tag2hashindex(ts, tag);
598 TAILQ_FOREACH(t, &ts->taghash[index], taghash_entries)
601 TAILQ_REMOVE(&ts->taghash[index], t,
603 index = tagname2hashindex(ts, t->name);
604 TAILQ_REMOVE(&ts->namehash[index], t,
606 /* Bits are 0-based for BIT_SET() */
607 BIT_SET(TAGID_MAX, tag - 1, &ts->avail);
608 uma_zfree(V_pf_tag_z, t);
615 pf_tagname2tag(char *tagname)
617 return (tagname2tag(&V_pf_tags, tagname));
622 pf_qname2qid(char *qname)
624 return ((u_int32_t)tagname2tag(&V_pf_qids, qname));
628 pf_qid_unref(u_int32_t qid)
630 tag_unref(&V_pf_qids, (u_int16_t)qid);
634 pf_begin_altq(u_int32_t *ticket)
636 struct pf_altq *altq, *tmp;
641 /* Purge the old altq lists */
642 TAILQ_FOREACH_SAFE(altq, V_pf_altq_ifs_inactive, entries, tmp) {
643 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
644 /* detach and destroy the discipline */
645 error = altq_remove(altq);
647 free(altq, M_PFALTQ);
649 TAILQ_INIT(V_pf_altq_ifs_inactive);
650 TAILQ_FOREACH_SAFE(altq, V_pf_altqs_inactive, entries, tmp) {
651 pf_qid_unref(altq->qid);
652 free(altq, M_PFALTQ);
654 TAILQ_INIT(V_pf_altqs_inactive);
657 *ticket = ++V_ticket_altqs_inactive;
658 V_altqs_inactive_open = 1;
663 pf_rollback_altq(u_int32_t ticket)
665 struct pf_altq *altq, *tmp;
670 if (!V_altqs_inactive_open || ticket != V_ticket_altqs_inactive)
672 /* Purge the old altq lists */
673 TAILQ_FOREACH_SAFE(altq, V_pf_altq_ifs_inactive, entries, tmp) {
674 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
675 /* detach and destroy the discipline */
676 error = altq_remove(altq);
678 free(altq, M_PFALTQ);
680 TAILQ_INIT(V_pf_altq_ifs_inactive);
681 TAILQ_FOREACH_SAFE(altq, V_pf_altqs_inactive, entries, tmp) {
682 pf_qid_unref(altq->qid);
683 free(altq, M_PFALTQ);
685 TAILQ_INIT(V_pf_altqs_inactive);
686 V_altqs_inactive_open = 0;
691 pf_commit_altq(u_int32_t ticket)
693 struct pf_altqqueue *old_altqs, *old_altq_ifs;
694 struct pf_altq *altq, *tmp;
699 if (!V_altqs_inactive_open || ticket != V_ticket_altqs_inactive)
702 /* swap altqs, keep the old. */
703 old_altqs = V_pf_altqs_active;
704 old_altq_ifs = V_pf_altq_ifs_active;
705 V_pf_altqs_active = V_pf_altqs_inactive;
706 V_pf_altq_ifs_active = V_pf_altq_ifs_inactive;
707 V_pf_altqs_inactive = old_altqs;
708 V_pf_altq_ifs_inactive = old_altq_ifs;
709 V_ticket_altqs_active = V_ticket_altqs_inactive;
711 /* Attach new disciplines */
712 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
713 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
714 /* attach the discipline */
715 error = altq_pfattach(altq);
716 if (error == 0 && V_pf_altq_running)
717 error = pf_enable_altq(altq);
723 /* Purge the old altq lists */
724 TAILQ_FOREACH_SAFE(altq, V_pf_altq_ifs_inactive, entries, tmp) {
725 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
726 /* detach and destroy the discipline */
727 if (V_pf_altq_running)
728 error = pf_disable_altq(altq);
729 err = altq_pfdetach(altq);
730 if (err != 0 && error == 0)
732 err = altq_remove(altq);
733 if (err != 0 && error == 0)
736 free(altq, M_PFALTQ);
738 TAILQ_INIT(V_pf_altq_ifs_inactive);
739 TAILQ_FOREACH_SAFE(altq, V_pf_altqs_inactive, entries, tmp) {
740 pf_qid_unref(altq->qid);
741 free(altq, M_PFALTQ);
743 TAILQ_INIT(V_pf_altqs_inactive);
745 V_altqs_inactive_open = 0;
750 pf_enable_altq(struct pf_altq *altq)
753 struct tb_profile tb;
756 if ((ifp = ifunit(altq->ifname)) == NULL)
759 if (ifp->if_snd.altq_type != ALTQT_NONE)
760 error = altq_enable(&ifp->if_snd);
762 /* set tokenbucket regulator */
763 if (error == 0 && ifp != NULL && ALTQ_IS_ENABLED(&ifp->if_snd)) {
764 tb.rate = altq->ifbandwidth;
765 tb.depth = altq->tbrsize;
766 error = tbr_set(&ifp->if_snd, &tb);
773 pf_disable_altq(struct pf_altq *altq)
776 struct tb_profile tb;
779 if ((ifp = ifunit(altq->ifname)) == NULL)
783 * when the discipline is no longer referenced, it was overridden
784 * by a new one. if so, just return.
786 if (altq->altq_disc != ifp->if_snd.altq_disc)
789 error = altq_disable(&ifp->if_snd);
792 /* clear tokenbucket regulator */
794 error = tbr_set(&ifp->if_snd, &tb);
801 pf_altq_ifnet_event_add(struct ifnet *ifp, int remove, u_int32_t ticket,
802 struct pf_altq *altq)
807 /* Deactivate the interface in question */
808 altq->local_flags &= ~PFALTQ_FLAG_IF_REMOVED;
809 if ((ifp1 = ifunit(altq->ifname)) == NULL ||
810 (remove && ifp1 == ifp)) {
811 altq->local_flags |= PFALTQ_FLAG_IF_REMOVED;
813 error = altq_add(ifp1, altq);
815 if (ticket != V_ticket_altqs_inactive)
819 free(altq, M_PFALTQ);
826 pf_altq_ifnet_event(struct ifnet *ifp, int remove)
828 struct pf_altq *a1, *a2, *a3;
833 * No need to re-evaluate the configuration for events on interfaces
834 * that do not support ALTQ, as it's not possible for such
835 * interfaces to be part of the configuration.
837 if (!ALTQ_IS_READY(&ifp->if_snd))
840 /* Interrupt userland queue modifications */
841 if (V_altqs_inactive_open)
842 pf_rollback_altq(V_ticket_altqs_inactive);
844 /* Start new altq ruleset */
845 if (pf_begin_altq(&ticket))
848 /* Copy the current active set */
849 TAILQ_FOREACH(a1, V_pf_altq_ifs_active, entries) {
850 a2 = malloc(sizeof(*a2), M_PFALTQ, M_NOWAIT);
855 bcopy(a1, a2, sizeof(struct pf_altq));
857 error = pf_altq_ifnet_event_add(ifp, remove, ticket, a2);
861 TAILQ_INSERT_TAIL(V_pf_altq_ifs_inactive, a2, entries);
865 TAILQ_FOREACH(a1, V_pf_altqs_active, entries) {
866 a2 = malloc(sizeof(*a2), M_PFALTQ, M_NOWAIT);
871 bcopy(a1, a2, sizeof(struct pf_altq));
873 if ((a2->qid = pf_qname2qid(a2->qname)) == 0) {
878 a2->altq_disc = NULL;
879 TAILQ_FOREACH(a3, V_pf_altq_ifs_inactive, entries) {
880 if (strncmp(a3->ifname, a2->ifname,
882 a2->altq_disc = a3->altq_disc;
886 error = pf_altq_ifnet_event_add(ifp, remove, ticket, a2);
890 TAILQ_INSERT_TAIL(V_pf_altqs_inactive, a2, entries);
895 pf_rollback_altq(ticket);
897 pf_commit_altq(ticket);
902 pf_begin_rules(u_int32_t *ticket, int rs_num, const char *anchor)
904 struct pf_kruleset *rs;
905 struct pf_krule *rule;
909 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
911 rs = pf_find_or_create_kruleset(anchor);
914 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
915 pf_unlink_rule(rs->rules[rs_num].inactive.ptr, rule);
916 rs->rules[rs_num].inactive.rcount--;
918 *ticket = ++rs->rules[rs_num].inactive.ticket;
919 rs->rules[rs_num].inactive.open = 1;
924 pf_rollback_rules(u_int32_t ticket, int rs_num, char *anchor)
926 struct pf_kruleset *rs;
927 struct pf_krule *rule;
931 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
933 rs = pf_find_kruleset(anchor);
934 if (rs == NULL || !rs->rules[rs_num].inactive.open ||
935 rs->rules[rs_num].inactive.ticket != ticket)
937 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
938 pf_unlink_rule(rs->rules[rs_num].inactive.ptr, rule);
939 rs->rules[rs_num].inactive.rcount--;
941 rs->rules[rs_num].inactive.open = 0;
945 #define PF_MD5_UPD(st, elm) \
946 MD5Update(ctx, (u_int8_t *) &(st)->elm, sizeof((st)->elm))
948 #define PF_MD5_UPD_STR(st, elm) \
949 MD5Update(ctx, (u_int8_t *) (st)->elm, strlen((st)->elm))
951 #define PF_MD5_UPD_HTONL(st, elm, stor) do { \
952 (stor) = htonl((st)->elm); \
953 MD5Update(ctx, (u_int8_t *) &(stor), sizeof(u_int32_t));\
956 #define PF_MD5_UPD_HTONS(st, elm, stor) do { \
957 (stor) = htons((st)->elm); \
958 MD5Update(ctx, (u_int8_t *) &(stor), sizeof(u_int16_t));\
962 pf_hash_rule_addr(MD5_CTX *ctx, struct pf_rule_addr *pfr)
964 PF_MD5_UPD(pfr, addr.type);
965 switch (pfr->addr.type) {
966 case PF_ADDR_DYNIFTL:
967 PF_MD5_UPD(pfr, addr.v.ifname);
968 PF_MD5_UPD(pfr, addr.iflags);
971 PF_MD5_UPD(pfr, addr.v.tblname);
973 case PF_ADDR_ADDRMASK:
975 PF_MD5_UPD(pfr, addr.v.a.addr.addr32);
976 PF_MD5_UPD(pfr, addr.v.a.mask.addr32);
980 PF_MD5_UPD(pfr, port[0]);
981 PF_MD5_UPD(pfr, port[1]);
982 PF_MD5_UPD(pfr, neg);
983 PF_MD5_UPD(pfr, port_op);
987 pf_hash_rule(MD5_CTX *ctx, struct pf_krule *rule)
992 pf_hash_rule_addr(ctx, &rule->src);
993 pf_hash_rule_addr(ctx, &rule->dst);
994 for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++)
995 PF_MD5_UPD_STR(rule, label[i]);
996 PF_MD5_UPD_STR(rule, ifname);
997 PF_MD5_UPD_STR(rule, match_tagname);
998 PF_MD5_UPD_HTONS(rule, match_tag, x); /* dup? */
999 PF_MD5_UPD_HTONL(rule, os_fingerprint, y);
1000 PF_MD5_UPD_HTONL(rule, prob, y);
1001 PF_MD5_UPD_HTONL(rule, uid.uid[0], y);
1002 PF_MD5_UPD_HTONL(rule, uid.uid[1], y);
1003 PF_MD5_UPD(rule, uid.op);
1004 PF_MD5_UPD_HTONL(rule, gid.gid[0], y);
1005 PF_MD5_UPD_HTONL(rule, gid.gid[1], y);
1006 PF_MD5_UPD(rule, gid.op);
1007 PF_MD5_UPD_HTONL(rule, rule_flag, y);
1008 PF_MD5_UPD(rule, action);
1009 PF_MD5_UPD(rule, direction);
1010 PF_MD5_UPD(rule, af);
1011 PF_MD5_UPD(rule, quick);
1012 PF_MD5_UPD(rule, ifnot);
1013 PF_MD5_UPD(rule, match_tag_not);
1014 PF_MD5_UPD(rule, natpass);
1015 PF_MD5_UPD(rule, keep_state);
1016 PF_MD5_UPD(rule, proto);
1017 PF_MD5_UPD(rule, type);
1018 PF_MD5_UPD(rule, code);
1019 PF_MD5_UPD(rule, flags);
1020 PF_MD5_UPD(rule, flagset);
1021 PF_MD5_UPD(rule, allow_opts);
1022 PF_MD5_UPD(rule, rt);
1023 PF_MD5_UPD(rule, tos);
1027 pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor)
1029 struct pf_kruleset *rs;
1030 struct pf_krule *rule, **old_array;
1031 struct pf_krulequeue *old_rules;
1033 u_int32_t old_rcount;
1037 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
1039 rs = pf_find_kruleset(anchor);
1040 if (rs == NULL || !rs->rules[rs_num].inactive.open ||
1041 ticket != rs->rules[rs_num].inactive.ticket)
1044 /* Calculate checksum for the main ruleset */
1045 if (rs == &pf_main_ruleset) {
1046 error = pf_setup_pfsync_matching(rs);
1051 /* Swap rules, keep the old. */
1052 old_rules = rs->rules[rs_num].active.ptr;
1053 old_rcount = rs->rules[rs_num].active.rcount;
1054 old_array = rs->rules[rs_num].active.ptr_array;
1056 rs->rules[rs_num].active.ptr =
1057 rs->rules[rs_num].inactive.ptr;
1058 rs->rules[rs_num].active.ptr_array =
1059 rs->rules[rs_num].inactive.ptr_array;
1060 rs->rules[rs_num].active.rcount =
1061 rs->rules[rs_num].inactive.rcount;
1062 rs->rules[rs_num].inactive.ptr = old_rules;
1063 rs->rules[rs_num].inactive.ptr_array = old_array;
1064 rs->rules[rs_num].inactive.rcount = old_rcount;
1066 rs->rules[rs_num].active.ticket =
1067 rs->rules[rs_num].inactive.ticket;
1068 pf_calc_skip_steps(rs->rules[rs_num].active.ptr);
1071 /* Purge the old rule list. */
1072 while ((rule = TAILQ_FIRST(old_rules)) != NULL)
1073 pf_unlink_rule(old_rules, rule);
1074 if (rs->rules[rs_num].inactive.ptr_array)
1075 free(rs->rules[rs_num].inactive.ptr_array, M_TEMP);
1076 rs->rules[rs_num].inactive.ptr_array = NULL;
1077 rs->rules[rs_num].inactive.rcount = 0;
1078 rs->rules[rs_num].inactive.open = 0;
1079 pf_remove_if_empty_kruleset(rs);
1085 pf_setup_pfsync_matching(struct pf_kruleset *rs)
1088 struct pf_krule *rule;
1090 u_int8_t digest[PF_MD5_DIGEST_LENGTH];
1093 for (rs_cnt = 0; rs_cnt < PF_RULESET_MAX; rs_cnt++) {
1094 /* XXX PF_RULESET_SCRUB as well? */
1095 if (rs_cnt == PF_RULESET_SCRUB)
1098 if (rs->rules[rs_cnt].inactive.ptr_array)
1099 free(rs->rules[rs_cnt].inactive.ptr_array, M_TEMP);
1100 rs->rules[rs_cnt].inactive.ptr_array = NULL;
1102 if (rs->rules[rs_cnt].inactive.rcount) {
1103 rs->rules[rs_cnt].inactive.ptr_array =
1104 malloc(sizeof(caddr_t) *
1105 rs->rules[rs_cnt].inactive.rcount,
1108 if (!rs->rules[rs_cnt].inactive.ptr_array)
1112 TAILQ_FOREACH(rule, rs->rules[rs_cnt].inactive.ptr,
1114 pf_hash_rule(&ctx, rule);
1115 (rs->rules[rs_cnt].inactive.ptr_array)[rule->nr] = rule;
1119 MD5Final(digest, &ctx);
1120 memcpy(V_pf_status.pf_chksum, digest, sizeof(V_pf_status.pf_chksum));
1125 pf_addr_setup(struct pf_kruleset *ruleset, struct pf_addr_wrap *addr,
1130 switch (addr->type) {
1132 addr->p.tbl = pfr_attach_table(ruleset, addr->v.tblname);
1133 if (addr->p.tbl == NULL)
1136 case PF_ADDR_DYNIFTL:
1137 error = pfi_dynaddr_setup(addr, af);
1145 pf_addr_copyout(struct pf_addr_wrap *addr)
1148 switch (addr->type) {
1149 case PF_ADDR_DYNIFTL:
1150 pfi_dynaddr_copyout(addr);
1153 pf_tbladdr_copyout(addr);
1159 pf_src_node_copy(const struct pf_ksrc_node *in, struct pf_src_node *out)
1161 int secs = time_uptime, diff;
1163 bzero(out, sizeof(struct pf_src_node));
1165 bcopy(&in->addr, &out->addr, sizeof(struct pf_addr));
1166 bcopy(&in->raddr, &out->raddr, sizeof(struct pf_addr));
1168 if (in->rule.ptr != NULL)
1169 out->rule.nr = in->rule.ptr->nr;
1171 for (int i = 0; i < 2; i++) {
1172 out->bytes[i] = counter_u64_fetch(in->bytes[i]);
1173 out->packets[i] = counter_u64_fetch(in->packets[i]);
1176 out->states = in->states;
1177 out->conn = in->conn;
1179 out->ruletype = in->ruletype;
1181 out->creation = secs - in->creation;
1182 if (out->expire > secs)
1183 out->expire -= secs;
1187 /* Adjust the connection rate estimate. */
1188 diff = secs - in->conn_rate.last;
1189 if (diff >= in->conn_rate.seconds)
1190 out->conn_rate.count = 0;
1192 out->conn_rate.count -=
1193 in->conn_rate.count * diff /
1194 in->conn_rate.seconds;
1199 * Handle export of struct pf_kaltq to user binaries that may be using any
1200 * version of struct pf_altq.
1203 pf_export_kaltq(struct pf_altq *q, struct pfioc_altq_v1 *pa, size_t ioc_size)
1207 if (ioc_size == sizeof(struct pfioc_altq_v0))
1210 version = pa->version;
1212 if (version > PFIOC_ALTQ_VERSION)
1215 #define ASSIGN(x) exported_q->x = q->x
1217 bcopy(&q->x, &exported_q->x, min(sizeof(q->x), sizeof(exported_q->x)))
1218 #define SATU16(x) (u_int32_t)uqmin((x), USHRT_MAX)
1219 #define SATU32(x) (u_int32_t)uqmin((x), UINT_MAX)
1223 struct pf_altq_v0 *exported_q =
1224 &((struct pfioc_altq_v0 *)pa)->altq;
1230 exported_q->tbrsize = SATU16(q->tbrsize);
1231 exported_q->ifbandwidth = SATU32(q->ifbandwidth);
1236 exported_q->bandwidth = SATU32(q->bandwidth);
1238 ASSIGN(local_flags);
1243 if (q->scheduler == ALTQT_HFSC) {
1244 #define ASSIGN_OPT(x) exported_q->pq_u.hfsc_opts.x = q->pq_u.hfsc_opts.x
1245 #define ASSIGN_OPT_SATU32(x) exported_q->pq_u.hfsc_opts.x = \
1246 SATU32(q->pq_u.hfsc_opts.x)
1248 ASSIGN_OPT_SATU32(rtsc_m1);
1250 ASSIGN_OPT_SATU32(rtsc_m2);
1252 ASSIGN_OPT_SATU32(lssc_m1);
1254 ASSIGN_OPT_SATU32(lssc_m2);
1256 ASSIGN_OPT_SATU32(ulsc_m1);
1258 ASSIGN_OPT_SATU32(ulsc_m2);
1263 #undef ASSIGN_OPT_SATU32
1271 struct pf_altq_v1 *exported_q =
1272 &((struct pfioc_altq_v1 *)pa)->altq;
1278 ASSIGN(ifbandwidth);
1285 ASSIGN(local_flags);
1295 panic("%s: unhandled struct pfioc_altq version", __func__);
1308 * Handle import to struct pf_kaltq of struct pf_altq from user binaries
1309 * that may be using any version of it.
1312 pf_import_kaltq(struct pfioc_altq_v1 *pa, struct pf_altq *q, size_t ioc_size)
1316 if (ioc_size == sizeof(struct pfioc_altq_v0))
1319 version = pa->version;
1321 if (version > PFIOC_ALTQ_VERSION)
1324 #define ASSIGN(x) q->x = imported_q->x
1326 bcopy(&imported_q->x, &q->x, min(sizeof(imported_q->x), sizeof(q->x)))
1330 struct pf_altq_v0 *imported_q =
1331 &((struct pfioc_altq_v0 *)pa)->altq;
1336 ASSIGN(tbrsize); /* 16-bit -> 32-bit */
1337 ASSIGN(ifbandwidth); /* 32-bit -> 64-bit */
1342 ASSIGN(bandwidth); /* 32-bit -> 64-bit */
1344 ASSIGN(local_flags);
1349 if (imported_q->scheduler == ALTQT_HFSC) {
1350 #define ASSIGN_OPT(x) q->pq_u.hfsc_opts.x = imported_q->pq_u.hfsc_opts.x
1353 * The m1 and m2 parameters are being copied from
1356 ASSIGN_OPT(rtsc_m1);
1358 ASSIGN_OPT(rtsc_m2);
1360 ASSIGN_OPT(lssc_m1);
1362 ASSIGN_OPT(lssc_m2);
1364 ASSIGN_OPT(ulsc_m1);
1366 ASSIGN_OPT(ulsc_m2);
1378 struct pf_altq_v1 *imported_q =
1379 &((struct pfioc_altq_v1 *)pa)->altq;
1385 ASSIGN(ifbandwidth);
1392 ASSIGN(local_flags);
1402 panic("%s: unhandled struct pfioc_altq version", __func__);
1412 static struct pf_altq *
1413 pf_altq_get_nth_active(u_int32_t n)
1415 struct pf_altq *altq;
1419 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
1425 TAILQ_FOREACH(altq, V_pf_altqs_active, entries) {
1436 pf_krule_free(struct pf_krule *rule)
1441 counter_u64_free(rule->evaluations);
1442 for (int i = 0; i < 2; i++) {
1443 counter_u64_free(rule->packets[i]);
1444 counter_u64_free(rule->bytes[i]);
1446 counter_u64_free(rule->states_cur);
1447 counter_u64_free(rule->states_tot);
1448 counter_u64_free(rule->src_nodes);
1449 free(rule, M_PFRULE);
1453 pf_kpooladdr_to_pooladdr(const struct pf_kpooladdr *kpool,
1454 struct pf_pooladdr *pool)
1457 bzero(pool, sizeof(*pool));
1458 bcopy(&kpool->addr, &pool->addr, sizeof(pool->addr));
1459 strlcpy(pool->ifname, kpool->ifname, sizeof(pool->ifname));
1463 pf_pooladdr_to_kpooladdr(const struct pf_pooladdr *pool,
1464 struct pf_kpooladdr *kpool)
1467 bzero(kpool, sizeof(*kpool));
1468 bcopy(&pool->addr, &kpool->addr, sizeof(kpool->addr));
1469 strlcpy(kpool->ifname, pool->ifname, sizeof(kpool->ifname));
1473 pf_kpool_to_pool(const struct pf_kpool *kpool, struct pf_pool *pool)
1475 bzero(pool, sizeof(*pool));
1477 bcopy(&kpool->key, &pool->key, sizeof(pool->key));
1478 bcopy(&kpool->counter, &pool->counter, sizeof(pool->counter));
1480 pool->tblidx = kpool->tblidx;
1481 pool->proxy_port[0] = kpool->proxy_port[0];
1482 pool->proxy_port[1] = kpool->proxy_port[1];
1483 pool->opts = kpool->opts;
1487 pf_pool_to_kpool(const struct pf_pool *pool, struct pf_kpool *kpool)
1489 _Static_assert(sizeof(pool->key) == sizeof(kpool->key), "");
1490 _Static_assert(sizeof(pool->counter) == sizeof(kpool->counter), "");
1492 bzero(kpool, sizeof(*kpool));
1494 bcopy(&pool->key, &kpool->key, sizeof(kpool->key));
1495 bcopy(&pool->counter, &kpool->counter, sizeof(kpool->counter));
1497 kpool->tblidx = pool->tblidx;
1498 kpool->proxy_port[0] = pool->proxy_port[0];
1499 kpool->proxy_port[1] = pool->proxy_port[1];
1500 kpool->opts = pool->opts;
1506 pf_krule_to_rule(const struct pf_krule *krule, struct pf_rule *rule)
1509 bzero(rule, sizeof(*rule));
1511 bcopy(&krule->src, &rule->src, sizeof(rule->src));
1512 bcopy(&krule->dst, &rule->dst, sizeof(rule->dst));
1514 for (int i = 0; i < PF_SKIP_COUNT; ++i) {
1515 if (rule->skip[i].ptr == NULL)
1516 rule->skip[i].nr = -1;
1518 rule->skip[i].nr = krule->skip[i].ptr->nr;
1521 strlcpy(rule->label, krule->label[0], sizeof(rule->label));
1522 strlcpy(rule->ifname, krule->ifname, sizeof(rule->ifname));
1523 strlcpy(rule->qname, krule->qname, sizeof(rule->qname));
1524 strlcpy(rule->pqname, krule->pqname, sizeof(rule->pqname));
1525 strlcpy(rule->tagname, krule->tagname, sizeof(rule->tagname));
1526 strlcpy(rule->match_tagname, krule->match_tagname,
1527 sizeof(rule->match_tagname));
1528 strlcpy(rule->overload_tblname, krule->overload_tblname,
1529 sizeof(rule->overload_tblname));
1531 pf_kpool_to_pool(&krule->rpool, &rule->rpool);
1533 rule->evaluations = counter_u64_fetch(krule->evaluations);
1534 for (int i = 0; i < 2; i++) {
1535 rule->packets[i] = counter_u64_fetch(krule->packets[i]);
1536 rule->bytes[i] = counter_u64_fetch(krule->bytes[i]);
1539 /* kif, anchor, overload_tbl are not copied over. */
1541 rule->os_fingerprint = krule->os_fingerprint;
1543 rule->rtableid = krule->rtableid;
1544 bcopy(krule->timeout, rule->timeout, sizeof(krule->timeout));
1545 rule->max_states = krule->max_states;
1546 rule->max_src_nodes = krule->max_src_nodes;
1547 rule->max_src_states = krule->max_src_states;
1548 rule->max_src_conn = krule->max_src_conn;
1549 rule->max_src_conn_rate.limit = krule->max_src_conn_rate.limit;
1550 rule->max_src_conn_rate.seconds = krule->max_src_conn_rate.seconds;
1551 rule->qid = krule->qid;
1552 rule->pqid = krule->pqid;
1553 rule->nr = krule->nr;
1554 rule->prob = krule->prob;
1555 rule->cuid = krule->cuid;
1556 rule->cpid = krule->cpid;
1558 rule->return_icmp = krule->return_icmp;
1559 rule->return_icmp6 = krule->return_icmp6;
1560 rule->max_mss = krule->max_mss;
1561 rule->tag = krule->tag;
1562 rule->match_tag = krule->match_tag;
1563 rule->scrub_flags = krule->scrub_flags;
1565 bcopy(&krule->uid, &rule->uid, sizeof(krule->uid));
1566 bcopy(&krule->gid, &rule->gid, sizeof(krule->gid));
1568 rule->rule_flag = krule->rule_flag;
1569 rule->action = krule->action;
1570 rule->direction = krule->direction;
1571 rule->log = krule->log;
1572 rule->logif = krule->logif;
1573 rule->quick = krule->quick;
1574 rule->ifnot = krule->ifnot;
1575 rule->match_tag_not = krule->match_tag_not;
1576 rule->natpass = krule->natpass;
1578 rule->keep_state = krule->keep_state;
1579 rule->af = krule->af;
1580 rule->proto = krule->proto;
1581 rule->type = krule->type;
1582 rule->code = krule->code;
1583 rule->flags = krule->flags;
1584 rule->flagset = krule->flagset;
1585 rule->min_ttl = krule->min_ttl;
1586 rule->allow_opts = krule->allow_opts;
1587 rule->rt = krule->rt;
1588 rule->return_ttl = krule->return_ttl;
1589 rule->tos = krule->tos;
1590 rule->set_tos = krule->set_tos;
1591 rule->anchor_relative = krule->anchor_relative;
1592 rule->anchor_wildcard = krule->anchor_wildcard;
1594 rule->flush = krule->flush;
1595 rule->prio = krule->prio;
1596 rule->set_prio[0] = krule->set_prio[0];
1597 rule->set_prio[1] = krule->set_prio[1];
1599 bcopy(&krule->divert, &rule->divert, sizeof(krule->divert));
1601 rule->u_states_cur = counter_u64_fetch(krule->states_cur);
1602 rule->u_states_tot = counter_u64_fetch(krule->states_tot);
1603 rule->u_src_nodes = counter_u64_fetch(krule->src_nodes);
1607 pf_check_rule_addr(const struct pf_rule_addr *addr)
1610 switch (addr->addr.type) {
1611 case PF_ADDR_ADDRMASK:
1612 case PF_ADDR_NOROUTE:
1613 case PF_ADDR_DYNIFTL:
1615 case PF_ADDR_URPFFAILED:
1622 if (addr->addr.p.dyn != NULL) {
1630 pf_nvaddr_to_addr(const nvlist_t *nvl, struct pf_addr *paddr)
1632 return (pf_nvbinary(nvl, "addr", paddr, sizeof(*paddr)));
1636 pf_addr_to_nvaddr(const struct pf_addr *paddr)
1640 nvl = nvlist_create(0);
1644 nvlist_add_binary(nvl, "addr", paddr, sizeof(*paddr));
1650 pf_nvmape_to_mape(const nvlist_t *nvl, struct pf_mape_portset *mape)
1654 bzero(mape, sizeof(*mape));
1655 PFNV_CHK(pf_nvuint8(nvl, "offset", &mape->offset));
1656 PFNV_CHK(pf_nvuint8(nvl, "psidlen", &mape->psidlen));
1657 PFNV_CHK(pf_nvuint16(nvl, "psid", &mape->psid));
1664 pf_mape_to_nvmape(const struct pf_mape_portset *mape)
1668 nvl = nvlist_create(0);
1672 nvlist_add_number(nvl, "offset", mape->offset);
1673 nvlist_add_number(nvl, "psidlen", mape->psidlen);
1674 nvlist_add_number(nvl, "psid", mape->psid);
1680 pf_nvpool_to_pool(const nvlist_t *nvl, struct pf_kpool *kpool)
1684 bzero(kpool, sizeof(*kpool));
1686 PFNV_CHK(pf_nvbinary(nvl, "key", &kpool->key, sizeof(kpool->key)));
1688 if (nvlist_exists_nvlist(nvl, "counter")) {
1689 PFNV_CHK(pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "counter"),
1693 PFNV_CHK(pf_nvint(nvl, "tblidx", &kpool->tblidx));
1694 PFNV_CHK(pf_nvuint16_array(nvl, "proxy_port", kpool->proxy_port, 2,
1696 PFNV_CHK(pf_nvuint8(nvl, "opts", &kpool->opts));
1698 if (nvlist_exists_nvlist(nvl, "mape")) {
1699 PFNV_CHK(pf_nvmape_to_mape(nvlist_get_nvlist(nvl, "mape"),
1708 pf_pool_to_nvpool(const struct pf_kpool *pool)
1713 nvl = nvlist_create(0);
1717 nvlist_add_binary(nvl, "key", &pool->key, sizeof(pool->key));
1718 tmp = pf_addr_to_nvaddr(&pool->counter);
1721 nvlist_add_nvlist(nvl, "counter", tmp);
1723 nvlist_add_number(nvl, "tblidx", pool->tblidx);
1724 pf_uint16_array_nv(nvl, "proxy_port", pool->proxy_port, 2);
1725 nvlist_add_number(nvl, "opts", pool->opts);
1727 tmp = pf_mape_to_nvmape(&pool->mape);
1730 nvlist_add_nvlist(nvl, "mape", tmp);
1735 nvlist_destroy(nvl);
1740 pf_nvaddr_wrap_to_addr_wrap(const nvlist_t *nvl, struct pf_addr_wrap *addr)
1744 bzero(addr, sizeof(*addr));
1746 PFNV_CHK(pf_nvuint8(nvl, "type", &addr->type));
1747 PFNV_CHK(pf_nvuint8(nvl, "iflags", &addr->iflags));
1748 if (addr->type == PF_ADDR_DYNIFTL)
1749 PFNV_CHK(pf_nvstring(nvl, "ifname", addr->v.ifname,
1750 sizeof(addr->v.ifname)));
1751 if (addr->type == PF_ADDR_TABLE)
1752 PFNV_CHK(pf_nvstring(nvl, "tblname", addr->v.tblname,
1753 sizeof(addr->v.tblname)));
1755 if (! nvlist_exists_nvlist(nvl, "addr"))
1757 PFNV_CHK(pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"),
1760 if (! nvlist_exists_nvlist(nvl, "mask"))
1762 PFNV_CHK(pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "mask"),
1765 switch (addr->type) {
1766 case PF_ADDR_DYNIFTL:
1769 case PF_ADDR_ADDRMASK:
1770 case PF_ADDR_NOROUTE:
1771 case PF_ADDR_URPFFAILED:
1782 pf_addr_wrap_to_nvaddr_wrap(const struct pf_addr_wrap *addr)
1787 nvl = nvlist_create(0);
1791 nvlist_add_number(nvl, "type", addr->type);
1792 nvlist_add_number(nvl, "iflags", addr->iflags);
1793 if (addr->type == PF_ADDR_DYNIFTL)
1794 nvlist_add_string(nvl, "ifname", addr->v.ifname);
1795 if (addr->type == PF_ADDR_TABLE)
1796 nvlist_add_string(nvl, "tblname", addr->v.tblname);
1798 tmp = pf_addr_to_nvaddr(&addr->v.a.addr);
1801 nvlist_add_nvlist(nvl, "addr", tmp);
1802 tmp = pf_addr_to_nvaddr(&addr->v.a.mask);
1805 nvlist_add_nvlist(nvl, "mask", tmp);
1810 nvlist_destroy(nvl);
1815 pf_validate_op(uint8_t op)
1837 pf_nvrule_addr_to_rule_addr(const nvlist_t *nvl, struct pf_rule_addr *addr)
1841 if (! nvlist_exists_nvlist(nvl, "addr"))
1844 PFNV_CHK(pf_nvaddr_wrap_to_addr_wrap(nvlist_get_nvlist(nvl, "addr"),
1846 PFNV_CHK(pf_nvuint16_array(nvl, "port", addr->port, 2, NULL));
1847 PFNV_CHK(pf_nvuint8(nvl, "neg", &addr->neg));
1848 PFNV_CHK(pf_nvuint8(nvl, "port_op", &addr->port_op));
1850 PFNV_CHK(pf_validate_op(addr->port_op));
1857 pf_rule_addr_to_nvrule_addr(const struct pf_rule_addr *addr)
1862 nvl = nvlist_create(0);
1866 tmp = pf_addr_wrap_to_nvaddr_wrap(&addr->addr);
1869 nvlist_add_nvlist(nvl, "addr", tmp);
1870 pf_uint16_array_nv(nvl, "port", addr->port, 2);
1871 nvlist_add_number(nvl, "neg", addr->neg);
1872 nvlist_add_number(nvl, "port_op", addr->port_op);
1877 nvlist_destroy(nvl);
1882 pf_nvrule_uid_to_rule_uid(const nvlist_t *nvl, struct pf_rule_uid *uid)
1886 bzero(uid, sizeof(*uid));
1888 PFNV_CHK(pf_nvuint32_array(nvl, "uid", uid->uid, 2, NULL));
1889 PFNV_CHK(pf_nvuint8(nvl, "op", &uid->op));
1891 PFNV_CHK(pf_validate_op(uid->op));
1898 pf_rule_uid_to_nvrule_uid(const struct pf_rule_uid *uid)
1902 nvl = nvlist_create(0);
1906 pf_uint32_array_nv(nvl, "uid", uid->uid, 2);
1907 nvlist_add_number(nvl, "op", uid->op);
1913 pf_nvrule_gid_to_rule_gid(const nvlist_t *nvl, struct pf_rule_gid *gid)
1915 /* Cheat a little. These stucts are the same, other than the name of
1916 * the first field. */
1917 return (pf_nvrule_uid_to_rule_uid(nvl, (struct pf_rule_uid *)gid));
1921 pf_nvrule_to_krule(const nvlist_t *nvl, struct pf_krule **prule)
1923 struct pf_krule *rule;
1926 rule = malloc(sizeof(*rule), M_PFRULE, M_WAITOK | M_ZERO);
1928 PFNV_CHK(pf_nvuint32(nvl, "nr", &rule->nr));
1930 if (! nvlist_exists_nvlist(nvl, "src")) {
1934 error = pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "src"),
1939 if (! nvlist_exists_nvlist(nvl, "dst")) {
1943 PFNV_CHK(pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "dst"),
1946 if (nvlist_exists_string(nvl, "label")) {
1947 PFNV_CHK(pf_nvstring(nvl, "label", rule->label[0],
1948 sizeof(rule->label[0])));
1949 } else if (nvlist_exists_string_array(nvl, "labels")) {
1950 const char *const *strs;
1954 strs = nvlist_get_string_array(nvl, "labels", &items);
1955 if (items > PF_RULE_MAX_LABEL_COUNT) {
1960 for (size_t i = 0; i < items; i++) {
1961 ret = strlcpy(rule->label[i], strs[i],
1962 sizeof(rule->label[0]));
1963 if (ret >= sizeof(rule->label[0])) {
1970 PFNV_CHK(pf_nvstring(nvl, "ifname", rule->ifname,
1971 sizeof(rule->ifname)));
1972 PFNV_CHK(pf_nvstring(nvl, "qname", rule->qname, sizeof(rule->qname)));
1973 PFNV_CHK(pf_nvstring(nvl, "pqname", rule->pqname,
1974 sizeof(rule->pqname)));
1975 PFNV_CHK(pf_nvstring(nvl, "tagname", rule->tagname,
1976 sizeof(rule->tagname)));
1977 PFNV_CHK(pf_nvstring(nvl, "match_tagname", rule->match_tagname,
1978 sizeof(rule->match_tagname)));
1979 PFNV_CHK(pf_nvstring(nvl, "overload_tblname", rule->overload_tblname,
1980 sizeof(rule->overload_tblname)));
1982 if (! nvlist_exists_nvlist(nvl, "rpool")) {
1986 PFNV_CHK(pf_nvpool_to_pool(nvlist_get_nvlist(nvl, "rpool"),
1989 PFNV_CHK(pf_nvuint32(nvl, "os_fingerprint", &rule->os_fingerprint));
1991 PFNV_CHK(pf_nvint(nvl, "rtableid", &rule->rtableid));
1992 PFNV_CHK(pf_nvuint32_array(nvl, "timeout", rule->timeout, PFTM_MAX, NULL));
1993 PFNV_CHK(pf_nvuint32(nvl, "max_states", &rule->max_states));
1994 PFNV_CHK(pf_nvuint32(nvl, "max_src_nodes", &rule->max_src_nodes));
1995 PFNV_CHK(pf_nvuint32(nvl, "max_src_states", &rule->max_src_states));
1996 PFNV_CHK(pf_nvuint32(nvl, "max_src_conn", &rule->max_src_conn));
1997 PFNV_CHK(pf_nvuint32(nvl, "max_src_conn_rate.limit",
1998 &rule->max_src_conn_rate.limit));
1999 PFNV_CHK(pf_nvuint32(nvl, "max_src_conn_rate.seconds",
2000 &rule->max_src_conn_rate.seconds));
2001 PFNV_CHK(pf_nvuint32(nvl, "prob", &rule->prob));
2002 PFNV_CHK(pf_nvuint32(nvl, "cuid", &rule->cuid));
2003 PFNV_CHK(pf_nvuint32(nvl, "cpid", &rule->cpid));
2005 PFNV_CHK(pf_nvuint16(nvl, "return_icmp", &rule->return_icmp));
2006 PFNV_CHK(pf_nvuint16(nvl, "return_icmp6", &rule->return_icmp6));
2008 PFNV_CHK(pf_nvuint16(nvl, "max_mss", &rule->max_mss));
2009 PFNV_CHK(pf_nvuint16(nvl, "scrub_flags", &rule->scrub_flags));
2011 if (! nvlist_exists_nvlist(nvl, "uid")) {
2015 PFNV_CHK(pf_nvrule_uid_to_rule_uid(nvlist_get_nvlist(nvl, "uid"),
2018 if (! nvlist_exists_nvlist(nvl, "gid")) {
2022 PFNV_CHK(pf_nvrule_gid_to_rule_gid(nvlist_get_nvlist(nvl, "gid"),
2025 PFNV_CHK(pf_nvuint32(nvl, "rule_flag", &rule->rule_flag));
2026 PFNV_CHK(pf_nvuint8(nvl, "action", &rule->action));
2027 PFNV_CHK(pf_nvuint8(nvl, "direction", &rule->direction));
2028 PFNV_CHK(pf_nvuint8(nvl, "log", &rule->log));
2029 PFNV_CHK(pf_nvuint8(nvl, "logif", &rule->logif));
2030 PFNV_CHK(pf_nvuint8(nvl, "quick", &rule->quick));
2031 PFNV_CHK(pf_nvuint8(nvl, "ifnot", &rule->ifnot));
2032 PFNV_CHK(pf_nvuint8(nvl, "match_tag_not", &rule->match_tag_not));
2033 PFNV_CHK(pf_nvuint8(nvl, "natpass", &rule->natpass));
2035 PFNV_CHK(pf_nvuint8(nvl, "keep_state", &rule->keep_state));
2036 PFNV_CHK(pf_nvuint8(nvl, "af", &rule->af));
2037 PFNV_CHK(pf_nvuint8(nvl, "proto", &rule->proto));
2038 PFNV_CHK(pf_nvuint8(nvl, "type", &rule->type));
2039 PFNV_CHK(pf_nvuint8(nvl, "code", &rule->code));
2040 PFNV_CHK(pf_nvuint8(nvl, "flags", &rule->flags));
2041 PFNV_CHK(pf_nvuint8(nvl, "flagset", &rule->flagset));
2042 PFNV_CHK(pf_nvuint8(nvl, "min_ttl", &rule->min_ttl));
2043 PFNV_CHK(pf_nvuint8(nvl, "allow_opts", &rule->allow_opts));
2044 PFNV_CHK(pf_nvuint8(nvl, "rt", &rule->rt));
2045 PFNV_CHK(pf_nvuint8(nvl, "return_ttl", &rule->return_ttl));
2046 PFNV_CHK(pf_nvuint8(nvl, "tos", &rule->tos));
2047 PFNV_CHK(pf_nvuint8(nvl, "set_tos", &rule->set_tos));
2048 PFNV_CHK(pf_nvuint8(nvl, "anchor_relative", &rule->anchor_relative));
2049 PFNV_CHK(pf_nvuint8(nvl, "anchor_wildcard", &rule->anchor_wildcard));
2051 PFNV_CHK(pf_nvuint8(nvl, "flush", &rule->flush));
2052 PFNV_CHK(pf_nvuint8(nvl, "prio", &rule->prio));
2054 PFNV_CHK(pf_nvuint8_array(nvl, "set_prio", &rule->prio, 2, NULL));
2056 if (nvlist_exists_nvlist(nvl, "divert")) {
2057 const nvlist_t *nvldivert = nvlist_get_nvlist(nvl, "divert");
2059 if (! nvlist_exists_nvlist(nvldivert, "addr")) {
2063 PFNV_CHK(pf_nvaddr_to_addr(nvlist_get_nvlist(nvldivert, "addr"),
2064 &rule->divert.addr));
2065 PFNV_CHK(pf_nvuint16(nvldivert, "port", &rule->divert.port));
2070 if (rule->af == AF_INET) {
2071 error = EAFNOSUPPORT;
2076 if (rule->af == AF_INET6) {
2077 error = EAFNOSUPPORT;
2082 PFNV_CHK(pf_check_rule_addr(&rule->src));
2083 PFNV_CHK(pf_check_rule_addr(&rule->dst));
2090 pf_krule_free(rule);
2097 pf_divert_to_nvdivert(const struct pf_krule *rule)
2102 nvl = nvlist_create(0);
2106 tmp = pf_addr_to_nvaddr(&rule->divert.addr);
2109 nvlist_add_nvlist(nvl, "addr", tmp);
2110 nvlist_add_number(nvl, "port", rule->divert.port);
2115 nvlist_destroy(nvl);
2120 pf_krule_to_nvrule(const struct pf_krule *rule)
2122 nvlist_t *nvl, *tmp;
2124 nvl = nvlist_create(0);
2128 nvlist_add_number(nvl, "nr", rule->nr);
2129 tmp = pf_rule_addr_to_nvrule_addr(&rule->src);
2132 nvlist_add_nvlist(nvl, "src", tmp);
2133 tmp = pf_rule_addr_to_nvrule_addr(&rule->dst);
2136 nvlist_add_nvlist(nvl, "dst", tmp);
2138 for (int i = 0; i < PF_SKIP_COUNT; i++) {
2139 nvlist_append_number_array(nvl, "skip",
2140 rule->skip[i].ptr ? rule->skip[i].ptr->nr : -1);
2143 for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++) {
2144 nvlist_append_string_array(nvl, "labels", rule->label[i]);
2146 nvlist_add_string(nvl, "label", rule->label[0]);
2147 nvlist_add_string(nvl, "ifname", rule->ifname);
2148 nvlist_add_string(nvl, "qname", rule->qname);
2149 nvlist_add_string(nvl, "pqname", rule->pqname);
2150 nvlist_add_string(nvl, "tagname", rule->tagname);
2151 nvlist_add_string(nvl, "match_tagname", rule->match_tagname);
2152 nvlist_add_string(nvl, "overload_tblname", rule->overload_tblname);
2154 tmp = pf_pool_to_nvpool(&rule->rpool);
2157 nvlist_add_nvlist(nvl, "rpool", tmp);
2159 nvlist_add_number(nvl, "evaluations",
2160 counter_u64_fetch(rule->evaluations));
2161 for (int i = 0; i < 2; i++) {
2162 nvlist_append_number_array(nvl, "packets",
2163 counter_u64_fetch(rule->packets[i]));
2164 nvlist_append_number_array(nvl, "bytes",
2165 counter_u64_fetch(rule->bytes[i]));
2168 nvlist_add_number(nvl, "os_fingerprint", rule->os_fingerprint);
2170 nvlist_add_number(nvl, "rtableid", rule->rtableid);
2171 pf_uint32_array_nv(nvl, "timeout", rule->timeout, PFTM_MAX);
2172 nvlist_add_number(nvl, "max_states", rule->max_states);
2173 nvlist_add_number(nvl, "max_src_nodes", rule->max_src_nodes);
2174 nvlist_add_number(nvl, "max_src_states", rule->max_src_states);
2175 nvlist_add_number(nvl, "max_src_conn", rule->max_src_conn);
2176 nvlist_add_number(nvl, "max_src_conn_rate.limit",
2177 rule->max_src_conn_rate.limit);
2178 nvlist_add_number(nvl, "max_src_conn_rate.seconds",
2179 rule->max_src_conn_rate.seconds);
2180 nvlist_add_number(nvl, "qid", rule->qid);
2181 nvlist_add_number(nvl, "pqid", rule->pqid);
2182 nvlist_add_number(nvl, "prob", rule->prob);
2183 nvlist_add_number(nvl, "cuid", rule->cuid);
2184 nvlist_add_number(nvl, "cpid", rule->cpid);
2186 nvlist_add_number(nvl, "states_cur",
2187 counter_u64_fetch(rule->states_cur));
2188 nvlist_add_number(nvl, "states_tot",
2189 counter_u64_fetch(rule->states_tot));
2190 nvlist_add_number(nvl, "src_nodes",
2191 counter_u64_fetch(rule->src_nodes));
2193 nvlist_add_number(nvl, "return_icmp", rule->return_icmp);
2194 nvlist_add_number(nvl, "return_icmp6", rule->return_icmp6);
2196 nvlist_add_number(nvl, "max_mss", rule->max_mss);
2197 nvlist_add_number(nvl, "scrub_flags", rule->scrub_flags);
2199 tmp = pf_rule_uid_to_nvrule_uid(&rule->uid);
2202 nvlist_add_nvlist(nvl, "uid", tmp);
2203 tmp = pf_rule_uid_to_nvrule_uid((const struct pf_rule_uid *)&rule->gid);
2206 nvlist_add_nvlist(nvl, "gid", tmp);
2208 nvlist_add_number(nvl, "rule_flag", rule->rule_flag);
2209 nvlist_add_number(nvl, "action", rule->action);
2210 nvlist_add_number(nvl, "direction", rule->direction);
2211 nvlist_add_number(nvl, "log", rule->log);
2212 nvlist_add_number(nvl, "logif", rule->logif);
2213 nvlist_add_number(nvl, "quick", rule->quick);
2214 nvlist_add_number(nvl, "ifnot", rule->ifnot);
2215 nvlist_add_number(nvl, "match_tag_not", rule->match_tag_not);
2216 nvlist_add_number(nvl, "natpass", rule->natpass);
2218 nvlist_add_number(nvl, "keep_state", rule->keep_state);
2219 nvlist_add_number(nvl, "af", rule->af);
2220 nvlist_add_number(nvl, "proto", rule->proto);
2221 nvlist_add_number(nvl, "type", rule->type);
2222 nvlist_add_number(nvl, "code", rule->code);
2223 nvlist_add_number(nvl, "flags", rule->flags);
2224 nvlist_add_number(nvl, "flagset", rule->flagset);
2225 nvlist_add_number(nvl, "min_ttl", rule->min_ttl);
2226 nvlist_add_number(nvl, "allow_opts", rule->allow_opts);
2227 nvlist_add_number(nvl, "rt", rule->rt);
2228 nvlist_add_number(nvl, "return_ttl", rule->return_ttl);
2229 nvlist_add_number(nvl, "tos", rule->tos);
2230 nvlist_add_number(nvl, "set_tos", rule->set_tos);
2231 nvlist_add_number(nvl, "anchor_relative", rule->anchor_relative);
2232 nvlist_add_number(nvl, "anchor_wildcard", rule->anchor_wildcard);
2234 nvlist_add_number(nvl, "flush", rule->flush);
2235 nvlist_add_number(nvl, "prio", rule->prio);
2237 pf_uint8_array_nv(nvl, "set_prio", &rule->prio, 2);
2239 tmp = pf_divert_to_nvdivert(rule);
2242 nvlist_add_nvlist(nvl, "divert", tmp);
2247 nvlist_destroy(nvl);
2252 pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule)
2257 if (rule->af == AF_INET) {
2258 return (EAFNOSUPPORT);
2262 if (rule->af == AF_INET6) {
2263 return (EAFNOSUPPORT);
2267 ret = pf_check_rule_addr(&rule->src);
2270 ret = pf_check_rule_addr(&rule->dst);
2274 bzero(krule, sizeof(*krule));
2276 bcopy(&rule->src, &krule->src, sizeof(rule->src));
2277 bcopy(&rule->dst, &krule->dst, sizeof(rule->dst));
2279 strlcpy(krule->label[0], rule->label, sizeof(rule->label));
2280 strlcpy(krule->ifname, rule->ifname, sizeof(rule->ifname));
2281 strlcpy(krule->qname, rule->qname, sizeof(rule->qname));
2282 strlcpy(krule->pqname, rule->pqname, sizeof(rule->pqname));
2283 strlcpy(krule->tagname, rule->tagname, sizeof(rule->tagname));
2284 strlcpy(krule->match_tagname, rule->match_tagname,
2285 sizeof(rule->match_tagname));
2286 strlcpy(krule->overload_tblname, rule->overload_tblname,
2287 sizeof(rule->overload_tblname));
2289 ret = pf_pool_to_kpool(&rule->rpool, &krule->rpool);
2293 /* Don't allow userspace to set evaulations, packets or bytes. */
2294 /* kif, anchor, overload_tbl are not copied over. */
2296 krule->os_fingerprint = rule->os_fingerprint;
2298 krule->rtableid = rule->rtableid;
2299 bcopy(rule->timeout, krule->timeout, sizeof(krule->timeout));
2300 krule->max_states = rule->max_states;
2301 krule->max_src_nodes = rule->max_src_nodes;
2302 krule->max_src_states = rule->max_src_states;
2303 krule->max_src_conn = rule->max_src_conn;
2304 krule->max_src_conn_rate.limit = rule->max_src_conn_rate.limit;
2305 krule->max_src_conn_rate.seconds = rule->max_src_conn_rate.seconds;
2306 krule->qid = rule->qid;
2307 krule->pqid = rule->pqid;
2308 krule->nr = rule->nr;
2309 krule->prob = rule->prob;
2310 krule->cuid = rule->cuid;
2311 krule->cpid = rule->cpid;
2313 krule->return_icmp = rule->return_icmp;
2314 krule->return_icmp6 = rule->return_icmp6;
2315 krule->max_mss = rule->max_mss;
2316 krule->tag = rule->tag;
2317 krule->match_tag = rule->match_tag;
2318 krule->scrub_flags = rule->scrub_flags;
2320 bcopy(&rule->uid, &krule->uid, sizeof(krule->uid));
2321 bcopy(&rule->gid, &krule->gid, sizeof(krule->gid));
2323 krule->rule_flag = rule->rule_flag;
2324 krule->action = rule->action;
2325 krule->direction = rule->direction;
2326 krule->log = rule->log;
2327 krule->logif = rule->logif;
2328 krule->quick = rule->quick;
2329 krule->ifnot = rule->ifnot;
2330 krule->match_tag_not = rule->match_tag_not;
2331 krule->natpass = rule->natpass;
2333 krule->keep_state = rule->keep_state;
2334 krule->af = rule->af;
2335 krule->proto = rule->proto;
2336 krule->type = rule->type;
2337 krule->code = rule->code;
2338 krule->flags = rule->flags;
2339 krule->flagset = rule->flagset;
2340 krule->min_ttl = rule->min_ttl;
2341 krule->allow_opts = rule->allow_opts;
2342 krule->rt = rule->rt;
2343 krule->return_ttl = rule->return_ttl;
2344 krule->tos = rule->tos;
2345 krule->set_tos = rule->set_tos;
2346 krule->anchor_relative = rule->anchor_relative;
2347 krule->anchor_wildcard = rule->anchor_wildcard;
2349 krule->flush = rule->flush;
2350 krule->prio = rule->prio;
2351 krule->set_prio[0] = rule->set_prio[0];
2352 krule->set_prio[1] = rule->set_prio[1];
2354 bcopy(&rule->divert, &krule->divert, sizeof(krule->divert));
2360 pf_label_match(const struct pf_krule *rule, const char *label)
2364 while (*rule->label[i]) {
2365 if (strcmp(rule->label[i], label) == 0)
2374 pf_killstates_row(struct pfioc_state_kill *psk, struct pf_idhash *ih)
2377 struct pf_state_key *sk;
2378 struct pf_addr *srcaddr, *dstaddr;
2380 u_int16_t srcport, dstport;
2382 relock_DIOCKILLSTATES:
2383 PF_HASHROW_LOCK(ih);
2384 LIST_FOREACH(s, &ih->states, entry) {
2385 sk = s->key[PF_SK_WIRE];
2386 if (s->direction == PF_OUT) {
2387 srcaddr = &sk->addr[1];
2388 dstaddr = &sk->addr[0];
2389 srcport = sk->port[1];
2390 dstport = sk->port[0];
2392 srcaddr = &sk->addr[0];
2393 dstaddr = &sk->addr[1];
2394 srcport = sk->port[0];
2395 dstport = sk->port[1];
2398 if (psk->psk_af && sk->af != psk->psk_af)
2401 if (psk->psk_proto && psk->psk_proto != sk->proto)
2404 if (! PF_MATCHA(psk->psk_src.neg, &psk->psk_src.addr.v.a.addr,
2405 &psk->psk_src.addr.v.a.mask, srcaddr, sk->af))
2408 if (! PF_MATCHA(psk->psk_dst.neg, &psk->psk_dst.addr.v.a.addr,
2409 &psk->psk_dst.addr.v.a.mask, dstaddr, sk->af))
2412 if (psk->psk_src.port_op != 0 &&
2413 ! pf_match_port(psk->psk_src.port_op,
2414 psk->psk_src.port[0], psk->psk_src.port[1], srcport))
2417 if (psk->psk_dst.port_op != 0 &&
2418 ! pf_match_port(psk->psk_dst.port_op,
2419 psk->psk_dst.port[0], psk->psk_dst.port[1], dstport))
2422 if (psk->psk_label[0] &&
2423 ! pf_label_match(s->rule.ptr, psk->psk_label))
2426 if (psk->psk_ifname[0] && strcmp(psk->psk_ifname,
2430 pf_unlink_state(s, PF_ENTER_LOCKED);
2432 goto relock_DIOCKILLSTATES;
2434 PF_HASHROW_UNLOCK(ih);
2440 pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
2441 uint32_t pool_ticket, const char *anchor, const char *anchor_call,
2444 struct pf_kruleset *ruleset;
2445 struct pf_krule *tail;
2446 struct pf_kpooladdr *pa;
2447 struct pfi_kkif *kif = NULL;
2451 if ((rule->return_icmp >> 8) > ICMP_MAXTYPE) {
2453 goto errout_unlocked;
2456 #define ERROUT(x) { error = (x); goto errout; }
2458 if (rule->ifname[0])
2459 kif = pf_kkif_create(M_WAITOK);
2460 rule->evaluations = counter_u64_alloc(M_WAITOK);
2461 for (int i = 0; i < 2; i++) {
2462 rule->packets[i] = counter_u64_alloc(M_WAITOK);
2463 rule->bytes[i] = counter_u64_alloc(M_WAITOK);
2465 rule->states_cur = counter_u64_alloc(M_WAITOK);
2466 rule->states_tot = counter_u64_alloc(M_WAITOK);
2467 rule->src_nodes = counter_u64_alloc(M_WAITOK);
2468 rule->cuid = td->td_ucred->cr_ruid;
2469 rule->cpid = td->td_proc ? td->td_proc->p_pid : 0;
2470 TAILQ_INIT(&rule->rpool.list);
2473 ruleset = pf_find_kruleset(anchor);
2474 if (ruleset == NULL)
2476 rs_num = pf_get_ruleset_number(rule->action);
2477 if (rs_num >= PF_RULESET_MAX)
2479 if (ticket != ruleset->rules[rs_num].inactive.ticket) {
2480 DPFPRINTF(PF_DEBUG_MISC,
2481 ("ticket: %d != [%d]%d\n", ticket, rs_num,
2482 ruleset->rules[rs_num].inactive.ticket));
2485 if (pool_ticket != V_ticket_pabuf) {
2486 DPFPRINTF(PF_DEBUG_MISC,
2487 ("pool_ticket: %d != %d\n", pool_ticket,
2492 tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
2495 rule->nr = tail->nr + 1;
2498 if (rule->ifname[0]) {
2499 rule->kif = pfi_kkif_attach(kif, rule->ifname);
2501 pfi_kkif_ref(rule->kif);
2505 if (rule->rtableid > 0 && rule->rtableid >= rt_numfibs)
2510 if (rule->qname[0] != 0) {
2511 if ((rule->qid = pf_qname2qid(rule->qname)) == 0)
2513 else if (rule->pqname[0] != 0) {
2515 pf_qname2qid(rule->pqname)) == 0)
2518 rule->pqid = rule->qid;
2521 if (rule->tagname[0])
2522 if ((rule->tag = pf_tagname2tag(rule->tagname)) == 0)
2524 if (rule->match_tagname[0])
2525 if ((rule->match_tag =
2526 pf_tagname2tag(rule->match_tagname)) == 0)
2528 if (rule->rt && !rule->direction)
2532 if (rule->logif >= PFLOGIFS_MAX)
2534 if (pf_addr_setup(ruleset, &rule->src.addr, rule->af))
2536 if (pf_addr_setup(ruleset, &rule->dst.addr, rule->af))
2538 if (pf_kanchor_setup(rule, ruleset, anchor_call))
2540 if (rule->scrub_flags & PFSTATE_SETPRIO &&
2541 (rule->set_prio[0] > PF_PRIO_MAX ||
2542 rule->set_prio[1] > PF_PRIO_MAX))
2544 TAILQ_FOREACH(pa, &V_pf_pabuf, entries)
2545 if (pa->addr.type == PF_ADDR_TABLE) {
2546 pa->addr.p.tbl = pfr_attach_table(ruleset,
2547 pa->addr.v.tblname);
2548 if (pa->addr.p.tbl == NULL)
2552 rule->overload_tbl = NULL;
2553 if (rule->overload_tblname[0]) {
2554 if ((rule->overload_tbl = pfr_attach_table(ruleset,
2555 rule->overload_tblname)) == NULL)
2558 rule->overload_tbl->pfrkt_flags |=
2562 pf_mv_kpool(&V_pf_pabuf, &rule->rpool.list);
2563 if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) ||
2564 (rule->action == PF_BINAT)) && rule->anchor == NULL) ||
2565 (rule->rt > PF_NOPFROUTE)) &&
2566 (TAILQ_FIRST(&rule->rpool.list) == NULL))
2575 rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list);
2576 counter_u64_zero(rule->evaluations);
2577 for (int i = 0; i < 2; i++) {
2578 counter_u64_zero(rule->packets[i]);
2579 counter_u64_zero(rule->bytes[i]);
2581 TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr,
2583 ruleset->rules[rs_num].inactive.rcount++;
2593 pf_krule_free(rule);
2598 pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td)
2601 PF_RULES_RLOCK_TRACKER;
2603 /* XXX keep in sync with switch() below */
2604 if (securelevel_gt(td->td_ucred, 2))
2612 case DIOCSETSTATUSIF:
2618 case DIOCGETTIMEOUT:
2619 case DIOCCLRRULECTRS:
2621 case DIOCGETALTQSV0:
2622 case DIOCGETALTQSV1:
2625 case DIOCGETQSTATSV0:
2626 case DIOCGETQSTATSV1:
2627 case DIOCGETRULESETS:
2628 case DIOCGETRULESET:
2629 case DIOCRGETTABLES:
2630 case DIOCRGETTSTATS:
2631 case DIOCRCLRTSTATS:
2637 case DIOCRGETASTATS:
2638 case DIOCRCLRASTATS:
2641 case DIOCGETSRCNODES:
2642 case DIOCCLRSRCNODES:
2643 case DIOCIGETIFACES:
2644 case DIOCGIFSPEEDV0:
2645 case DIOCGIFSPEEDV1:
2649 case DIOCRCLRTABLES:
2650 case DIOCRADDTABLES:
2651 case DIOCRDELTABLES:
2652 case DIOCRSETTFLAGS:
2653 if (((struct pfioc_table *)addr)->pfrio_flags &
2655 break; /* dummy operation ok */
2661 if (!(flags & FWRITE))
2669 case DIOCGETTIMEOUT:
2671 case DIOCGETALTQSV0:
2672 case DIOCGETALTQSV1:
2675 case DIOCGETQSTATSV0:
2676 case DIOCGETQSTATSV1:
2677 case DIOCGETRULESETS:
2678 case DIOCGETRULESET:
2680 case DIOCRGETTABLES:
2681 case DIOCRGETTSTATS:
2683 case DIOCRGETASTATS:
2686 case DIOCGETSRCNODES:
2687 case DIOCIGETIFACES:
2688 case DIOCGIFSPEEDV1:
2689 case DIOCGIFSPEEDV0:
2692 case DIOCRCLRTABLES:
2693 case DIOCRADDTABLES:
2694 case DIOCRDELTABLES:
2695 case DIOCRCLRTSTATS:
2700 case DIOCRSETTFLAGS:
2701 if (((struct pfioc_table *)addr)->pfrio_flags &
2703 flags |= FWRITE; /* need write lock for dummy */
2704 break; /* dummy operation ok */
2708 if (((struct pfioc_rule *)addr)->action ==
2716 CURVNET_SET(TD_TO_VNET(td));
2720 sx_xlock(&pf_ioctl_lock);
2721 if (V_pf_status.running)
2728 DPFPRINTF(PF_DEBUG_MISC,
2729 ("pf: pfil registration failed\n"));
2732 V_pf_status.running = 1;
2733 V_pf_status.since = time_second;
2736 V_pf_stateid[cpu] = time_second;
2738 DPFPRINTF(PF_DEBUG_MISC, ("pf: started\n"));
2743 sx_xlock(&pf_ioctl_lock);
2744 if (!V_pf_status.running)
2747 V_pf_status.running = 0;
2748 error = dehook_pf();
2750 V_pf_status.running = 1;
2751 DPFPRINTF(PF_DEBUG_MISC,
2752 ("pf: pfil unregistration failed\n"));
2754 V_pf_status.since = time_second;
2755 DPFPRINTF(PF_DEBUG_MISC, ("pf: stopped\n"));
2759 case DIOCADDRULENV: {
2760 struct pfioc_nv *nv = (struct pfioc_nv *)addr;
2761 nvlist_t *nvl = NULL;
2762 void *nvlpacked = NULL;
2763 struct pf_krule *rule = NULL;
2764 const char *anchor = "", *anchor_call = "";
2765 uint32_t ticket = 0, pool_ticket = 0;
2767 #define ERROUT(x) do { error = (x); goto DIOCADDRULENV_error; } while (0)
2769 if (nv->len > pf_ioctl_maxcount)
2772 nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
2773 error = copyin(nv->data, nvlpacked, nv->len);
2777 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
2781 if (! nvlist_exists_number(nvl, "ticket"))
2783 ticket = nvlist_get_number(nvl, "ticket");
2785 if (! nvlist_exists_number(nvl, "pool_ticket"))
2787 pool_ticket = nvlist_get_number(nvl, "pool_ticket");
2789 if (! nvlist_exists_nvlist(nvl, "rule"))
2792 error = pf_nvrule_to_krule(nvlist_get_nvlist(nvl, "rule"),
2797 if (nvlist_exists_string(nvl, "anchor"))
2798 anchor = nvlist_get_string(nvl, "anchor");
2799 if (nvlist_exists_string(nvl, "anchor_call"))
2800 anchor_call = nvlist_get_string(nvl, "anchor_call");
2802 if ((error = nvlist_error(nvl)))
2805 /* Frees rule on error */
2806 error = pf_ioctl_addrule(rule, ticket, pool_ticket, anchor,
2809 nvlist_destroy(nvl);
2810 free(nvlpacked, M_TEMP);
2813 DIOCADDRULENV_error:
2814 pf_krule_free(rule);
2815 nvlist_destroy(nvl);
2816 free(nvlpacked, M_TEMP);
2821 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
2822 struct pf_krule *rule;
2824 rule = malloc(sizeof(*rule), M_PFRULE, M_WAITOK);
2825 error = pf_rule_to_krule(&pr->rule, rule);
2827 free(rule, M_PFRULE);
2831 pr->anchor[sizeof(pr->anchor) - 1] = 0;
2833 /* Frees rule on error */
2834 error = pf_ioctl_addrule(rule, pr->ticket, pr->pool_ticket,
2835 pr->anchor, pr->anchor_call, td);
2839 case DIOCGETRULES: {
2840 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
2841 struct pf_kruleset *ruleset;
2842 struct pf_krule *tail;
2846 pr->anchor[sizeof(pr->anchor) - 1] = 0;
2847 ruleset = pf_find_kruleset(pr->anchor);
2848 if (ruleset == NULL) {
2853 rs_num = pf_get_ruleset_number(pr->rule.action);
2854 if (rs_num >= PF_RULESET_MAX) {
2859 tail = TAILQ_LAST(ruleset->rules[rs_num].active.ptr,
2862 pr->nr = tail->nr + 1;
2865 pr->ticket = ruleset->rules[rs_num].active.ticket;
2871 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
2872 struct pf_kruleset *ruleset;
2873 struct pf_krule *rule;
2877 pr->anchor[sizeof(pr->anchor) - 1] = 0;
2878 ruleset = pf_find_kruleset(pr->anchor);
2879 if (ruleset == NULL) {
2884 rs_num = pf_get_ruleset_number(pr->rule.action);
2885 if (rs_num >= PF_RULESET_MAX) {
2890 if (pr->ticket != ruleset->rules[rs_num].active.ticket) {
2895 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
2896 while ((rule != NULL) && (rule->nr != pr->nr))
2897 rule = TAILQ_NEXT(rule, entries);
2904 pf_krule_to_rule(rule, &pr->rule);
2906 if (pf_kanchor_copyout(ruleset, rule, pr)) {
2911 pf_addr_copyout(&pr->rule.src.addr);
2912 pf_addr_copyout(&pr->rule.dst.addr);
2914 if (pr->action == PF_GET_CLR_CNTR) {
2915 counter_u64_zero(rule->evaluations);
2916 for (int i = 0; i < 2; i++) {
2917 counter_u64_zero(rule->packets[i]);
2918 counter_u64_zero(rule->bytes[i]);
2920 counter_u64_zero(rule->states_tot);
2926 case DIOCGETRULENV: {
2927 struct pfioc_nv *nv = (struct pfioc_nv *)addr;
2928 nvlist_t *nvrule = NULL;
2929 nvlist_t *nvl = NULL;
2930 struct pf_kruleset *ruleset;
2931 struct pf_krule *rule;
2932 void *nvlpacked = NULL;
2934 bool clear_counter = false;
2936 #define ERROUT(x) do { error = (x); goto DIOCGETRULENV_error; } while (0)
2938 if (nv->len > pf_ioctl_maxcount)
2941 /* Copy the request in */
2942 nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
2943 if (nvlpacked == NULL)
2946 error = copyin(nv->data, nvlpacked, nv->len);
2950 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
2954 if (! nvlist_exists_string(nvl, "anchor"))
2956 if (! nvlist_exists_number(nvl, "ruleset"))
2958 if (! nvlist_exists_number(nvl, "ticket"))
2960 if (! nvlist_exists_number(nvl, "nr"))
2963 if (nvlist_exists_bool(nvl, "clear_counter"))
2964 clear_counter = nvlist_get_bool(nvl, "clear_counter");
2966 if (clear_counter && !(flags & FWRITE))
2969 nr = nvlist_get_number(nvl, "nr");
2972 ruleset = pf_find_kruleset(nvlist_get_string(nvl, "anchor"));
2973 if (ruleset == NULL) {
2978 rs_num = pf_get_ruleset_number(nvlist_get_number(nvl, "ruleset"));
2979 if (rs_num >= PF_RULESET_MAX) {
2984 if (nvlist_get_number(nvl, "ticket") !=
2985 ruleset->rules[rs_num].active.ticket) {
2991 if ((error = nvlist_error(nvl))) {
2996 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
2997 while ((rule != NULL) && (rule->nr != nr))
2998 rule = TAILQ_NEXT(rule, entries);
3005 nvrule = pf_krule_to_nvrule(rule);
3007 nvlist_destroy(nvl);
3008 nvl = nvlist_create(0);
3013 nvlist_add_number(nvl, "nr", nr);
3014 nvlist_add_nvlist(nvl, "rule", nvrule);
3016 if (pf_kanchor_nvcopyout(ruleset, rule, nvl)) {
3021 free(nvlpacked, M_TEMP);
3022 nvlpacked = nvlist_pack(nvl, &nv->len);
3023 if (nvlpacked == NULL) {
3028 if (nv->size == 0) {
3032 else if (nv->size < nv->len) {
3037 error = copyout(nvlpacked, nv->data, nv->len);
3039 if (clear_counter) {
3040 counter_u64_zero(rule->evaluations);
3041 for (int i = 0; i < 2; i++) {
3042 counter_u64_zero(rule->packets[i]);
3043 counter_u64_zero(rule->bytes[i]);
3045 counter_u64_zero(rule->states_tot);
3050 DIOCGETRULENV_error:
3051 free(nvlpacked, M_TEMP);
3052 nvlist_destroy(nvrule);
3053 nvlist_destroy(nvl);
3058 case DIOCCHANGERULE: {
3059 struct pfioc_rule *pcr = (struct pfioc_rule *)addr;
3060 struct pf_kruleset *ruleset;
3061 struct pf_krule *oldrule = NULL, *newrule = NULL;
3062 struct pfi_kkif *kif = NULL;
3063 struct pf_kpooladdr *pa;
3067 if (pcr->action < PF_CHANGE_ADD_HEAD ||
3068 pcr->action > PF_CHANGE_GET_TICKET) {
3072 if (pcr->rule.return_icmp >> 8 > ICMP_MAXTYPE) {
3077 if (pcr->action != PF_CHANGE_REMOVE) {
3078 newrule = malloc(sizeof(*newrule), M_PFRULE, M_WAITOK);
3079 error = pf_rule_to_krule(&pcr->rule, newrule);
3081 free(newrule, M_PFRULE);
3085 if (newrule->ifname[0])
3086 kif = pf_kkif_create(M_WAITOK);
3087 newrule->evaluations = counter_u64_alloc(M_WAITOK);
3088 for (int i = 0; i < 2; i++) {
3089 newrule->packets[i] =
3090 counter_u64_alloc(M_WAITOK);
3092 counter_u64_alloc(M_WAITOK);
3094 newrule->states_cur = counter_u64_alloc(M_WAITOK);
3095 newrule->states_tot = counter_u64_alloc(M_WAITOK);
3096 newrule->src_nodes = counter_u64_alloc(M_WAITOK);
3097 newrule->cuid = td->td_ucred->cr_ruid;
3098 newrule->cpid = td->td_proc ? td->td_proc->p_pid : 0;
3099 TAILQ_INIT(&newrule->rpool.list);
3102 #define ERROUT(x) { error = (x); goto DIOCCHANGERULE_error; }
3105 if (!(pcr->action == PF_CHANGE_REMOVE ||
3106 pcr->action == PF_CHANGE_GET_TICKET) &&
3107 pcr->pool_ticket != V_ticket_pabuf)
3110 ruleset = pf_find_kruleset(pcr->anchor);
3111 if (ruleset == NULL)
3114 rs_num = pf_get_ruleset_number(pcr->rule.action);
3115 if (rs_num >= PF_RULESET_MAX)
3118 if (pcr->action == PF_CHANGE_GET_TICKET) {
3119 pcr->ticket = ++ruleset->rules[rs_num].active.ticket;
3121 } else if (pcr->ticket !=
3122 ruleset->rules[rs_num].active.ticket)
3125 if (pcr->action != PF_CHANGE_REMOVE) {
3126 if (newrule->ifname[0]) {
3127 newrule->kif = pfi_kkif_attach(kif,
3130 pfi_kkif_ref(newrule->kif);
3132 newrule->kif = NULL;
3134 if (newrule->rtableid > 0 &&
3135 newrule->rtableid >= rt_numfibs)
3140 if (newrule->qname[0] != 0) {
3142 pf_qname2qid(newrule->qname)) == 0)
3144 else if (newrule->pqname[0] != 0) {
3145 if ((newrule->pqid =
3146 pf_qname2qid(newrule->pqname)) == 0)
3149 newrule->pqid = newrule->qid;
3152 if (newrule->tagname[0])
3154 pf_tagname2tag(newrule->tagname)) == 0)
3156 if (newrule->match_tagname[0])
3157 if ((newrule->match_tag = pf_tagname2tag(
3158 newrule->match_tagname)) == 0)
3160 if (newrule->rt && !newrule->direction)
3164 if (newrule->logif >= PFLOGIFS_MAX)
3166 if (pf_addr_setup(ruleset, &newrule->src.addr, newrule->af))
3168 if (pf_addr_setup(ruleset, &newrule->dst.addr, newrule->af))
3170 if (pf_kanchor_setup(newrule, ruleset, pcr->anchor_call))
3172 TAILQ_FOREACH(pa, &V_pf_pabuf, entries)
3173 if (pa->addr.type == PF_ADDR_TABLE) {
3175 pfr_attach_table(ruleset,
3176 pa->addr.v.tblname);
3177 if (pa->addr.p.tbl == NULL)
3181 newrule->overload_tbl = NULL;
3182 if (newrule->overload_tblname[0]) {
3183 if ((newrule->overload_tbl = pfr_attach_table(
3184 ruleset, newrule->overload_tblname)) ==
3188 newrule->overload_tbl->pfrkt_flags |=
3192 pf_mv_kpool(&V_pf_pabuf, &newrule->rpool.list);
3193 if (((((newrule->action == PF_NAT) ||
3194 (newrule->action == PF_RDR) ||
3195 (newrule->action == PF_BINAT) ||
3196 (newrule->rt > PF_NOPFROUTE)) &&
3197 !newrule->anchor)) &&
3198 (TAILQ_FIRST(&newrule->rpool.list) == NULL))
3202 pf_free_rule(newrule);
3207 newrule->rpool.cur = TAILQ_FIRST(&newrule->rpool.list);
3209 pf_empty_kpool(&V_pf_pabuf);
3211 if (pcr->action == PF_CHANGE_ADD_HEAD)
3212 oldrule = TAILQ_FIRST(
3213 ruleset->rules[rs_num].active.ptr);
3214 else if (pcr->action == PF_CHANGE_ADD_TAIL)
3215 oldrule = TAILQ_LAST(
3216 ruleset->rules[rs_num].active.ptr, pf_krulequeue);
3218 oldrule = TAILQ_FIRST(
3219 ruleset->rules[rs_num].active.ptr);
3220 while ((oldrule != NULL) && (oldrule->nr != pcr->nr))
3221 oldrule = TAILQ_NEXT(oldrule, entries);
3222 if (oldrule == NULL) {
3223 if (newrule != NULL)
3224 pf_free_rule(newrule);
3231 if (pcr->action == PF_CHANGE_REMOVE) {
3232 pf_unlink_rule(ruleset->rules[rs_num].active.ptr,
3234 ruleset->rules[rs_num].active.rcount--;
3236 if (oldrule == NULL)
3238 ruleset->rules[rs_num].active.ptr,
3240 else if (pcr->action == PF_CHANGE_ADD_HEAD ||
3241 pcr->action == PF_CHANGE_ADD_BEFORE)
3242 TAILQ_INSERT_BEFORE(oldrule, newrule, entries);
3245 ruleset->rules[rs_num].active.ptr,
3246 oldrule, newrule, entries);
3247 ruleset->rules[rs_num].active.rcount++;
3251 TAILQ_FOREACH(oldrule,
3252 ruleset->rules[rs_num].active.ptr, entries)
3255 ruleset->rules[rs_num].active.ticket++;
3257 pf_calc_skip_steps(ruleset->rules[rs_num].active.ptr);
3258 pf_remove_if_empty_kruleset(ruleset);
3264 DIOCCHANGERULE_error:
3266 pf_krule_free(newrule);
3271 case DIOCCLRSTATES: {
3273 struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
3274 u_int i, killed = 0;
3276 for (i = 0; i <= pf_hashmask; i++) {
3277 struct pf_idhash *ih = &V_pf_idhash[i];
3279 relock_DIOCCLRSTATES:
3280 PF_HASHROW_LOCK(ih);
3281 LIST_FOREACH(s, &ih->states, entry)
3282 if (!psk->psk_ifname[0] ||
3283 !strcmp(psk->psk_ifname,
3284 s->kif->pfik_name)) {
3286 * Don't send out individual
3289 s->state_flags |= PFSTATE_NOSYNC;
3290 pf_unlink_state(s, PF_ENTER_LOCKED);
3292 goto relock_DIOCCLRSTATES;
3294 PF_HASHROW_UNLOCK(ih);
3296 psk->psk_killed = killed;
3297 if (V_pfsync_clear_states_ptr != NULL)
3298 V_pfsync_clear_states_ptr(V_pf_status.hostid, psk->psk_ifname);
3302 case DIOCKILLSTATES: {
3304 struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
3305 u_int i, killed = 0;
3307 if (psk->psk_pfcmp.id) {
3308 if (psk->psk_pfcmp.creatorid == 0)
3309 psk->psk_pfcmp.creatorid = V_pf_status.hostid;
3310 if ((s = pf_find_state_byid(psk->psk_pfcmp.id,
3311 psk->psk_pfcmp.creatorid))) {
3312 pf_unlink_state(s, PF_ENTER_LOCKED);
3313 psk->psk_killed = 1;
3318 for (i = 0; i <= pf_hashmask; i++)
3319 killed += pf_killstates_row(psk, &V_pf_idhash[i]);
3321 psk->psk_killed = killed;
3325 case DIOCADDSTATE: {
3326 struct pfioc_state *ps = (struct pfioc_state *)addr;
3327 struct pfsync_state *sp = &ps->state;
3329 if (sp->timeout >= PFTM_MAX) {
3333 if (V_pfsync_state_import_ptr != NULL) {
3335 error = V_pfsync_state_import_ptr(sp, PFSYNC_SI_IOCTL);
3342 case DIOCGETSTATE: {
3343 struct pfioc_state *ps = (struct pfioc_state *)addr;
3346 s = pf_find_state_byid(ps->state.id, ps->state.creatorid);
3352 pfsync_state_export(&ps->state, s);
3357 case DIOCGETSTATES: {
3358 struct pfioc_states *ps = (struct pfioc_states *)addr;
3360 struct pfsync_state *pstore, *p;
3363 if (ps->ps_len <= 0) {
3364 nr = uma_zone_get_cur(V_pf_state_z);
3365 ps->ps_len = sizeof(struct pfsync_state) * nr;
3369 p = pstore = malloc(ps->ps_len, M_TEMP, M_WAITOK | M_ZERO);
3372 for (i = 0; i <= pf_hashmask; i++) {
3373 struct pf_idhash *ih = &V_pf_idhash[i];
3375 PF_HASHROW_LOCK(ih);
3376 LIST_FOREACH(s, &ih->states, entry) {
3378 if (s->timeout == PFTM_UNLINKED)
3381 if ((nr+1) * sizeof(*p) > ps->ps_len) {
3382 PF_HASHROW_UNLOCK(ih);
3383 goto DIOCGETSTATES_full;
3385 pfsync_state_export(p, s);
3389 PF_HASHROW_UNLOCK(ih);
3392 error = copyout(pstore, ps->ps_states,
3393 sizeof(struct pfsync_state) * nr);
3395 free(pstore, M_TEMP);
3398 ps->ps_len = sizeof(struct pfsync_state) * nr;
3399 free(pstore, M_TEMP);
3404 case DIOCGETSTATUS: {
3405 struct pf_status *s = (struct pf_status *)addr;
3408 s->running = V_pf_status.running;
3409 s->since = V_pf_status.since;
3410 s->debug = V_pf_status.debug;
3411 s->hostid = V_pf_status.hostid;
3412 s->states = V_pf_status.states;
3413 s->src_nodes = V_pf_status.src_nodes;
3415 for (int i = 0; i < PFRES_MAX; i++)
3417 counter_u64_fetch(V_pf_status.counters[i]);
3418 for (int i = 0; i < LCNT_MAX; i++)
3420 counter_u64_fetch(V_pf_status.lcounters[i]);
3421 for (int i = 0; i < FCNT_MAX; i++)
3423 counter_u64_fetch(V_pf_status.fcounters[i]);
3424 for (int i = 0; i < SCNT_MAX; i++)
3426 counter_u64_fetch(V_pf_status.scounters[i]);
3428 bcopy(V_pf_status.ifname, s->ifname, IFNAMSIZ);
3429 bcopy(V_pf_status.pf_chksum, s->pf_chksum,
3430 PF_MD5_DIGEST_LENGTH);
3432 pfi_update_status(s->ifname, s);
3437 case DIOCSETSTATUSIF: {
3438 struct pfioc_if *pi = (struct pfioc_if *)addr;
3440 if (pi->ifname[0] == 0) {
3441 bzero(V_pf_status.ifname, IFNAMSIZ);
3445 strlcpy(V_pf_status.ifname, pi->ifname, IFNAMSIZ);
3450 case DIOCCLRSTATUS: {
3452 for (int i = 0; i < PFRES_MAX; i++)
3453 counter_u64_zero(V_pf_status.counters[i]);
3454 for (int i = 0; i < FCNT_MAX; i++)
3455 counter_u64_zero(V_pf_status.fcounters[i]);
3456 for (int i = 0; i < SCNT_MAX; i++)
3457 counter_u64_zero(V_pf_status.scounters[i]);
3458 for (int i = 0; i < LCNT_MAX; i++)
3459 counter_u64_zero(V_pf_status.lcounters[i]);
3460 V_pf_status.since = time_second;
3461 if (*V_pf_status.ifname)
3462 pfi_update_status(V_pf_status.ifname, NULL);
3468 struct pfioc_natlook *pnl = (struct pfioc_natlook *)addr;
3469 struct pf_state_key *sk;
3470 struct pf_state *state;
3471 struct pf_state_key_cmp key;
3472 int m = 0, direction = pnl->direction;
3475 /* NATLOOK src and dst are reversed, so reverse sidx/didx */
3476 sidx = (direction == PF_IN) ? 1 : 0;
3477 didx = (direction == PF_IN) ? 0 : 1;
3480 PF_AZERO(&pnl->saddr, pnl->af) ||
3481 PF_AZERO(&pnl->daddr, pnl->af) ||
3482 ((pnl->proto == IPPROTO_TCP ||
3483 pnl->proto == IPPROTO_UDP) &&
3484 (!pnl->dport || !pnl->sport)))
3487 bzero(&key, sizeof(key));
3489 key.proto = pnl->proto;
3490 PF_ACPY(&key.addr[sidx], &pnl->saddr, pnl->af);
3491 key.port[sidx] = pnl->sport;
3492 PF_ACPY(&key.addr[didx], &pnl->daddr, pnl->af);
3493 key.port[didx] = pnl->dport;
3495 state = pf_find_state_all(&key, direction, &m);
3498 error = E2BIG; /* more than one state */
3499 else if (state != NULL) {
3500 /* XXXGL: not locked read */
3501 sk = state->key[sidx];
3502 PF_ACPY(&pnl->rsaddr, &sk->addr[sidx], sk->af);
3503 pnl->rsport = sk->port[sidx];
3504 PF_ACPY(&pnl->rdaddr, &sk->addr[didx], sk->af);
3505 pnl->rdport = sk->port[didx];
3512 case DIOCSETTIMEOUT: {
3513 struct pfioc_tm *pt = (struct pfioc_tm *)addr;
3516 if (pt->timeout < 0 || pt->timeout >= PFTM_MAX ||
3522 old = V_pf_default_rule.timeout[pt->timeout];
3523 if (pt->timeout == PFTM_INTERVAL && pt->seconds == 0)
3525 V_pf_default_rule.timeout[pt->timeout] = pt->seconds;
3526 if (pt->timeout == PFTM_INTERVAL && pt->seconds < old)
3527 wakeup(pf_purge_thread);
3533 case DIOCGETTIMEOUT: {
3534 struct pfioc_tm *pt = (struct pfioc_tm *)addr;
3536 if (pt->timeout < 0 || pt->timeout >= PFTM_MAX) {
3541 pt->seconds = V_pf_default_rule.timeout[pt->timeout];
3546 case DIOCGETLIMIT: {
3547 struct pfioc_limit *pl = (struct pfioc_limit *)addr;
3549 if (pl->index < 0 || pl->index >= PF_LIMIT_MAX) {
3554 pl->limit = V_pf_limits[pl->index].limit;
3559 case DIOCSETLIMIT: {
3560 struct pfioc_limit *pl = (struct pfioc_limit *)addr;
3564 if (pl->index < 0 || pl->index >= PF_LIMIT_MAX ||
3565 V_pf_limits[pl->index].zone == NULL) {
3570 uma_zone_set_max(V_pf_limits[pl->index].zone, pl->limit);
3571 old_limit = V_pf_limits[pl->index].limit;
3572 V_pf_limits[pl->index].limit = pl->limit;
3573 pl->limit = old_limit;
3578 case DIOCSETDEBUG: {
3579 u_int32_t *level = (u_int32_t *)addr;
3582 V_pf_status.debug = *level;
3587 case DIOCCLRRULECTRS: {
3588 /* obsoleted by DIOCGETRULE with action=PF_GET_CLR_CNTR */
3589 struct pf_kruleset *ruleset = &pf_main_ruleset;
3590 struct pf_krule *rule;
3594 ruleset->rules[PF_RULESET_FILTER].active.ptr, entries) {
3595 counter_u64_zero(rule->evaluations);
3596 for (int i = 0; i < 2; i++) {
3597 counter_u64_zero(rule->packets[i]);
3598 counter_u64_zero(rule->bytes[i]);
3605 case DIOCGIFSPEEDV0:
3606 case DIOCGIFSPEEDV1: {
3607 struct pf_ifspeed_v1 *psp = (struct pf_ifspeed_v1 *)addr;
3608 struct pf_ifspeed_v1 ps;
3611 if (psp->ifname[0] != 0) {
3612 /* Can we completely trust user-land? */
3613 strlcpy(ps.ifname, psp->ifname, IFNAMSIZ);
3614 ifp = ifunit(ps.ifname);
3617 (u_int32_t)uqmin(ifp->if_baudrate, UINT_MAX);
3618 if (cmd == DIOCGIFSPEEDV1)
3619 psp->baudrate = ifp->if_baudrate;
3628 case DIOCSTARTALTQ: {
3629 struct pf_altq *altq;
3632 /* enable all altq interfaces on active list */
3633 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
3634 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
3635 error = pf_enable_altq(altq);
3641 V_pf_altq_running = 1;
3643 DPFPRINTF(PF_DEBUG_MISC, ("altq: started\n"));
3647 case DIOCSTOPALTQ: {
3648 struct pf_altq *altq;
3651 /* disable all altq interfaces on active list */
3652 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
3653 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
3654 error = pf_disable_altq(altq);
3660 V_pf_altq_running = 0;
3662 DPFPRINTF(PF_DEBUG_MISC, ("altq: stopped\n"));
3667 case DIOCADDALTQV1: {
3668 struct pfioc_altq_v1 *pa = (struct pfioc_altq_v1 *)addr;
3669 struct pf_altq *altq, *a;
3672 altq = malloc(sizeof(*altq), M_PFALTQ, M_WAITOK | M_ZERO);
3673 error = pf_import_kaltq(pa, altq, IOCPARM_LEN(cmd));
3676 altq->local_flags = 0;
3679 if (pa->ticket != V_ticket_altqs_inactive) {
3681 free(altq, M_PFALTQ);
3687 * if this is for a queue, find the discipline and
3688 * copy the necessary fields
3690 if (altq->qname[0] != 0) {
3691 if ((altq->qid = pf_qname2qid(altq->qname)) == 0) {
3694 free(altq, M_PFALTQ);
3697 altq->altq_disc = NULL;
3698 TAILQ_FOREACH(a, V_pf_altq_ifs_inactive, entries) {
3699 if (strncmp(a->ifname, altq->ifname,
3701 altq->altq_disc = a->altq_disc;
3707 if ((ifp = ifunit(altq->ifname)) == NULL)
3708 altq->local_flags |= PFALTQ_FLAG_IF_REMOVED;
3710 error = altq_add(ifp, altq);
3714 free(altq, M_PFALTQ);
3718 if (altq->qname[0] != 0)
3719 TAILQ_INSERT_TAIL(V_pf_altqs_inactive, altq, entries);
3721 TAILQ_INSERT_TAIL(V_pf_altq_ifs_inactive, altq, entries);
3722 /* version error check done on import above */
3723 pf_export_kaltq(altq, pa, IOCPARM_LEN(cmd));
3728 case DIOCGETALTQSV0:
3729 case DIOCGETALTQSV1: {
3730 struct pfioc_altq_v1 *pa = (struct pfioc_altq_v1 *)addr;
3731 struct pf_altq *altq;
3735 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries)
3737 TAILQ_FOREACH(altq, V_pf_altqs_active, entries)
3739 pa->ticket = V_ticket_altqs_active;
3745 case DIOCGETALTQV1: {
3746 struct pfioc_altq_v1 *pa = (struct pfioc_altq_v1 *)addr;
3747 struct pf_altq *altq;
3750 if (pa->ticket != V_ticket_altqs_active) {
3755 altq = pf_altq_get_nth_active(pa->nr);
3761 pf_export_kaltq(altq, pa, IOCPARM_LEN(cmd));
3766 case DIOCCHANGEALTQV0:
3767 case DIOCCHANGEALTQV1:
3768 /* CHANGEALTQ not supported yet! */
3772 case DIOCGETQSTATSV0:
3773 case DIOCGETQSTATSV1: {
3774 struct pfioc_qstats_v1 *pq = (struct pfioc_qstats_v1 *)addr;
3775 struct pf_altq *altq;
3780 if (pq->ticket != V_ticket_altqs_active) {
3785 nbytes = pq->nbytes;
3786 altq = pf_altq_get_nth_active(pq->nr);
3793 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) != 0) {
3799 if (cmd == DIOCGETQSTATSV0)
3800 version = 0; /* DIOCGETQSTATSV0 means stats struct v0 */
3802 version = pq->version;
3803 error = altq_getqstats(altq, pq->buf, &nbytes, version);
3805 pq->scheduler = altq->scheduler;
3806 pq->nbytes = nbytes;
3812 case DIOCBEGINADDRS: {
3813 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
3816 pf_empty_kpool(&V_pf_pabuf);
3817 pp->ticket = ++V_ticket_pabuf;
3823 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
3824 struct pf_kpooladdr *pa;
3825 struct pfi_kkif *kif = NULL;
3828 if (pp->af == AF_INET) {
3829 error = EAFNOSUPPORT;
3834 if (pp->af == AF_INET6) {
3835 error = EAFNOSUPPORT;
3839 if (pp->addr.addr.type != PF_ADDR_ADDRMASK &&
3840 pp->addr.addr.type != PF_ADDR_DYNIFTL &&
3841 pp->addr.addr.type != PF_ADDR_TABLE) {
3845 if (pp->addr.addr.p.dyn != NULL) {
3849 pa = malloc(sizeof(*pa), M_PFRULE, M_WAITOK);
3850 pf_pooladdr_to_kpooladdr(&pp->addr, pa);
3852 kif = pf_kkif_create(M_WAITOK);
3854 if (pp->ticket != V_ticket_pabuf) {
3862 if (pa->ifname[0]) {
3863 pa->kif = pfi_kkif_attach(kif, pa->ifname);
3865 pfi_kkif_ref(pa->kif);
3868 if (pa->addr.type == PF_ADDR_DYNIFTL && ((error =
3869 pfi_dynaddr_setup(&pa->addr, pp->af)) != 0)) {
3871 pfi_kkif_unref(pa->kif);
3876 TAILQ_INSERT_TAIL(&V_pf_pabuf, pa, entries);
3881 case DIOCGETADDRS: {
3882 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
3883 struct pf_kpool *pool;
3884 struct pf_kpooladdr *pa;
3888 pool = pf_get_kpool(pp->anchor, pp->ticket, pp->r_action,
3889 pp->r_num, 0, 1, 0);
3895 TAILQ_FOREACH(pa, &pool->list, entries)
3902 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
3903 struct pf_kpool *pool;
3904 struct pf_kpooladdr *pa;
3908 pool = pf_get_kpool(pp->anchor, pp->ticket, pp->r_action,
3909 pp->r_num, 0, 1, 1);
3915 pa = TAILQ_FIRST(&pool->list);
3916 while ((pa != NULL) && (nr < pp->nr)) {
3917 pa = TAILQ_NEXT(pa, entries);
3925 pf_kpooladdr_to_pooladdr(pa, &pp->addr);
3926 pf_addr_copyout(&pp->addr.addr);
3931 case DIOCCHANGEADDR: {
3932 struct pfioc_pooladdr *pca = (struct pfioc_pooladdr *)addr;
3933 struct pf_kpool *pool;
3934 struct pf_kpooladdr *oldpa = NULL, *newpa = NULL;
3935 struct pf_kruleset *ruleset;
3936 struct pfi_kkif *kif = NULL;
3938 if (pca->action < PF_CHANGE_ADD_HEAD ||
3939 pca->action > PF_CHANGE_REMOVE) {
3943 if (pca->addr.addr.type != PF_ADDR_ADDRMASK &&
3944 pca->addr.addr.type != PF_ADDR_DYNIFTL &&
3945 pca->addr.addr.type != PF_ADDR_TABLE) {
3949 if (pca->addr.addr.p.dyn != NULL) {
3954 if (pca->action != PF_CHANGE_REMOVE) {
3956 if (pca->af == AF_INET) {
3957 error = EAFNOSUPPORT;
3962 if (pca->af == AF_INET6) {
3963 error = EAFNOSUPPORT;
3967 newpa = malloc(sizeof(*newpa), M_PFRULE, M_WAITOK);
3968 bcopy(&pca->addr, newpa, sizeof(struct pf_pooladdr));
3969 if (newpa->ifname[0])
3970 kif = pf_kkif_create(M_WAITOK);
3974 #define ERROUT(x) { error = (x); goto DIOCCHANGEADDR_error; }
3976 ruleset = pf_find_kruleset(pca->anchor);
3977 if (ruleset == NULL)
3980 pool = pf_get_kpool(pca->anchor, pca->ticket, pca->r_action,
3981 pca->r_num, pca->r_last, 1, 1);
3985 if (pca->action != PF_CHANGE_REMOVE) {
3986 if (newpa->ifname[0]) {
3987 newpa->kif = pfi_kkif_attach(kif, newpa->ifname);
3988 pfi_kkif_ref(newpa->kif);
3992 switch (newpa->addr.type) {
3993 case PF_ADDR_DYNIFTL:
3994 error = pfi_dynaddr_setup(&newpa->addr,
3998 newpa->addr.p.tbl = pfr_attach_table(ruleset,
3999 newpa->addr.v.tblname);
4000 if (newpa->addr.p.tbl == NULL)
4005 goto DIOCCHANGEADDR_error;
4008 switch (pca->action) {
4009 case PF_CHANGE_ADD_HEAD:
4010 oldpa = TAILQ_FIRST(&pool->list);
4012 case PF_CHANGE_ADD_TAIL:
4013 oldpa = TAILQ_LAST(&pool->list, pf_kpalist);
4016 oldpa = TAILQ_FIRST(&pool->list);
4017 for (int i = 0; oldpa && i < pca->nr; i++)
4018 oldpa = TAILQ_NEXT(oldpa, entries);
4024 if (pca->action == PF_CHANGE_REMOVE) {
4025 TAILQ_REMOVE(&pool->list, oldpa, entries);
4026 switch (oldpa->addr.type) {
4027 case PF_ADDR_DYNIFTL:
4028 pfi_dynaddr_remove(oldpa->addr.p.dyn);
4031 pfr_detach_table(oldpa->addr.p.tbl);
4035 pfi_kkif_unref(oldpa->kif);
4036 free(oldpa, M_PFRULE);
4039 TAILQ_INSERT_TAIL(&pool->list, newpa, entries);
4040 else if (pca->action == PF_CHANGE_ADD_HEAD ||
4041 pca->action == PF_CHANGE_ADD_BEFORE)
4042 TAILQ_INSERT_BEFORE(oldpa, newpa, entries);
4044 TAILQ_INSERT_AFTER(&pool->list, oldpa,
4048 pool->cur = TAILQ_FIRST(&pool->list);
4049 PF_ACPY(&pool->counter, &pool->cur->addr.v.a.addr, pca->af);
4054 DIOCCHANGEADDR_error:
4055 if (newpa != NULL) {
4057 pfi_kkif_unref(newpa->kif);
4058 free(newpa, M_PFRULE);
4065 case DIOCGETRULESETS: {
4066 struct pfioc_ruleset *pr = (struct pfioc_ruleset *)addr;
4067 struct pf_kruleset *ruleset;
4068 struct pf_kanchor *anchor;
4071 pr->path[sizeof(pr->path) - 1] = 0;
4072 if ((ruleset = pf_find_kruleset(pr->path)) == NULL) {
4078 if (ruleset->anchor == NULL) {
4079 /* XXX kludge for pf_main_ruleset */
4080 RB_FOREACH(anchor, pf_kanchor_global, &V_pf_anchors)
4081 if (anchor->parent == NULL)
4084 RB_FOREACH(anchor, pf_kanchor_node,
4085 &ruleset->anchor->children)
4092 case DIOCGETRULESET: {
4093 struct pfioc_ruleset *pr = (struct pfioc_ruleset *)addr;
4094 struct pf_kruleset *ruleset;
4095 struct pf_kanchor *anchor;
4099 pr->path[sizeof(pr->path) - 1] = 0;
4100 if ((ruleset = pf_find_kruleset(pr->path)) == NULL) {
4106 if (ruleset->anchor == NULL) {
4107 /* XXX kludge for pf_main_ruleset */
4108 RB_FOREACH(anchor, pf_kanchor_global, &V_pf_anchors)
4109 if (anchor->parent == NULL && nr++ == pr->nr) {
4110 strlcpy(pr->name, anchor->name,
4115 RB_FOREACH(anchor, pf_kanchor_node,
4116 &ruleset->anchor->children)
4117 if (nr++ == pr->nr) {
4118 strlcpy(pr->name, anchor->name,
4129 case DIOCRCLRTABLES: {
4130 struct pfioc_table *io = (struct pfioc_table *)addr;
4132 if (io->pfrio_esize != 0) {
4137 error = pfr_clr_tables(&io->pfrio_table, &io->pfrio_ndel,
4138 io->pfrio_flags | PFR_FLAG_USERIOCTL);
4143 case DIOCRADDTABLES: {
4144 struct pfioc_table *io = (struct pfioc_table *)addr;
4145 struct pfr_table *pfrts;
4148 if (io->pfrio_esize != sizeof(struct pfr_table)) {
4153 if (io->pfrio_size < 0 || io->pfrio_size > pf_ioctl_maxcount ||
4154 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_table))) {
4159 totlen = io->pfrio_size * sizeof(struct pfr_table);
4160 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
4162 error = copyin(io->pfrio_buffer, pfrts, totlen);
4164 free(pfrts, M_TEMP);
4168 error = pfr_add_tables(pfrts, io->pfrio_size,
4169 &io->pfrio_nadd, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4171 free(pfrts, M_TEMP);
4175 case DIOCRDELTABLES: {
4176 struct pfioc_table *io = (struct pfioc_table *)addr;
4177 struct pfr_table *pfrts;
4180 if (io->pfrio_esize != sizeof(struct pfr_table)) {
4185 if (io->pfrio_size < 0 || io->pfrio_size > pf_ioctl_maxcount ||
4186 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_table))) {
4191 totlen = io->pfrio_size * sizeof(struct pfr_table);
4192 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
4194 error = copyin(io->pfrio_buffer, pfrts, totlen);
4196 free(pfrts, M_TEMP);
4200 error = pfr_del_tables(pfrts, io->pfrio_size,
4201 &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4203 free(pfrts, M_TEMP);
4207 case DIOCRGETTABLES: {
4208 struct pfioc_table *io = (struct pfioc_table *)addr;
4209 struct pfr_table *pfrts;
4213 if (io->pfrio_esize != sizeof(struct pfr_table)) {
4218 n = pfr_table_count(&io->pfrio_table, io->pfrio_flags);
4224 io->pfrio_size = min(io->pfrio_size, n);
4226 totlen = io->pfrio_size * sizeof(struct pfr_table);
4228 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
4230 if (pfrts == NULL) {
4235 error = pfr_get_tables(&io->pfrio_table, pfrts,
4236 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4239 error = copyout(pfrts, io->pfrio_buffer, totlen);
4240 free(pfrts, M_TEMP);
4244 case DIOCRGETTSTATS: {
4245 struct pfioc_table *io = (struct pfioc_table *)addr;
4246 struct pfr_tstats *pfrtstats;
4250 if (io->pfrio_esize != sizeof(struct pfr_tstats)) {
4255 n = pfr_table_count(&io->pfrio_table, io->pfrio_flags);
4261 io->pfrio_size = min(io->pfrio_size, n);
4263 totlen = io->pfrio_size * sizeof(struct pfr_tstats);
4264 pfrtstats = mallocarray(io->pfrio_size,
4265 sizeof(struct pfr_tstats), M_TEMP, M_NOWAIT);
4266 if (pfrtstats == NULL) {
4271 error = pfr_get_tstats(&io->pfrio_table, pfrtstats,
4272 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4275 error = copyout(pfrtstats, io->pfrio_buffer, totlen);
4276 free(pfrtstats, M_TEMP);
4280 case DIOCRCLRTSTATS: {
4281 struct pfioc_table *io = (struct pfioc_table *)addr;
4282 struct pfr_table *pfrts;
4285 if (io->pfrio_esize != sizeof(struct pfr_table)) {
4290 if (io->pfrio_size < 0 || io->pfrio_size > pf_ioctl_maxcount ||
4291 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_table))) {
4292 /* We used to count tables and use the minimum required
4293 * size, so we didn't fail on overly large requests.
4295 io->pfrio_size = pf_ioctl_maxcount;
4299 totlen = io->pfrio_size * sizeof(struct pfr_table);
4300 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
4302 if (pfrts == NULL) {
4306 error = copyin(io->pfrio_buffer, pfrts, totlen);
4308 free(pfrts, M_TEMP);
4313 error = pfr_clr_tstats(pfrts, io->pfrio_size,
4314 &io->pfrio_nzero, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4316 free(pfrts, M_TEMP);
4320 case DIOCRSETTFLAGS: {
4321 struct pfioc_table *io = (struct pfioc_table *)addr;
4322 struct pfr_table *pfrts;
4326 if (io->pfrio_esize != sizeof(struct pfr_table)) {
4332 n = pfr_table_count(&io->pfrio_table, io->pfrio_flags);
4339 io->pfrio_size = min(io->pfrio_size, n);
4342 totlen = io->pfrio_size * sizeof(struct pfr_table);
4343 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
4345 error = copyin(io->pfrio_buffer, pfrts, totlen);
4347 free(pfrts, M_TEMP);
4351 error = pfr_set_tflags(pfrts, io->pfrio_size,
4352 io->pfrio_setflag, io->pfrio_clrflag, &io->pfrio_nchange,
4353 &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4355 free(pfrts, M_TEMP);
4359 case DIOCRCLRADDRS: {
4360 struct pfioc_table *io = (struct pfioc_table *)addr;
4362 if (io->pfrio_esize != 0) {
4367 error = pfr_clr_addrs(&io->pfrio_table, &io->pfrio_ndel,
4368 io->pfrio_flags | PFR_FLAG_USERIOCTL);
4373 case DIOCRADDADDRS: {
4374 struct pfioc_table *io = (struct pfioc_table *)addr;
4375 struct pfr_addr *pfras;
4378 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4382 if (io->pfrio_size < 0 ||
4383 io->pfrio_size > pf_ioctl_maxcount ||
4384 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4388 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4389 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4395 error = copyin(io->pfrio_buffer, pfras, totlen);
4397 free(pfras, M_TEMP);
4401 error = pfr_add_addrs(&io->pfrio_table, pfras,
4402 io->pfrio_size, &io->pfrio_nadd, io->pfrio_flags |
4403 PFR_FLAG_USERIOCTL);
4405 if (error == 0 && io->pfrio_flags & PFR_FLAG_FEEDBACK)
4406 error = copyout(pfras, io->pfrio_buffer, totlen);
4407 free(pfras, M_TEMP);
4411 case DIOCRDELADDRS: {
4412 struct pfioc_table *io = (struct pfioc_table *)addr;
4413 struct pfr_addr *pfras;
4416 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4420 if (io->pfrio_size < 0 ||
4421 io->pfrio_size > pf_ioctl_maxcount ||
4422 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4426 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4427 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4433 error = copyin(io->pfrio_buffer, pfras, totlen);
4435 free(pfras, M_TEMP);
4439 error = pfr_del_addrs(&io->pfrio_table, pfras,
4440 io->pfrio_size, &io->pfrio_ndel, io->pfrio_flags |
4441 PFR_FLAG_USERIOCTL);
4443 if (error == 0 && io->pfrio_flags & PFR_FLAG_FEEDBACK)
4444 error = copyout(pfras, io->pfrio_buffer, totlen);
4445 free(pfras, M_TEMP);
4449 case DIOCRSETADDRS: {
4450 struct pfioc_table *io = (struct pfioc_table *)addr;
4451 struct pfr_addr *pfras;
4452 size_t totlen, count;
4454 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4458 if (io->pfrio_size < 0 || io->pfrio_size2 < 0) {
4462 count = max(io->pfrio_size, io->pfrio_size2);
4463 if (count > pf_ioctl_maxcount ||
4464 WOULD_OVERFLOW(count, sizeof(struct pfr_addr))) {
4468 totlen = count * sizeof(struct pfr_addr);
4469 pfras = mallocarray(count, sizeof(struct pfr_addr), M_TEMP,
4475 error = copyin(io->pfrio_buffer, pfras, totlen);
4477 free(pfras, M_TEMP);
4481 error = pfr_set_addrs(&io->pfrio_table, pfras,
4482 io->pfrio_size, &io->pfrio_size2, &io->pfrio_nadd,
4483 &io->pfrio_ndel, &io->pfrio_nchange, io->pfrio_flags |
4484 PFR_FLAG_USERIOCTL, 0);
4486 if (error == 0 && io->pfrio_flags & PFR_FLAG_FEEDBACK)
4487 error = copyout(pfras, io->pfrio_buffer, totlen);
4488 free(pfras, M_TEMP);
4492 case DIOCRGETADDRS: {
4493 struct pfioc_table *io = (struct pfioc_table *)addr;
4494 struct pfr_addr *pfras;
4497 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4501 if (io->pfrio_size < 0 ||
4502 io->pfrio_size > pf_ioctl_maxcount ||
4503 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4507 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4508 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4515 error = pfr_get_addrs(&io->pfrio_table, pfras,
4516 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4519 error = copyout(pfras, io->pfrio_buffer, totlen);
4520 free(pfras, M_TEMP);
4524 case DIOCRGETASTATS: {
4525 struct pfioc_table *io = (struct pfioc_table *)addr;
4526 struct pfr_astats *pfrastats;
4529 if (io->pfrio_esize != sizeof(struct pfr_astats)) {
4533 if (io->pfrio_size < 0 ||
4534 io->pfrio_size > pf_ioctl_maxcount ||
4535 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_astats))) {
4539 totlen = io->pfrio_size * sizeof(struct pfr_astats);
4540 pfrastats = mallocarray(io->pfrio_size,
4541 sizeof(struct pfr_astats), M_TEMP, M_NOWAIT);
4547 error = pfr_get_astats(&io->pfrio_table, pfrastats,
4548 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4551 error = copyout(pfrastats, io->pfrio_buffer, totlen);
4552 free(pfrastats, M_TEMP);
4556 case DIOCRCLRASTATS: {
4557 struct pfioc_table *io = (struct pfioc_table *)addr;
4558 struct pfr_addr *pfras;
4561 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4565 if (io->pfrio_size < 0 ||
4566 io->pfrio_size > pf_ioctl_maxcount ||
4567 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4571 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4572 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4578 error = copyin(io->pfrio_buffer, pfras, totlen);
4580 free(pfras, M_TEMP);
4584 error = pfr_clr_astats(&io->pfrio_table, pfras,
4585 io->pfrio_size, &io->pfrio_nzero, io->pfrio_flags |
4586 PFR_FLAG_USERIOCTL);
4588 if (error == 0 && io->pfrio_flags & PFR_FLAG_FEEDBACK)
4589 error = copyout(pfras, io->pfrio_buffer, totlen);
4590 free(pfras, M_TEMP);
4594 case DIOCRTSTADDRS: {
4595 struct pfioc_table *io = (struct pfioc_table *)addr;
4596 struct pfr_addr *pfras;
4599 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4603 if (io->pfrio_size < 0 ||
4604 io->pfrio_size > pf_ioctl_maxcount ||
4605 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4609 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4610 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4616 error = copyin(io->pfrio_buffer, pfras, totlen);
4618 free(pfras, M_TEMP);
4622 error = pfr_tst_addrs(&io->pfrio_table, pfras,
4623 io->pfrio_size, &io->pfrio_nmatch, io->pfrio_flags |
4624 PFR_FLAG_USERIOCTL);
4627 error = copyout(pfras, io->pfrio_buffer, totlen);
4628 free(pfras, M_TEMP);
4632 case DIOCRINADEFINE: {
4633 struct pfioc_table *io = (struct pfioc_table *)addr;
4634 struct pfr_addr *pfras;
4637 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4641 if (io->pfrio_size < 0 ||
4642 io->pfrio_size > pf_ioctl_maxcount ||
4643 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4647 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4648 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4654 error = copyin(io->pfrio_buffer, pfras, totlen);
4656 free(pfras, M_TEMP);
4660 error = pfr_ina_define(&io->pfrio_table, pfras,
4661 io->pfrio_size, &io->pfrio_nadd, &io->pfrio_naddr,
4662 io->pfrio_ticket, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4664 free(pfras, M_TEMP);
4669 struct pf_osfp_ioctl *io = (struct pf_osfp_ioctl *)addr;
4671 error = pf_osfp_add(io);
4677 struct pf_osfp_ioctl *io = (struct pf_osfp_ioctl *)addr;
4679 error = pf_osfp_get(io);
4685 struct pfioc_trans *io = (struct pfioc_trans *)addr;
4686 struct pfioc_trans_e *ioes, *ioe;
4690 if (io->esize != sizeof(*ioe)) {
4695 io->size > pf_ioctl_maxcount ||
4696 WOULD_OVERFLOW(io->size, sizeof(struct pfioc_trans_e))) {
4700 totlen = sizeof(struct pfioc_trans_e) * io->size;
4701 ioes = mallocarray(io->size, sizeof(struct pfioc_trans_e),
4707 error = copyin(io->array, ioes, totlen);
4713 for (i = 0, ioe = ioes; i < io->size; i++, ioe++) {
4714 switch (ioe->rs_num) {
4716 case PF_RULESET_ALTQ:
4717 if (ioe->anchor[0]) {
4723 if ((error = pf_begin_altq(&ioe->ticket))) {
4730 case PF_RULESET_TABLE:
4732 struct pfr_table table;
4734 bzero(&table, sizeof(table));
4735 strlcpy(table.pfrt_anchor, ioe->anchor,
4736 sizeof(table.pfrt_anchor));
4737 if ((error = pfr_ina_begin(&table,
4738 &ioe->ticket, NULL, 0))) {
4746 if ((error = pf_begin_rules(&ioe->ticket,
4747 ioe->rs_num, ioe->anchor))) {
4756 error = copyout(ioes, io->array, totlen);
4761 case DIOCXROLLBACK: {
4762 struct pfioc_trans *io = (struct pfioc_trans *)addr;
4763 struct pfioc_trans_e *ioe, *ioes;
4767 if (io->esize != sizeof(*ioe)) {
4772 io->size > pf_ioctl_maxcount ||
4773 WOULD_OVERFLOW(io->size, sizeof(struct pfioc_trans_e))) {
4777 totlen = sizeof(struct pfioc_trans_e) * io->size;
4778 ioes = mallocarray(io->size, sizeof(struct pfioc_trans_e),
4784 error = copyin(io->array, ioes, totlen);
4790 for (i = 0, ioe = ioes; i < io->size; i++, ioe++) {
4791 switch (ioe->rs_num) {
4793 case PF_RULESET_ALTQ:
4794 if (ioe->anchor[0]) {
4800 if ((error = pf_rollback_altq(ioe->ticket))) {
4803 goto fail; /* really bad */
4807 case PF_RULESET_TABLE:
4809 struct pfr_table table;
4811 bzero(&table, sizeof(table));
4812 strlcpy(table.pfrt_anchor, ioe->anchor,
4813 sizeof(table.pfrt_anchor));
4814 if ((error = pfr_ina_rollback(&table,
4815 ioe->ticket, NULL, 0))) {
4818 goto fail; /* really bad */
4823 if ((error = pf_rollback_rules(ioe->ticket,
4824 ioe->rs_num, ioe->anchor))) {
4827 goto fail; /* really bad */
4838 struct pfioc_trans *io = (struct pfioc_trans *)addr;
4839 struct pfioc_trans_e *ioe, *ioes;
4840 struct pf_kruleset *rs;
4844 if (io->esize != sizeof(*ioe)) {
4850 io->size > pf_ioctl_maxcount ||
4851 WOULD_OVERFLOW(io->size, sizeof(struct pfioc_trans_e))) {
4856 totlen = sizeof(struct pfioc_trans_e) * io->size;
4857 ioes = mallocarray(io->size, sizeof(struct pfioc_trans_e),
4863 error = copyin(io->array, ioes, totlen);
4869 /* First makes sure everything will succeed. */
4870 for (i = 0, ioe = ioes; i < io->size; i++, ioe++) {
4871 switch (ioe->rs_num) {
4873 case PF_RULESET_ALTQ:
4874 if (ioe->anchor[0]) {
4880 if (!V_altqs_inactive_open || ioe->ticket !=
4881 V_ticket_altqs_inactive) {
4889 case PF_RULESET_TABLE:
4890 rs = pf_find_kruleset(ioe->anchor);
4891 if (rs == NULL || !rs->topen || ioe->ticket !=
4900 if (ioe->rs_num < 0 || ioe->rs_num >=
4907 rs = pf_find_kruleset(ioe->anchor);
4909 !rs->rules[ioe->rs_num].inactive.open ||
4910 rs->rules[ioe->rs_num].inactive.ticket !=
4920 /* Now do the commit - no errors should happen here. */
4921 for (i = 0, ioe = ioes; i < io->size; i++, ioe++) {
4922 switch (ioe->rs_num) {
4924 case PF_RULESET_ALTQ:
4925 if ((error = pf_commit_altq(ioe->ticket))) {
4928 goto fail; /* really bad */
4932 case PF_RULESET_TABLE:
4934 struct pfr_table table;
4936 bzero(&table, sizeof(table));
4937 strlcpy(table.pfrt_anchor, ioe->anchor,
4938 sizeof(table.pfrt_anchor));
4939 if ((error = pfr_ina_commit(&table,
4940 ioe->ticket, NULL, NULL, 0))) {
4943 goto fail; /* really bad */
4948 if ((error = pf_commit_rules(ioe->ticket,
4949 ioe->rs_num, ioe->anchor))) {
4952 goto fail; /* really bad */
4962 case DIOCGETSRCNODES: {
4963 struct pfioc_src_nodes *psn = (struct pfioc_src_nodes *)addr;
4964 struct pf_srchash *sh;
4965 struct pf_ksrc_node *n;
4966 struct pf_src_node *p, *pstore;
4969 for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
4971 PF_HASHROW_LOCK(sh);
4972 LIST_FOREACH(n, &sh->nodes, entry)
4974 PF_HASHROW_UNLOCK(sh);
4977 psn->psn_len = min(psn->psn_len,
4978 sizeof(struct pf_src_node) * nr);
4980 if (psn->psn_len == 0) {
4981 psn->psn_len = sizeof(struct pf_src_node) * nr;
4987 p = pstore = malloc(psn->psn_len, M_TEMP, M_WAITOK | M_ZERO);
4988 for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
4990 PF_HASHROW_LOCK(sh);
4991 LIST_FOREACH(n, &sh->nodes, entry) {
4993 if ((nr + 1) * sizeof(*p) > (unsigned)psn->psn_len)
4996 pf_src_node_copy(n, p);
5001 PF_HASHROW_UNLOCK(sh);
5003 error = copyout(pstore, psn->psn_src_nodes,
5004 sizeof(struct pf_src_node) * nr);
5006 free(pstore, M_TEMP);
5009 psn->psn_len = sizeof(struct pf_src_node) * nr;
5010 free(pstore, M_TEMP);
5014 case DIOCCLRSRCNODES: {
5016 pf_clear_srcnodes(NULL);
5017 pf_purge_expired_src_nodes();
5021 case DIOCKILLSRCNODES:
5022 pf_kill_srcnodes((struct pfioc_src_node_kill *)addr);
5025 case DIOCSETHOSTID: {
5026 u_int32_t *hostid = (u_int32_t *)addr;
5030 V_pf_status.hostid = arc4random();
5032 V_pf_status.hostid = *hostid;
5043 case DIOCIGETIFACES: {
5044 struct pfioc_iface *io = (struct pfioc_iface *)addr;
5045 struct pfi_kif *ifstore;
5048 if (io->pfiio_esize != sizeof(struct pfi_kif)) {
5053 if (io->pfiio_size < 0 ||
5054 io->pfiio_size > pf_ioctl_maxcount ||
5055 WOULD_OVERFLOW(io->pfiio_size, sizeof(struct pfi_kif))) {
5060 bufsiz = io->pfiio_size * sizeof(struct pfi_kif);
5061 ifstore = mallocarray(io->pfiio_size, sizeof(struct pfi_kif),
5063 if (ifstore == NULL) {
5069 pfi_get_ifaces(io->pfiio_name, ifstore, &io->pfiio_size);
5071 error = copyout(ifstore, io->pfiio_buffer, bufsiz);
5072 free(ifstore, M_TEMP);
5076 case DIOCSETIFFLAG: {
5077 struct pfioc_iface *io = (struct pfioc_iface *)addr;
5080 error = pfi_set_flags(io->pfiio_name, io->pfiio_flags);
5085 case DIOCCLRIFFLAG: {
5086 struct pfioc_iface *io = (struct pfioc_iface *)addr;
5089 error = pfi_clear_flags(io->pfiio_name, io->pfiio_flags);
5099 if (sx_xlocked(&pf_ioctl_lock))
5100 sx_xunlock(&pf_ioctl_lock);
5107 pfsync_state_export(struct pfsync_state *sp, struct pf_state *st)
5109 bzero(sp, sizeof(struct pfsync_state));
5111 /* copy from state key */
5112 sp->key[PF_SK_WIRE].addr[0] = st->key[PF_SK_WIRE]->addr[0];
5113 sp->key[PF_SK_WIRE].addr[1] = st->key[PF_SK_WIRE]->addr[1];
5114 sp->key[PF_SK_WIRE].port[0] = st->key[PF_SK_WIRE]->port[0];
5115 sp->key[PF_SK_WIRE].port[1] = st->key[PF_SK_WIRE]->port[1];
5116 sp->key[PF_SK_STACK].addr[0] = st->key[PF_SK_STACK]->addr[0];
5117 sp->key[PF_SK_STACK].addr[1] = st->key[PF_SK_STACK]->addr[1];
5118 sp->key[PF_SK_STACK].port[0] = st->key[PF_SK_STACK]->port[0];
5119 sp->key[PF_SK_STACK].port[1] = st->key[PF_SK_STACK]->port[1];
5120 sp->proto = st->key[PF_SK_WIRE]->proto;
5121 sp->af = st->key[PF_SK_WIRE]->af;
5123 /* copy from state */
5124 strlcpy(sp->ifname, st->kif->pfik_name, sizeof(sp->ifname));
5125 bcopy(&st->rt_addr, &sp->rt_addr, sizeof(sp->rt_addr));
5126 sp->creation = htonl(time_uptime - st->creation);
5127 sp->expire = pf_state_expires(st);
5128 if (sp->expire <= time_uptime)
5129 sp->expire = htonl(0);
5131 sp->expire = htonl(sp->expire - time_uptime);
5133 sp->direction = st->direction;
5135 sp->timeout = st->timeout;
5136 sp->state_flags = st->state_flags;
5138 sp->sync_flags |= PFSYNC_FLAG_SRCNODE;
5139 if (st->nat_src_node)
5140 sp->sync_flags |= PFSYNC_FLAG_NATSRCNODE;
5143 sp->creatorid = st->creatorid;
5144 pf_state_peer_hton(&st->src, &sp->src);
5145 pf_state_peer_hton(&st->dst, &sp->dst);
5147 if (st->rule.ptr == NULL)
5148 sp->rule = htonl(-1);
5150 sp->rule = htonl(st->rule.ptr->nr);
5151 if (st->anchor.ptr == NULL)
5152 sp->anchor = htonl(-1);
5154 sp->anchor = htonl(st->anchor.ptr->nr);
5155 if (st->nat_rule.ptr == NULL)
5156 sp->nat_rule = htonl(-1);
5158 sp->nat_rule = htonl(st->nat_rule.ptr->nr);
5160 pf_state_counter_hton(counter_u64_fetch(st->packets[0]),
5162 pf_state_counter_hton(counter_u64_fetch(st->packets[1]),
5164 pf_state_counter_hton(counter_u64_fetch(st->bytes[0]), sp->bytes[0]);
5165 pf_state_counter_hton(counter_u64_fetch(st->bytes[1]), sp->bytes[1]);
5170 pf_tbladdr_copyout(struct pf_addr_wrap *aw)
5172 struct pfr_ktable *kt;
5174 KASSERT(aw->type == PF_ADDR_TABLE, ("%s: type %u", __func__, aw->type));
5177 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
5178 kt = kt->pfrkt_root;
5180 aw->p.tblcnt = (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) ?
5185 * XXX - Check for version missmatch!!!
5188 pf_clear_states(void)
5193 for (i = 0; i <= pf_hashmask; i++) {
5194 struct pf_idhash *ih = &V_pf_idhash[i];
5196 PF_HASHROW_LOCK(ih);
5197 LIST_FOREACH(s, &ih->states, entry) {
5198 s->timeout = PFTM_PURGE;
5199 /* Don't send out individual delete messages. */
5200 s->state_flags |= PFSTATE_NOSYNC;
5201 pf_unlink_state(s, PF_ENTER_LOCKED);
5204 PF_HASHROW_UNLOCK(ih);
5209 pf_clear_tables(void)
5211 struct pfioc_table io;
5214 bzero(&io, sizeof(io));
5216 error = pfr_clr_tables(&io.pfrio_table, &io.pfrio_ndel,
5223 pf_clear_srcnodes(struct pf_ksrc_node *n)
5228 for (i = 0; i <= pf_hashmask; i++) {
5229 struct pf_idhash *ih = &V_pf_idhash[i];
5231 PF_HASHROW_LOCK(ih);
5232 LIST_FOREACH(s, &ih->states, entry) {
5233 if (n == NULL || n == s->src_node)
5235 if (n == NULL || n == s->nat_src_node)
5236 s->nat_src_node = NULL;
5238 PF_HASHROW_UNLOCK(ih);
5242 struct pf_srchash *sh;
5244 for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
5246 PF_HASHROW_LOCK(sh);
5247 LIST_FOREACH(n, &sh->nodes, entry) {
5251 PF_HASHROW_UNLOCK(sh);
5254 /* XXX: hash slot should already be locked here. */
5261 pf_kill_srcnodes(struct pfioc_src_node_kill *psnk)
5263 struct pf_ksrc_node_list kill;
5266 for (int i = 0; i <= pf_srchashmask; i++) {
5267 struct pf_srchash *sh = &V_pf_srchash[i];
5268 struct pf_ksrc_node *sn, *tmp;
5270 PF_HASHROW_LOCK(sh);
5271 LIST_FOREACH_SAFE(sn, &sh->nodes, entry, tmp)
5272 if (PF_MATCHA(psnk->psnk_src.neg,
5273 &psnk->psnk_src.addr.v.a.addr,
5274 &psnk->psnk_src.addr.v.a.mask,
5275 &sn->addr, sn->af) &&
5276 PF_MATCHA(psnk->psnk_dst.neg,
5277 &psnk->psnk_dst.addr.v.a.addr,
5278 &psnk->psnk_dst.addr.v.a.mask,
5279 &sn->raddr, sn->af)) {
5280 pf_unlink_src_node(sn);
5281 LIST_INSERT_HEAD(&kill, sn, entry);
5284 PF_HASHROW_UNLOCK(sh);
5287 for (int i = 0; i <= pf_hashmask; i++) {
5288 struct pf_idhash *ih = &V_pf_idhash[i];
5291 PF_HASHROW_LOCK(ih);
5292 LIST_FOREACH(s, &ih->states, entry) {
5293 if (s->src_node && s->src_node->expire == 1)
5295 if (s->nat_src_node && s->nat_src_node->expire == 1)
5296 s->nat_src_node = NULL;
5298 PF_HASHROW_UNLOCK(ih);
5301 psnk->psnk_killed = pf_free_src_nodes(&kill);
5305 * XXX - Check for version missmatch!!!
5309 * Duplicate pfctl -Fa operation to get rid of as much as we can.
5319 if ((error = pf_begin_rules(&t[0], PF_RULESET_SCRUB, &nn))
5321 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: SCRUB\n"));
5324 if ((error = pf_begin_rules(&t[1], PF_RULESET_FILTER, &nn))
5326 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: FILTER\n"));
5327 break; /* XXX: rollback? */
5329 if ((error = pf_begin_rules(&t[2], PF_RULESET_NAT, &nn))
5331 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: NAT\n"));
5332 break; /* XXX: rollback? */
5334 if ((error = pf_begin_rules(&t[3], PF_RULESET_BINAT, &nn))
5336 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: BINAT\n"));
5337 break; /* XXX: rollback? */
5339 if ((error = pf_begin_rules(&t[4], PF_RULESET_RDR, &nn))
5341 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: RDR\n"));
5342 break; /* XXX: rollback? */
5345 /* XXX: these should always succeed here */
5346 pf_commit_rules(t[0], PF_RULESET_SCRUB, &nn);
5347 pf_commit_rules(t[1], PF_RULESET_FILTER, &nn);
5348 pf_commit_rules(t[2], PF_RULESET_NAT, &nn);
5349 pf_commit_rules(t[3], PF_RULESET_BINAT, &nn);
5350 pf_commit_rules(t[4], PF_RULESET_RDR, &nn);
5352 if ((error = pf_clear_tables()) != 0)
5356 if ((error = pf_begin_altq(&t[0])) != 0) {
5357 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: ALTQ\n"));
5360 pf_commit_altq(t[0]);
5365 pf_clear_srcnodes(NULL);
5367 /* status does not use malloced mem so no need to cleanup */
5368 /* fingerprints and interfaces have their own cleanup code */
5376 pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, int flags,
5381 chk = pf_test(PF_IN, flags, ifp, m, inp);
5393 pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, int flags,
5398 chk = pf_test(PF_OUT, flags, ifp, m, inp);
5412 pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, int flags,
5418 * In case of loopback traffic IPv6 uses the real interface in
5419 * order to support scoped addresses. In order to support stateful
5420 * filtering we have change this to lo0 as it is the case in IPv4.
5422 CURVNET_SET(ifp->if_vnet);
5423 chk = pf_test6(PF_IN, flags, (*m)->m_flags & M_LOOP ? V_loif : ifp, m, inp);
5435 pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, int flags,
5440 CURVNET_SET(ifp->if_vnet);
5441 chk = pf_test6(PF_OUT, flags, ifp, m, inp);
5457 struct pfil_head *pfh_inet;
5460 struct pfil_head *pfh_inet6;
5463 if (V_pf_pfil_hooked)
5467 pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
5468 if (pfh_inet == NULL)
5469 return (ESRCH); /* XXX */
5470 pfil_add_hook_flags(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet);
5471 pfil_add_hook_flags(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet);
5474 pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
5475 if (pfh_inet6 == NULL) {
5477 pfil_remove_hook_flags(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK,
5479 pfil_remove_hook_flags(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK,
5482 return (ESRCH); /* XXX */
5484 pfil_add_hook_flags(pf_check6_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6);
5485 pfil_add_hook_flags(pf_check6_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6);
5488 V_pf_pfil_hooked = 1;
5496 struct pfil_head *pfh_inet;
5499 struct pfil_head *pfh_inet6;
5502 if (V_pf_pfil_hooked == 0)
5506 pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
5507 if (pfh_inet == NULL)
5508 return (ESRCH); /* XXX */
5509 pfil_remove_hook_flags(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK,
5511 pfil_remove_hook_flags(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK,
5515 pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
5516 if (pfh_inet6 == NULL)
5517 return (ESRCH); /* XXX */
5518 pfil_remove_hook_flags(pf_check6_in, NULL, PFIL_IN | PFIL_WAITOK,
5520 pfil_remove_hook_flags(pf_check6_out, NULL, PFIL_OUT | PFIL_WAITOK,
5524 V_pf_pfil_hooked = 0;
5531 V_pf_tag_z = uma_zcreate("pf tags", sizeof(struct pf_tagname),
5532 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
5534 pf_init_tagset(&V_pf_tags, &pf_rule_tag_hashsize,
5535 PF_RULE_TAG_HASH_SIZE_DEFAULT);
5537 pf_init_tagset(&V_pf_qids, &pf_queue_tag_hashsize,
5538 PF_QUEUE_TAG_HASH_SIZE_DEFAULT);
5542 V_pf_vnet_active = 1;
5550 rm_init(&pf_rules_lock, "pf rulesets");
5551 sx_init(&pf_ioctl_lock, "pf ioctl");
5552 sx_init(&pf_end_lock, "pf end thread");
5554 pf_mtag_initialize();
5556 pf_dev = make_dev(&pf_cdevsw, 0, 0, 0, 0600, PF_NAME);
5561 error = kproc_create(pf_purge_thread, NULL, &pf_purge_proc, 0, 0, "pf purge");
5571 pf_unload_vnet(void)
5575 V_pf_vnet_active = 0;
5576 V_pf_status.running = 0;
5577 error = dehook_pf();
5580 * Should not happen!
5581 * XXX Due to error code ESRCH, kldunload will show
5582 * a message like 'No such process'.
5584 printf("%s : pfil unregisteration fail\n", __FUNCTION__);
5592 ret = swi_remove(V_pf_swi_cookie);
5594 ret = intr_event_destroy(V_pf_swi_ie);
5597 pf_unload_vnet_purge();
5599 pf_normalize_cleanup();
5606 if (IS_DEFAULT_VNET(curvnet))
5609 pf_cleanup_tagset(&V_pf_tags);
5611 pf_cleanup_tagset(&V_pf_qids);
5613 uma_zdestroy(V_pf_tag_z);
5615 /* Free counters last as we updated them during shutdown. */
5616 counter_u64_free(V_pf_default_rule.evaluations);
5617 for (int i = 0; i < 2; i++) {
5618 counter_u64_free(V_pf_default_rule.packets[i]);
5619 counter_u64_free(V_pf_default_rule.bytes[i]);
5621 counter_u64_free(V_pf_default_rule.states_cur);
5622 counter_u64_free(V_pf_default_rule.states_tot);
5623 counter_u64_free(V_pf_default_rule.src_nodes);
5625 for (int i = 0; i < PFRES_MAX; i++)
5626 counter_u64_free(V_pf_status.counters[i]);
5627 for (int i = 0; i < LCNT_MAX; i++)
5628 counter_u64_free(V_pf_status.lcounters[i]);
5629 for (int i = 0; i < FCNT_MAX; i++)
5630 counter_u64_free(V_pf_status.fcounters[i]);
5631 for (int i = 0; i < SCNT_MAX; i++)
5632 counter_u64_free(V_pf_status.scounters[i]);
5639 sx_xlock(&pf_end_lock);
5641 while (pf_end_threads < 2) {
5642 wakeup_one(pf_purge_thread);
5643 sx_sleep(pf_purge_proc, &pf_end_lock, 0, "pftmo", 0);
5645 sx_xunlock(&pf_end_lock);
5648 destroy_dev(pf_dev);
5652 rm_destroy(&pf_rules_lock);
5653 sx_destroy(&pf_ioctl_lock);
5654 sx_destroy(&pf_end_lock);
5658 vnet_pf_init(void *unused __unused)
5663 VNET_SYSINIT(vnet_pf_init, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD,
5664 vnet_pf_init, NULL);
5667 vnet_pf_uninit(const void *unused __unused)
5672 SYSUNINIT(pf_unload, SI_SUB_PROTO_FIREWALL, SI_ORDER_SECOND, pf_unload, NULL);
5673 VNET_SYSUNINIT(vnet_pf_uninit, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD,
5674 vnet_pf_uninit, NULL);
5678 pf_modevent(module_t mod, int type, void *data)
5687 /* Handled in SYSUNINIT(pf_unload) to ensure it's done after
5688 * the vnet_pf_uninit()s */
5698 static moduledata_t pf_mod = {
5704 DECLARE_MODULE(pf, pf_mod, SI_SUB_PROTO_FIREWALL, SI_ORDER_SECOND);
5705 MODULE_VERSION(pf, PF_MODVER);
projects / FreeBSD / FreeBSD.git / blob