2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2001 Daniel Hartmeier
5 * Copyright (c) 2002,2003 Henning Brauer
6 * Copyright (c) 2012 Gleb Smirnoff <glebius@FreeBSD.org>
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * - Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * - Redistributions in binary form must reproduce the above
16 * copyright notice, this list of conditions and the following
17 * disclaimer in the documentation and/or other materials provided
18 * with the distribution.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
28 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
30 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
33 * Effort sponsored in part by the Defense Advanced Research Projects
34 * Agency (DARPA) and Air Force Research Laboratory, Air Force
35 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
37 * $OpenBSD: pf_ioctl.c,v 1.213 2009/02/15 21:46:12 mbalmer Exp $
40 #include <sys/cdefs.h>
41 __FBSDID("$FreeBSD$");
44 #include "opt_inet6.h"
48 #include <sys/param.h>
49 #include <sys/_bitset.h>
50 #include <sys/bitset.h>
53 #include <sys/endian.h>
54 #include <sys/fcntl.h>
55 #include <sys/filio.h>
57 #include <sys/interrupt.h>
59 #include <sys/kernel.h>
60 #include <sys/kthread.h>
63 #include <sys/module.h>
68 #include <sys/socket.h>
69 #include <sys/sysctl.h>
71 #include <sys/ucred.h>
74 #include <net/if_var.h>
76 #include <net/route.h>
78 #include <net/pfvar.h>
79 #include <net/if_pfsync.h>
80 #include <net/if_pflog.h>
82 #include <netinet/in.h>
83 #include <netinet/ip.h>
84 #include <netinet/ip_var.h>
85 #include <netinet6/ip6_var.h>
86 #include <netinet/ip_icmp.h>
87 #include <netpfil/pf/pf_nv.h>
90 #include <netinet/ip6.h>
94 #include <net/altq/altq.h>
97 SDT_PROBE_DEFINE3(pf, ioctl, ioctl, error, "int", "int", "int");
98 SDT_PROBE_DEFINE3(pf, ioctl, function, error, "char *", "int", "int");
99 SDT_PROBE_DEFINE2(pf, ioctl, addrule, error, "int", "int");
100 SDT_PROBE_DEFINE2(pf, ioctl, nvchk, error, "int", "int");
102 static struct pf_kpool *pf_get_kpool(char *, u_int32_t, u_int8_t, u_int32_t,
103 u_int8_t, u_int8_t, u_int8_t);
105 static void pf_mv_kpool(struct pf_kpalist *, struct pf_kpalist *);
106 static void pf_empty_kpool(struct pf_kpalist *);
107 static int pfioctl(struct cdev *, u_long, caddr_t, int,
110 static int pf_begin_altq(u_int32_t *);
111 static int pf_rollback_altq(u_int32_t);
112 static int pf_commit_altq(u_int32_t);
113 static int pf_enable_altq(struct pf_altq *);
114 static int pf_disable_altq(struct pf_altq *);
115 static u_int32_t pf_qname2qid(char *);
116 static void pf_qid_unref(u_int32_t);
118 static int pf_begin_rules(u_int32_t *, int, const char *);
119 static int pf_rollback_rules(u_int32_t, int, char *);
120 static int pf_setup_pfsync_matching(struct pf_kruleset *);
121 static void pf_hash_rule(MD5_CTX *, struct pf_krule *);
122 static void pf_hash_rule_addr(MD5_CTX *, struct pf_rule_addr *);
123 static int pf_commit_rules(u_int32_t, int, char *);
124 static int pf_addr_setup(struct pf_kruleset *,
125 struct pf_addr_wrap *, sa_family_t);
126 static void pf_addr_copyout(struct pf_addr_wrap *);
127 static void pf_src_node_copy(const struct pf_ksrc_node *,
128 struct pf_src_node *);
130 static int pf_export_kaltq(struct pf_altq *,
131 struct pfioc_altq_v1 *, size_t);
132 static int pf_import_kaltq(struct pfioc_altq_v1 *,
133 struct pf_altq *, size_t);
136 VNET_DEFINE(struct pf_krule, pf_default_rule);
139 VNET_DEFINE_STATIC(int, pf_altq_running);
140 #define V_pf_altq_running VNET(pf_altq_running)
143 #define TAGID_MAX 50000
145 TAILQ_ENTRY(pf_tagname) namehash_entries;
146 TAILQ_ENTRY(pf_tagname) taghash_entries;
147 char name[PF_TAG_NAME_SIZE];
153 TAILQ_HEAD(, pf_tagname) *namehash;
154 TAILQ_HEAD(, pf_tagname) *taghash;
157 BITSET_DEFINE(, TAGID_MAX) avail;
160 VNET_DEFINE(struct pf_tagset, pf_tags);
161 #define V_pf_tags VNET(pf_tags)
162 static unsigned int pf_rule_tag_hashsize;
163 #define PF_RULE_TAG_HASH_SIZE_DEFAULT 128
164 SYSCTL_UINT(_net_pf, OID_AUTO, rule_tag_hashsize, CTLFLAG_RDTUN,
165 &pf_rule_tag_hashsize, PF_RULE_TAG_HASH_SIZE_DEFAULT,
166 "Size of pf(4) rule tag hashtable");
169 VNET_DEFINE(struct pf_tagset, pf_qids);
170 #define V_pf_qids VNET(pf_qids)
171 static unsigned int pf_queue_tag_hashsize;
172 #define PF_QUEUE_TAG_HASH_SIZE_DEFAULT 128
173 SYSCTL_UINT(_net_pf, OID_AUTO, queue_tag_hashsize, CTLFLAG_RDTUN,
174 &pf_queue_tag_hashsize, PF_QUEUE_TAG_HASH_SIZE_DEFAULT,
175 "Size of pf(4) queue tag hashtable");
177 VNET_DEFINE(uma_zone_t, pf_tag_z);
178 #define V_pf_tag_z VNET(pf_tag_z)
179 static MALLOC_DEFINE(M_PFALTQ, "pf_altq", "pf(4) altq configuration db");
180 static MALLOC_DEFINE(M_PFRULE, "pf_rule", "pf(4) rules");
182 #if (PF_QNAME_SIZE != PF_TAG_NAME_SIZE)
183 #error PF_QNAME_SIZE must be equal to PF_TAG_NAME_SIZE
186 static void pf_init_tagset(struct pf_tagset *, unsigned int *,
188 static void pf_cleanup_tagset(struct pf_tagset *);
189 static uint16_t tagname2hashindex(const struct pf_tagset *, const char *);
190 static uint16_t tag2hashindex(const struct pf_tagset *, uint16_t);
191 static u_int16_t tagname2tag(struct pf_tagset *, char *);
192 static u_int16_t pf_tagname2tag(char *);
193 static void tag_unref(struct pf_tagset *, u_int16_t);
195 #define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x
200 * XXX - These are new and need to be checked when moveing to a new version
202 static void pf_clear_all_states(void);
203 static unsigned int pf_clear_states(const struct pf_kstate_kill *);
204 static int pf_killstates(struct pf_kstate_kill *,
206 static int pf_killstates_row(struct pf_kstate_kill *,
208 static int pf_killstates_nv(struct pfioc_nv *);
209 static int pf_clearstates_nv(struct pfioc_nv *);
210 static int pf_getstate(struct pfioc_nv *);
211 static int pf_getstates(struct pfioc_nv *);
212 static int pf_clear_tables(void);
213 static void pf_clear_srcnodes(struct pf_ksrc_node *);
214 static void pf_kill_srcnodes(struct pfioc_src_node_kill *);
215 static int pf_keepcounters(struct pfioc_nv *);
216 static void pf_tbladdr_copyout(struct pf_addr_wrap *);
219 * Wrapper functions for pfil(9) hooks
222 static pfil_return_t pf_check_in(struct mbuf **m, struct ifnet *ifp,
223 int flags, void *ruleset __unused, struct inpcb *inp);
224 static pfil_return_t pf_check_out(struct mbuf **m, struct ifnet *ifp,
225 int flags, void *ruleset __unused, struct inpcb *inp);
228 static pfil_return_t pf_check6_in(struct mbuf **m, struct ifnet *ifp,
229 int flags, void *ruleset __unused, struct inpcb *inp);
230 static pfil_return_t pf_check6_out(struct mbuf **m, struct ifnet *ifp,
231 int flags, void *ruleset __unused, struct inpcb *inp);
234 static void hook_pf(void);
235 static void dehook_pf(void);
236 static int shutdown_pf(void);
237 static int pf_load(void);
238 static void pf_unload(void);
240 static struct cdevsw pf_cdevsw = {
243 .d_version = D_VERSION,
246 volatile VNET_DEFINE_STATIC(int, pf_pfil_hooked);
247 #define V_pf_pfil_hooked VNET(pf_pfil_hooked)
250 * We need a flag that is neither hooked nor running to know when
251 * the VNET is "valid". We primarily need this to control (global)
252 * external event, e.g., eventhandlers.
254 VNET_DEFINE(int, pf_vnet_active);
255 #define V_pf_vnet_active VNET(pf_vnet_active)
258 struct proc *pf_purge_proc;
260 struct rmlock pf_rules_lock;
261 struct sx pf_ioctl_lock;
262 struct sx pf_end_lock;
265 VNET_DEFINE(pfsync_state_import_t *, pfsync_state_import_ptr);
266 VNET_DEFINE(pfsync_insert_state_t *, pfsync_insert_state_ptr);
267 VNET_DEFINE(pfsync_update_state_t *, pfsync_update_state_ptr);
268 VNET_DEFINE(pfsync_delete_state_t *, pfsync_delete_state_ptr);
269 VNET_DEFINE(pfsync_clear_states_t *, pfsync_clear_states_ptr);
270 VNET_DEFINE(pfsync_defer_t *, pfsync_defer_ptr);
271 pfsync_detach_ifnet_t *pfsync_detach_ifnet_ptr;
274 pflog_packet_t *pflog_packet_ptr = NULL;
276 extern u_long pf_ioctl_maxcount;
281 u_int32_t *my_timeout = V_pf_default_rule.timeout;
285 pfi_initialize_vnet();
288 V_pf_limits[PF_LIMIT_STATES].limit = PFSTATE_HIWAT;
289 V_pf_limits[PF_LIMIT_SRC_NODES].limit = PFSNODE_HIWAT;
291 RB_INIT(&V_pf_anchors);
292 pf_init_kruleset(&pf_main_ruleset);
294 /* default rule should never be garbage collected */
295 V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
296 #ifdef PF_DEFAULT_TO_DROP
297 V_pf_default_rule.action = PF_DROP;
299 V_pf_default_rule.action = PF_PASS;
301 V_pf_default_rule.nr = -1;
302 V_pf_default_rule.rtableid = -1;
304 V_pf_default_rule.evaluations = counter_u64_alloc(M_WAITOK);
305 for (int i = 0; i < 2; i++) {
306 V_pf_default_rule.packets[i] = counter_u64_alloc(M_WAITOK);
307 V_pf_default_rule.bytes[i] = counter_u64_alloc(M_WAITOK);
309 V_pf_default_rule.states_cur = counter_u64_alloc(M_WAITOK);
310 V_pf_default_rule.states_tot = counter_u64_alloc(M_WAITOK);
311 V_pf_default_rule.src_nodes = counter_u64_alloc(M_WAITOK);
313 /* initialize default timeouts */
314 my_timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
315 my_timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL;
316 my_timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL;
317 my_timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL;
318 my_timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL;
319 my_timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL;
320 my_timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL;
321 my_timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL;
322 my_timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL;
323 my_timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL;
324 my_timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL;
325 my_timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL;
326 my_timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL;
327 my_timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL;
328 my_timeout[PFTM_FRAG] = PFTM_FRAG_VAL;
329 my_timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL;
330 my_timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL;
331 my_timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
332 my_timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;
333 my_timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;
335 bzero(&V_pf_status, sizeof(V_pf_status));
336 V_pf_status.debug = PF_DEBUG_URGENT;
338 V_pf_pfil_hooked = 0;
340 /* XXX do our best to avoid a conflict */
341 V_pf_status.hostid = arc4random();
343 for (int i = 0; i < PFRES_MAX; i++)
344 V_pf_status.counters[i] = counter_u64_alloc(M_WAITOK);
345 for (int i = 0; i < LCNT_MAX; i++)
346 V_pf_status.lcounters[i] = counter_u64_alloc(M_WAITOK);
347 for (int i = 0; i < FCNT_MAX; i++)
348 V_pf_status.fcounters[i] = counter_u64_alloc(M_WAITOK);
349 for (int i = 0; i < SCNT_MAX; i++)
350 V_pf_status.scounters[i] = counter_u64_alloc(M_WAITOK);
352 if (swi_add(&V_pf_swi_ie, "pf send", pf_intr, curvnet, SWI_NET,
353 INTR_MPSAFE, &V_pf_swi_cookie) != 0)
354 /* XXXGL: leaked all above. */
358 static struct pf_kpool *
359 pf_get_kpool(char *anchor, u_int32_t ticket, u_int8_t rule_action,
360 u_int32_t rule_number, u_int8_t r_last, u_int8_t active,
361 u_int8_t check_ticket)
363 struct pf_kruleset *ruleset;
364 struct pf_krule *rule;
367 ruleset = pf_find_kruleset(anchor);
370 rs_num = pf_get_ruleset_number(rule_action);
371 if (rs_num >= PF_RULESET_MAX)
374 if (check_ticket && ticket !=
375 ruleset->rules[rs_num].active.ticket)
378 rule = TAILQ_LAST(ruleset->rules[rs_num].active.ptr,
381 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
383 if (check_ticket && ticket !=
384 ruleset->rules[rs_num].inactive.ticket)
387 rule = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
390 rule = TAILQ_FIRST(ruleset->rules[rs_num].inactive.ptr);
393 while ((rule != NULL) && (rule->nr != rule_number))
394 rule = TAILQ_NEXT(rule, entries);
399 return (&rule->rpool);
403 pf_mv_kpool(struct pf_kpalist *poola, struct pf_kpalist *poolb)
405 struct pf_kpooladdr *mv_pool_pa;
407 while ((mv_pool_pa = TAILQ_FIRST(poola)) != NULL) {
408 TAILQ_REMOVE(poola, mv_pool_pa, entries);
409 TAILQ_INSERT_TAIL(poolb, mv_pool_pa, entries);
414 pf_empty_kpool(struct pf_kpalist *poola)
416 struct pf_kpooladdr *pa;
418 while ((pa = TAILQ_FIRST(poola)) != NULL) {
419 switch (pa->addr.type) {
420 case PF_ADDR_DYNIFTL:
421 pfi_dynaddr_remove(pa->addr.p.dyn);
424 /* XXX: this could be unfinished pooladdr on pabuf */
425 if (pa->addr.p.tbl != NULL)
426 pfr_detach_table(pa->addr.p.tbl);
430 pfi_kkif_unref(pa->kif);
431 TAILQ_REMOVE(poola, pa, entries);
437 pf_unlink_rule(struct pf_krulequeue *rulequeue, struct pf_krule *rule)
442 TAILQ_REMOVE(rulequeue, rule, entries);
444 PF_UNLNKDRULES_LOCK();
445 rule->rule_ref |= PFRULE_REFS;
446 TAILQ_INSERT_TAIL(&V_pf_unlinked_rules, rule, entries);
447 PF_UNLNKDRULES_UNLOCK();
451 pf_free_rule(struct pf_krule *rule)
457 tag_unref(&V_pf_tags, rule->tag);
459 tag_unref(&V_pf_tags, rule->match_tag);
461 if (rule->pqid != rule->qid)
462 pf_qid_unref(rule->pqid);
463 pf_qid_unref(rule->qid);
465 switch (rule->src.addr.type) {
466 case PF_ADDR_DYNIFTL:
467 pfi_dynaddr_remove(rule->src.addr.p.dyn);
470 pfr_detach_table(rule->src.addr.p.tbl);
473 switch (rule->dst.addr.type) {
474 case PF_ADDR_DYNIFTL:
475 pfi_dynaddr_remove(rule->dst.addr.p.dyn);
478 pfr_detach_table(rule->dst.addr.p.tbl);
481 if (rule->overload_tbl)
482 pfr_detach_table(rule->overload_tbl);
484 pfi_kkif_unref(rule->kif);
485 pf_kanchor_remove(rule);
486 pf_empty_kpool(&rule->rpool.list);
492 pf_init_tagset(struct pf_tagset *ts, unsigned int *tunable_size,
493 unsigned int default_size)
496 unsigned int hashsize;
498 if (*tunable_size == 0 || !powerof2(*tunable_size))
499 *tunable_size = default_size;
501 hashsize = *tunable_size;
502 ts->namehash = mallocarray(hashsize, sizeof(*ts->namehash), M_PFHASH,
504 ts->taghash = mallocarray(hashsize, sizeof(*ts->taghash), M_PFHASH,
506 ts->mask = hashsize - 1;
507 ts->seed = arc4random();
508 for (i = 0; i < hashsize; i++) {
509 TAILQ_INIT(&ts->namehash[i]);
510 TAILQ_INIT(&ts->taghash[i]);
512 BIT_FILL(TAGID_MAX, &ts->avail);
516 pf_cleanup_tagset(struct pf_tagset *ts)
519 unsigned int hashsize;
520 struct pf_tagname *t, *tmp;
523 * Only need to clean up one of the hashes as each tag is hashed
526 hashsize = ts->mask + 1;
527 for (i = 0; i < hashsize; i++)
528 TAILQ_FOREACH_SAFE(t, &ts->namehash[i], namehash_entries, tmp)
529 uma_zfree(V_pf_tag_z, t);
531 free(ts->namehash, M_PFHASH);
532 free(ts->taghash, M_PFHASH);
536 tagname2hashindex(const struct pf_tagset *ts, const char *tagname)
540 len = strnlen(tagname, PF_TAG_NAME_SIZE - 1);
541 return (murmur3_32_hash(tagname, len, ts->seed) & ts->mask);
545 tag2hashindex(const struct pf_tagset *ts, uint16_t tag)
548 return (tag & ts->mask);
552 tagname2tag(struct pf_tagset *ts, char *tagname)
554 struct pf_tagname *tag;
560 index = tagname2hashindex(ts, tagname);
561 TAILQ_FOREACH(tag, &ts->namehash[index], namehash_entries)
562 if (strcmp(tagname, tag->name) == 0) {
570 * to avoid fragmentation, we do a linear search from the beginning
571 * and take the first free slot we find.
573 new_tagid = BIT_FFS(TAGID_MAX, &ts->avail);
575 * Tags are 1-based, with valid tags in the range [1..TAGID_MAX].
576 * BIT_FFS() returns a 1-based bit number, with 0 indicating no bits
577 * set. It may also return a bit number greater than TAGID_MAX due
578 * to rounding of the number of bits in the vector up to a multiple
579 * of the vector word size at declaration/allocation time.
581 if ((new_tagid == 0) || (new_tagid > TAGID_MAX))
584 /* Mark the tag as in use. Bits are 0-based for BIT_CLR() */
585 BIT_CLR(TAGID_MAX, new_tagid - 1, &ts->avail);
587 /* allocate and fill new struct pf_tagname */
588 tag = uma_zalloc(V_pf_tag_z, M_NOWAIT);
591 strlcpy(tag->name, tagname, sizeof(tag->name));
592 tag->tag = new_tagid;
595 /* Insert into namehash */
596 TAILQ_INSERT_TAIL(&ts->namehash[index], tag, namehash_entries);
598 /* Insert into taghash */
599 index = tag2hashindex(ts, new_tagid);
600 TAILQ_INSERT_TAIL(&ts->taghash[index], tag, taghash_entries);
606 tag_unref(struct pf_tagset *ts, u_int16_t tag)
608 struct pf_tagname *t;
613 index = tag2hashindex(ts, tag);
614 TAILQ_FOREACH(t, &ts->taghash[index], taghash_entries)
617 TAILQ_REMOVE(&ts->taghash[index], t,
619 index = tagname2hashindex(ts, t->name);
620 TAILQ_REMOVE(&ts->namehash[index], t,
622 /* Bits are 0-based for BIT_SET() */
623 BIT_SET(TAGID_MAX, tag - 1, &ts->avail);
624 uma_zfree(V_pf_tag_z, t);
631 pf_tagname2tag(char *tagname)
633 return (tagname2tag(&V_pf_tags, tagname));
638 pf_qname2qid(char *qname)
640 return ((u_int32_t)tagname2tag(&V_pf_qids, qname));
644 pf_qid_unref(u_int32_t qid)
646 tag_unref(&V_pf_qids, (u_int16_t)qid);
650 pf_begin_altq(u_int32_t *ticket)
652 struct pf_altq *altq, *tmp;
657 /* Purge the old altq lists */
658 TAILQ_FOREACH_SAFE(altq, V_pf_altq_ifs_inactive, entries, tmp) {
659 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
660 /* detach and destroy the discipline */
661 error = altq_remove(altq);
663 free(altq, M_PFALTQ);
665 TAILQ_INIT(V_pf_altq_ifs_inactive);
666 TAILQ_FOREACH_SAFE(altq, V_pf_altqs_inactive, entries, tmp) {
667 pf_qid_unref(altq->qid);
668 free(altq, M_PFALTQ);
670 TAILQ_INIT(V_pf_altqs_inactive);
673 *ticket = ++V_ticket_altqs_inactive;
674 V_altqs_inactive_open = 1;
679 pf_rollback_altq(u_int32_t ticket)
681 struct pf_altq *altq, *tmp;
686 if (!V_altqs_inactive_open || ticket != V_ticket_altqs_inactive)
688 /* Purge the old altq lists */
689 TAILQ_FOREACH_SAFE(altq, V_pf_altq_ifs_inactive, entries, tmp) {
690 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
691 /* detach and destroy the discipline */
692 error = altq_remove(altq);
694 free(altq, M_PFALTQ);
696 TAILQ_INIT(V_pf_altq_ifs_inactive);
697 TAILQ_FOREACH_SAFE(altq, V_pf_altqs_inactive, entries, tmp) {
698 pf_qid_unref(altq->qid);
699 free(altq, M_PFALTQ);
701 TAILQ_INIT(V_pf_altqs_inactive);
702 V_altqs_inactive_open = 0;
707 pf_commit_altq(u_int32_t ticket)
709 struct pf_altqqueue *old_altqs, *old_altq_ifs;
710 struct pf_altq *altq, *tmp;
715 if (!V_altqs_inactive_open || ticket != V_ticket_altqs_inactive)
718 /* swap altqs, keep the old. */
719 old_altqs = V_pf_altqs_active;
720 old_altq_ifs = V_pf_altq_ifs_active;
721 V_pf_altqs_active = V_pf_altqs_inactive;
722 V_pf_altq_ifs_active = V_pf_altq_ifs_inactive;
723 V_pf_altqs_inactive = old_altqs;
724 V_pf_altq_ifs_inactive = old_altq_ifs;
725 V_ticket_altqs_active = V_ticket_altqs_inactive;
727 /* Attach new disciplines */
728 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
729 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
730 /* attach the discipline */
731 error = altq_pfattach(altq);
732 if (error == 0 && V_pf_altq_running)
733 error = pf_enable_altq(altq);
739 /* Purge the old altq lists */
740 TAILQ_FOREACH_SAFE(altq, V_pf_altq_ifs_inactive, entries, tmp) {
741 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
742 /* detach and destroy the discipline */
743 if (V_pf_altq_running)
744 error = pf_disable_altq(altq);
745 err = altq_pfdetach(altq);
746 if (err != 0 && error == 0)
748 err = altq_remove(altq);
749 if (err != 0 && error == 0)
752 free(altq, M_PFALTQ);
754 TAILQ_INIT(V_pf_altq_ifs_inactive);
755 TAILQ_FOREACH_SAFE(altq, V_pf_altqs_inactive, entries, tmp) {
756 pf_qid_unref(altq->qid);
757 free(altq, M_PFALTQ);
759 TAILQ_INIT(V_pf_altqs_inactive);
761 V_altqs_inactive_open = 0;
766 pf_enable_altq(struct pf_altq *altq)
769 struct tb_profile tb;
772 if ((ifp = ifunit(altq->ifname)) == NULL)
775 if (ifp->if_snd.altq_type != ALTQT_NONE)
776 error = altq_enable(&ifp->if_snd);
778 /* set tokenbucket regulator */
779 if (error == 0 && ifp != NULL && ALTQ_IS_ENABLED(&ifp->if_snd)) {
780 tb.rate = altq->ifbandwidth;
781 tb.depth = altq->tbrsize;
782 error = tbr_set(&ifp->if_snd, &tb);
789 pf_disable_altq(struct pf_altq *altq)
792 struct tb_profile tb;
795 if ((ifp = ifunit(altq->ifname)) == NULL)
799 * when the discipline is no longer referenced, it was overridden
800 * by a new one. if so, just return.
802 if (altq->altq_disc != ifp->if_snd.altq_disc)
805 error = altq_disable(&ifp->if_snd);
808 /* clear tokenbucket regulator */
810 error = tbr_set(&ifp->if_snd, &tb);
817 pf_altq_ifnet_event_add(struct ifnet *ifp, int remove, u_int32_t ticket,
818 struct pf_altq *altq)
823 /* Deactivate the interface in question */
824 altq->local_flags &= ~PFALTQ_FLAG_IF_REMOVED;
825 if ((ifp1 = ifunit(altq->ifname)) == NULL ||
826 (remove && ifp1 == ifp)) {
827 altq->local_flags |= PFALTQ_FLAG_IF_REMOVED;
829 error = altq_add(ifp1, altq);
831 if (ticket != V_ticket_altqs_inactive)
835 free(altq, M_PFALTQ);
842 pf_altq_ifnet_event(struct ifnet *ifp, int remove)
844 struct pf_altq *a1, *a2, *a3;
849 * No need to re-evaluate the configuration for events on interfaces
850 * that do not support ALTQ, as it's not possible for such
851 * interfaces to be part of the configuration.
853 if (!ALTQ_IS_READY(&ifp->if_snd))
856 /* Interrupt userland queue modifications */
857 if (V_altqs_inactive_open)
858 pf_rollback_altq(V_ticket_altqs_inactive);
860 /* Start new altq ruleset */
861 if (pf_begin_altq(&ticket))
864 /* Copy the current active set */
865 TAILQ_FOREACH(a1, V_pf_altq_ifs_active, entries) {
866 a2 = malloc(sizeof(*a2), M_PFALTQ, M_NOWAIT);
871 bcopy(a1, a2, sizeof(struct pf_altq));
873 error = pf_altq_ifnet_event_add(ifp, remove, ticket, a2);
877 TAILQ_INSERT_TAIL(V_pf_altq_ifs_inactive, a2, entries);
881 TAILQ_FOREACH(a1, V_pf_altqs_active, entries) {
882 a2 = malloc(sizeof(*a2), M_PFALTQ, M_NOWAIT);
887 bcopy(a1, a2, sizeof(struct pf_altq));
889 if ((a2->qid = pf_qname2qid(a2->qname)) == 0) {
894 a2->altq_disc = NULL;
895 TAILQ_FOREACH(a3, V_pf_altq_ifs_inactive, entries) {
896 if (strncmp(a3->ifname, a2->ifname,
898 a2->altq_disc = a3->altq_disc;
902 error = pf_altq_ifnet_event_add(ifp, remove, ticket, a2);
906 TAILQ_INSERT_TAIL(V_pf_altqs_inactive, a2, entries);
911 pf_rollback_altq(ticket);
913 pf_commit_altq(ticket);
918 pf_begin_rules(u_int32_t *ticket, int rs_num, const char *anchor)
920 struct pf_kruleset *rs;
921 struct pf_krule *rule;
925 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
927 rs = pf_find_or_create_kruleset(anchor);
930 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
931 pf_unlink_rule(rs->rules[rs_num].inactive.ptr, rule);
932 rs->rules[rs_num].inactive.rcount--;
934 *ticket = ++rs->rules[rs_num].inactive.ticket;
935 rs->rules[rs_num].inactive.open = 1;
940 pf_rollback_rules(u_int32_t ticket, int rs_num, char *anchor)
942 struct pf_kruleset *rs;
943 struct pf_krule *rule;
947 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
949 rs = pf_find_kruleset(anchor);
950 if (rs == NULL || !rs->rules[rs_num].inactive.open ||
951 rs->rules[rs_num].inactive.ticket != ticket)
953 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
954 pf_unlink_rule(rs->rules[rs_num].inactive.ptr, rule);
955 rs->rules[rs_num].inactive.rcount--;
957 rs->rules[rs_num].inactive.open = 0;
961 #define PF_MD5_UPD(st, elm) \
962 MD5Update(ctx, (u_int8_t *) &(st)->elm, sizeof((st)->elm))
964 #define PF_MD5_UPD_STR(st, elm) \
965 MD5Update(ctx, (u_int8_t *) (st)->elm, strlen((st)->elm))
967 #define PF_MD5_UPD_HTONL(st, elm, stor) do { \
968 (stor) = htonl((st)->elm); \
969 MD5Update(ctx, (u_int8_t *) &(stor), sizeof(u_int32_t));\
972 #define PF_MD5_UPD_HTONS(st, elm, stor) do { \
973 (stor) = htons((st)->elm); \
974 MD5Update(ctx, (u_int8_t *) &(stor), sizeof(u_int16_t));\
978 pf_hash_rule_addr(MD5_CTX *ctx, struct pf_rule_addr *pfr)
980 PF_MD5_UPD(pfr, addr.type);
981 switch (pfr->addr.type) {
982 case PF_ADDR_DYNIFTL:
983 PF_MD5_UPD(pfr, addr.v.ifname);
984 PF_MD5_UPD(pfr, addr.iflags);
987 PF_MD5_UPD(pfr, addr.v.tblname);
989 case PF_ADDR_ADDRMASK:
991 PF_MD5_UPD(pfr, addr.v.a.addr.addr32);
992 PF_MD5_UPD(pfr, addr.v.a.mask.addr32);
996 PF_MD5_UPD(pfr, port[0]);
997 PF_MD5_UPD(pfr, port[1]);
998 PF_MD5_UPD(pfr, neg);
999 PF_MD5_UPD(pfr, port_op);
1003 pf_hash_rule(MD5_CTX *ctx, struct pf_krule *rule)
1008 pf_hash_rule_addr(ctx, &rule->src);
1009 pf_hash_rule_addr(ctx, &rule->dst);
1010 for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++)
1011 PF_MD5_UPD_STR(rule, label[i]);
1012 PF_MD5_UPD_STR(rule, ifname);
1013 PF_MD5_UPD_STR(rule, match_tagname);
1014 PF_MD5_UPD_HTONS(rule, match_tag, x); /* dup? */
1015 PF_MD5_UPD_HTONL(rule, os_fingerprint, y);
1016 PF_MD5_UPD_HTONL(rule, prob, y);
1017 PF_MD5_UPD_HTONL(rule, uid.uid[0], y);
1018 PF_MD5_UPD_HTONL(rule, uid.uid[1], y);
1019 PF_MD5_UPD(rule, uid.op);
1020 PF_MD5_UPD_HTONL(rule, gid.gid[0], y);
1021 PF_MD5_UPD_HTONL(rule, gid.gid[1], y);
1022 PF_MD5_UPD(rule, gid.op);
1023 PF_MD5_UPD_HTONL(rule, rule_flag, y);
1024 PF_MD5_UPD(rule, action);
1025 PF_MD5_UPD(rule, direction);
1026 PF_MD5_UPD(rule, af);
1027 PF_MD5_UPD(rule, quick);
1028 PF_MD5_UPD(rule, ifnot);
1029 PF_MD5_UPD(rule, match_tag_not);
1030 PF_MD5_UPD(rule, natpass);
1031 PF_MD5_UPD(rule, keep_state);
1032 PF_MD5_UPD(rule, proto);
1033 PF_MD5_UPD(rule, type);
1034 PF_MD5_UPD(rule, code);
1035 PF_MD5_UPD(rule, flags);
1036 PF_MD5_UPD(rule, flagset);
1037 PF_MD5_UPD(rule, allow_opts);
1038 PF_MD5_UPD(rule, rt);
1039 PF_MD5_UPD(rule, tos);
1043 pf_krule_compare(struct pf_krule *a, struct pf_krule *b)
1046 u_int8_t digest[2][PF_MD5_DIGEST_LENGTH];
1050 pf_hash_rule(&ctx[0], a);
1051 pf_hash_rule(&ctx[1], b);
1052 MD5Final(digest[0], &ctx[0]);
1053 MD5Final(digest[1], &ctx[1]);
1055 return (memcmp(digest[0], digest[1], PF_MD5_DIGEST_LENGTH) == 0);
1059 pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor)
1061 struct pf_kruleset *rs;
1062 struct pf_krule *rule, **old_array, *tail;
1063 struct pf_krulequeue *old_rules;
1065 u_int32_t old_rcount;
1069 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
1071 rs = pf_find_kruleset(anchor);
1072 if (rs == NULL || !rs->rules[rs_num].inactive.open ||
1073 ticket != rs->rules[rs_num].inactive.ticket)
1076 /* Calculate checksum for the main ruleset */
1077 if (rs == &pf_main_ruleset) {
1078 error = pf_setup_pfsync_matching(rs);
1083 /* Swap rules, keep the old. */
1084 old_rules = rs->rules[rs_num].active.ptr;
1085 old_rcount = rs->rules[rs_num].active.rcount;
1086 old_array = rs->rules[rs_num].active.ptr_array;
1088 rs->rules[rs_num].active.ptr =
1089 rs->rules[rs_num].inactive.ptr;
1090 rs->rules[rs_num].active.ptr_array =
1091 rs->rules[rs_num].inactive.ptr_array;
1092 rs->rules[rs_num].active.rcount =
1093 rs->rules[rs_num].inactive.rcount;
1095 /* Attempt to preserve counter information. */
1096 if (V_pf_status.keep_counters) {
1097 TAILQ_FOREACH(rule, rs->rules[rs_num].active.ptr,
1099 tail = TAILQ_FIRST(old_rules);
1100 while ((tail != NULL) && ! pf_krule_compare(tail, rule))
1101 tail = TAILQ_NEXT(tail, entries);
1103 counter_u64_add(rule->evaluations,
1104 counter_u64_fetch(tail->evaluations));
1105 counter_u64_add(rule->packets[0],
1106 counter_u64_fetch(tail->packets[0]));
1107 counter_u64_add(rule->packets[1],
1108 counter_u64_fetch(tail->packets[1]));
1109 counter_u64_add(rule->bytes[0],
1110 counter_u64_fetch(tail->bytes[0]));
1111 counter_u64_add(rule->bytes[1],
1112 counter_u64_fetch(tail->bytes[1]));
1117 rs->rules[rs_num].inactive.ptr = old_rules;
1118 rs->rules[rs_num].inactive.ptr_array = old_array;
1119 rs->rules[rs_num].inactive.rcount = old_rcount;
1121 rs->rules[rs_num].active.ticket =
1122 rs->rules[rs_num].inactive.ticket;
1123 pf_calc_skip_steps(rs->rules[rs_num].active.ptr);
1125 /* Purge the old rule list. */
1126 while ((rule = TAILQ_FIRST(old_rules)) != NULL)
1127 pf_unlink_rule(old_rules, rule);
1128 if (rs->rules[rs_num].inactive.ptr_array)
1129 free(rs->rules[rs_num].inactive.ptr_array, M_TEMP);
1130 rs->rules[rs_num].inactive.ptr_array = NULL;
1131 rs->rules[rs_num].inactive.rcount = 0;
1132 rs->rules[rs_num].inactive.open = 0;
1133 pf_remove_if_empty_kruleset(rs);
1139 pf_setup_pfsync_matching(struct pf_kruleset *rs)
1142 struct pf_krule *rule;
1144 u_int8_t digest[PF_MD5_DIGEST_LENGTH];
1147 for (rs_cnt = 0; rs_cnt < PF_RULESET_MAX; rs_cnt++) {
1148 /* XXX PF_RULESET_SCRUB as well? */
1149 if (rs_cnt == PF_RULESET_SCRUB)
1152 if (rs->rules[rs_cnt].inactive.ptr_array)
1153 free(rs->rules[rs_cnt].inactive.ptr_array, M_TEMP);
1154 rs->rules[rs_cnt].inactive.ptr_array = NULL;
1156 if (rs->rules[rs_cnt].inactive.rcount) {
1157 rs->rules[rs_cnt].inactive.ptr_array =
1158 malloc(sizeof(caddr_t) *
1159 rs->rules[rs_cnt].inactive.rcount,
1162 if (!rs->rules[rs_cnt].inactive.ptr_array)
1166 TAILQ_FOREACH(rule, rs->rules[rs_cnt].inactive.ptr,
1168 pf_hash_rule(&ctx, rule);
1169 (rs->rules[rs_cnt].inactive.ptr_array)[rule->nr] = rule;
1173 MD5Final(digest, &ctx);
1174 memcpy(V_pf_status.pf_chksum, digest, sizeof(V_pf_status.pf_chksum));
1179 pf_addr_setup(struct pf_kruleset *ruleset, struct pf_addr_wrap *addr,
1184 switch (addr->type) {
1186 addr->p.tbl = pfr_attach_table(ruleset, addr->v.tblname);
1187 if (addr->p.tbl == NULL)
1190 case PF_ADDR_DYNIFTL:
1191 error = pfi_dynaddr_setup(addr, af);
1199 pf_addr_copyout(struct pf_addr_wrap *addr)
1202 switch (addr->type) {
1203 case PF_ADDR_DYNIFTL:
1204 pfi_dynaddr_copyout(addr);
1207 pf_tbladdr_copyout(addr);
1213 pf_src_node_copy(const struct pf_ksrc_node *in, struct pf_src_node *out)
1215 int secs = time_uptime, diff;
1217 bzero(out, sizeof(struct pf_src_node));
1219 bcopy(&in->addr, &out->addr, sizeof(struct pf_addr));
1220 bcopy(&in->raddr, &out->raddr, sizeof(struct pf_addr));
1222 if (in->rule.ptr != NULL)
1223 out->rule.nr = in->rule.ptr->nr;
1225 for (int i = 0; i < 2; i++) {
1226 out->bytes[i] = counter_u64_fetch(in->bytes[i]);
1227 out->packets[i] = counter_u64_fetch(in->packets[i]);
1230 out->states = in->states;
1231 out->conn = in->conn;
1233 out->ruletype = in->ruletype;
1235 out->creation = secs - in->creation;
1236 if (out->expire > secs)
1237 out->expire -= secs;
1241 /* Adjust the connection rate estimate. */
1242 diff = secs - in->conn_rate.last;
1243 if (diff >= in->conn_rate.seconds)
1244 out->conn_rate.count = 0;
1246 out->conn_rate.count -=
1247 in->conn_rate.count * diff /
1248 in->conn_rate.seconds;
1253 * Handle export of struct pf_kaltq to user binaries that may be using any
1254 * version of struct pf_altq.
1257 pf_export_kaltq(struct pf_altq *q, struct pfioc_altq_v1 *pa, size_t ioc_size)
1261 if (ioc_size == sizeof(struct pfioc_altq_v0))
1264 version = pa->version;
1266 if (version > PFIOC_ALTQ_VERSION)
1269 #define ASSIGN(x) exported_q->x = q->x
1271 bcopy(&q->x, &exported_q->x, min(sizeof(q->x), sizeof(exported_q->x)))
1272 #define SATU16(x) (u_int32_t)uqmin((x), USHRT_MAX)
1273 #define SATU32(x) (u_int32_t)uqmin((x), UINT_MAX)
1277 struct pf_altq_v0 *exported_q =
1278 &((struct pfioc_altq_v0 *)pa)->altq;
1284 exported_q->tbrsize = SATU16(q->tbrsize);
1285 exported_q->ifbandwidth = SATU32(q->ifbandwidth);
1290 exported_q->bandwidth = SATU32(q->bandwidth);
1292 ASSIGN(local_flags);
1297 if (q->scheduler == ALTQT_HFSC) {
1298 #define ASSIGN_OPT(x) exported_q->pq_u.hfsc_opts.x = q->pq_u.hfsc_opts.x
1299 #define ASSIGN_OPT_SATU32(x) exported_q->pq_u.hfsc_opts.x = \
1300 SATU32(q->pq_u.hfsc_opts.x)
1302 ASSIGN_OPT_SATU32(rtsc_m1);
1304 ASSIGN_OPT_SATU32(rtsc_m2);
1306 ASSIGN_OPT_SATU32(lssc_m1);
1308 ASSIGN_OPT_SATU32(lssc_m2);
1310 ASSIGN_OPT_SATU32(ulsc_m1);
1312 ASSIGN_OPT_SATU32(ulsc_m2);
1317 #undef ASSIGN_OPT_SATU32
1325 struct pf_altq_v1 *exported_q =
1326 &((struct pfioc_altq_v1 *)pa)->altq;
1332 ASSIGN(ifbandwidth);
1339 ASSIGN(local_flags);
1349 panic("%s: unhandled struct pfioc_altq version", __func__);
1362 * Handle import to struct pf_kaltq of struct pf_altq from user binaries
1363 * that may be using any version of it.
1366 pf_import_kaltq(struct pfioc_altq_v1 *pa, struct pf_altq *q, size_t ioc_size)
1370 if (ioc_size == sizeof(struct pfioc_altq_v0))
1373 version = pa->version;
1375 if (version > PFIOC_ALTQ_VERSION)
1378 #define ASSIGN(x) q->x = imported_q->x
1380 bcopy(&imported_q->x, &q->x, min(sizeof(imported_q->x), sizeof(q->x)))
1384 struct pf_altq_v0 *imported_q =
1385 &((struct pfioc_altq_v0 *)pa)->altq;
1390 ASSIGN(tbrsize); /* 16-bit -> 32-bit */
1391 ASSIGN(ifbandwidth); /* 32-bit -> 64-bit */
1396 ASSIGN(bandwidth); /* 32-bit -> 64-bit */
1398 ASSIGN(local_flags);
1403 if (imported_q->scheduler == ALTQT_HFSC) {
1404 #define ASSIGN_OPT(x) q->pq_u.hfsc_opts.x = imported_q->pq_u.hfsc_opts.x
1407 * The m1 and m2 parameters are being copied from
1410 ASSIGN_OPT(rtsc_m1);
1412 ASSIGN_OPT(rtsc_m2);
1414 ASSIGN_OPT(lssc_m1);
1416 ASSIGN_OPT(lssc_m2);
1418 ASSIGN_OPT(ulsc_m1);
1420 ASSIGN_OPT(ulsc_m2);
1432 struct pf_altq_v1 *imported_q =
1433 &((struct pfioc_altq_v1 *)pa)->altq;
1439 ASSIGN(ifbandwidth);
1446 ASSIGN(local_flags);
1456 panic("%s: unhandled struct pfioc_altq version", __func__);
1466 static struct pf_altq *
1467 pf_altq_get_nth_active(u_int32_t n)
1469 struct pf_altq *altq;
1473 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
1479 TAILQ_FOREACH(altq, V_pf_altqs_active, entries) {
1490 pf_krule_free(struct pf_krule *rule)
1495 counter_u64_free(rule->evaluations);
1496 for (int i = 0; i < 2; i++) {
1497 counter_u64_free(rule->packets[i]);
1498 counter_u64_free(rule->bytes[i]);
1500 counter_u64_free(rule->states_cur);
1501 counter_u64_free(rule->states_tot);
1502 counter_u64_free(rule->src_nodes);
1503 free(rule, M_PFRULE);
1507 pf_kpooladdr_to_pooladdr(const struct pf_kpooladdr *kpool,
1508 struct pf_pooladdr *pool)
1511 bzero(pool, sizeof(*pool));
1512 bcopy(&kpool->addr, &pool->addr, sizeof(pool->addr));
1513 strlcpy(pool->ifname, kpool->ifname, sizeof(pool->ifname));
1517 pf_pooladdr_to_kpooladdr(const struct pf_pooladdr *pool,
1518 struct pf_kpooladdr *kpool)
1521 bzero(kpool, sizeof(*kpool));
1522 bcopy(&pool->addr, &kpool->addr, sizeof(kpool->addr));
1523 strlcpy(kpool->ifname, pool->ifname, sizeof(kpool->ifname));
1527 pf_kpool_to_pool(const struct pf_kpool *kpool, struct pf_pool *pool)
1529 bzero(pool, sizeof(*pool));
1531 bcopy(&kpool->key, &pool->key, sizeof(pool->key));
1532 bcopy(&kpool->counter, &pool->counter, sizeof(pool->counter));
1534 pool->tblidx = kpool->tblidx;
1535 pool->proxy_port[0] = kpool->proxy_port[0];
1536 pool->proxy_port[1] = kpool->proxy_port[1];
1537 pool->opts = kpool->opts;
1541 pf_pool_to_kpool(const struct pf_pool *pool, struct pf_kpool *kpool)
1543 _Static_assert(sizeof(pool->key) == sizeof(kpool->key), "");
1544 _Static_assert(sizeof(pool->counter) == sizeof(kpool->counter), "");
1546 bzero(kpool, sizeof(*kpool));
1548 bcopy(&pool->key, &kpool->key, sizeof(kpool->key));
1549 bcopy(&pool->counter, &kpool->counter, sizeof(kpool->counter));
1551 kpool->tblidx = pool->tblidx;
1552 kpool->proxy_port[0] = pool->proxy_port[0];
1553 kpool->proxy_port[1] = pool->proxy_port[1];
1554 kpool->opts = pool->opts;
1560 pf_krule_to_rule(const struct pf_krule *krule, struct pf_rule *rule)
1563 bzero(rule, sizeof(*rule));
1565 bcopy(&krule->src, &rule->src, sizeof(rule->src));
1566 bcopy(&krule->dst, &rule->dst, sizeof(rule->dst));
1568 for (int i = 0; i < PF_SKIP_COUNT; ++i) {
1569 if (rule->skip[i].ptr == NULL)
1570 rule->skip[i].nr = -1;
1572 rule->skip[i].nr = krule->skip[i].ptr->nr;
1575 strlcpy(rule->label, krule->label[0], sizeof(rule->label));
1576 strlcpy(rule->ifname, krule->ifname, sizeof(rule->ifname));
1577 strlcpy(rule->qname, krule->qname, sizeof(rule->qname));
1578 strlcpy(rule->pqname, krule->pqname, sizeof(rule->pqname));
1579 strlcpy(rule->tagname, krule->tagname, sizeof(rule->tagname));
1580 strlcpy(rule->match_tagname, krule->match_tagname,
1581 sizeof(rule->match_tagname));
1582 strlcpy(rule->overload_tblname, krule->overload_tblname,
1583 sizeof(rule->overload_tblname));
1585 pf_kpool_to_pool(&krule->rpool, &rule->rpool);
1587 rule->evaluations = counter_u64_fetch(krule->evaluations);
1588 for (int i = 0; i < 2; i++) {
1589 rule->packets[i] = counter_u64_fetch(krule->packets[i]);
1590 rule->bytes[i] = counter_u64_fetch(krule->bytes[i]);
1593 /* kif, anchor, overload_tbl are not copied over. */
1595 rule->os_fingerprint = krule->os_fingerprint;
1597 rule->rtableid = krule->rtableid;
1598 bcopy(krule->timeout, rule->timeout, sizeof(krule->timeout));
1599 rule->max_states = krule->max_states;
1600 rule->max_src_nodes = krule->max_src_nodes;
1601 rule->max_src_states = krule->max_src_states;
1602 rule->max_src_conn = krule->max_src_conn;
1603 rule->max_src_conn_rate.limit = krule->max_src_conn_rate.limit;
1604 rule->max_src_conn_rate.seconds = krule->max_src_conn_rate.seconds;
1605 rule->qid = krule->qid;
1606 rule->pqid = krule->pqid;
1607 rule->nr = krule->nr;
1608 rule->prob = krule->prob;
1609 rule->cuid = krule->cuid;
1610 rule->cpid = krule->cpid;
1612 rule->return_icmp = krule->return_icmp;
1613 rule->return_icmp6 = krule->return_icmp6;
1614 rule->max_mss = krule->max_mss;
1615 rule->tag = krule->tag;
1616 rule->match_tag = krule->match_tag;
1617 rule->scrub_flags = krule->scrub_flags;
1619 bcopy(&krule->uid, &rule->uid, sizeof(krule->uid));
1620 bcopy(&krule->gid, &rule->gid, sizeof(krule->gid));
1622 rule->rule_flag = krule->rule_flag;
1623 rule->action = krule->action;
1624 rule->direction = krule->direction;
1625 rule->log = krule->log;
1626 rule->logif = krule->logif;
1627 rule->quick = krule->quick;
1628 rule->ifnot = krule->ifnot;
1629 rule->match_tag_not = krule->match_tag_not;
1630 rule->natpass = krule->natpass;
1632 rule->keep_state = krule->keep_state;
1633 rule->af = krule->af;
1634 rule->proto = krule->proto;
1635 rule->type = krule->type;
1636 rule->code = krule->code;
1637 rule->flags = krule->flags;
1638 rule->flagset = krule->flagset;
1639 rule->min_ttl = krule->min_ttl;
1640 rule->allow_opts = krule->allow_opts;
1641 rule->rt = krule->rt;
1642 rule->return_ttl = krule->return_ttl;
1643 rule->tos = krule->tos;
1644 rule->set_tos = krule->set_tos;
1645 rule->anchor_relative = krule->anchor_relative;
1646 rule->anchor_wildcard = krule->anchor_wildcard;
1648 rule->flush = krule->flush;
1649 rule->prio = krule->prio;
1650 rule->set_prio[0] = krule->set_prio[0];
1651 rule->set_prio[1] = krule->set_prio[1];
1653 bcopy(&krule->divert, &rule->divert, sizeof(krule->divert));
1655 rule->u_states_cur = counter_u64_fetch(krule->states_cur);
1656 rule->u_states_tot = counter_u64_fetch(krule->states_tot);
1657 rule->u_src_nodes = counter_u64_fetch(krule->src_nodes);
1661 pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule)
1666 if (rule->af == AF_INET) {
1667 return (EAFNOSUPPORT);
1671 if (rule->af == AF_INET6) {
1672 return (EAFNOSUPPORT);
1676 ret = pf_check_rule_addr(&rule->src);
1679 ret = pf_check_rule_addr(&rule->dst);
1683 bzero(krule, sizeof(*krule));
1685 bcopy(&rule->src, &krule->src, sizeof(rule->src));
1686 bcopy(&rule->dst, &krule->dst, sizeof(rule->dst));
1688 strlcpy(krule->label[0], rule->label, sizeof(rule->label));
1689 strlcpy(krule->ifname, rule->ifname, sizeof(rule->ifname));
1690 strlcpy(krule->qname, rule->qname, sizeof(rule->qname));
1691 strlcpy(krule->pqname, rule->pqname, sizeof(rule->pqname));
1692 strlcpy(krule->tagname, rule->tagname, sizeof(rule->tagname));
1693 strlcpy(krule->match_tagname, rule->match_tagname,
1694 sizeof(rule->match_tagname));
1695 strlcpy(krule->overload_tblname, rule->overload_tblname,
1696 sizeof(rule->overload_tblname));
1698 ret = pf_pool_to_kpool(&rule->rpool, &krule->rpool);
1702 /* Don't allow userspace to set evaulations, packets or bytes. */
1703 /* kif, anchor, overload_tbl are not copied over. */
1705 krule->os_fingerprint = rule->os_fingerprint;
1707 krule->rtableid = rule->rtableid;
1708 bcopy(rule->timeout, krule->timeout, sizeof(krule->timeout));
1709 krule->max_states = rule->max_states;
1710 krule->max_src_nodes = rule->max_src_nodes;
1711 krule->max_src_states = rule->max_src_states;
1712 krule->max_src_conn = rule->max_src_conn;
1713 krule->max_src_conn_rate.limit = rule->max_src_conn_rate.limit;
1714 krule->max_src_conn_rate.seconds = rule->max_src_conn_rate.seconds;
1715 krule->qid = rule->qid;
1716 krule->pqid = rule->pqid;
1717 krule->nr = rule->nr;
1718 krule->prob = rule->prob;
1719 krule->cuid = rule->cuid;
1720 krule->cpid = rule->cpid;
1722 krule->return_icmp = rule->return_icmp;
1723 krule->return_icmp6 = rule->return_icmp6;
1724 krule->max_mss = rule->max_mss;
1725 krule->tag = rule->tag;
1726 krule->match_tag = rule->match_tag;
1727 krule->scrub_flags = rule->scrub_flags;
1729 bcopy(&rule->uid, &krule->uid, sizeof(krule->uid));
1730 bcopy(&rule->gid, &krule->gid, sizeof(krule->gid));
1732 krule->rule_flag = rule->rule_flag;
1733 krule->action = rule->action;
1734 krule->direction = rule->direction;
1735 krule->log = rule->log;
1736 krule->logif = rule->logif;
1737 krule->quick = rule->quick;
1738 krule->ifnot = rule->ifnot;
1739 krule->match_tag_not = rule->match_tag_not;
1740 krule->natpass = rule->natpass;
1742 krule->keep_state = rule->keep_state;
1743 krule->af = rule->af;
1744 krule->proto = rule->proto;
1745 krule->type = rule->type;
1746 krule->code = rule->code;
1747 krule->flags = rule->flags;
1748 krule->flagset = rule->flagset;
1749 krule->min_ttl = rule->min_ttl;
1750 krule->allow_opts = rule->allow_opts;
1751 krule->rt = rule->rt;
1752 krule->return_ttl = rule->return_ttl;
1753 krule->tos = rule->tos;
1754 krule->set_tos = rule->set_tos;
1755 krule->anchor_relative = rule->anchor_relative;
1756 krule->anchor_wildcard = rule->anchor_wildcard;
1758 krule->flush = rule->flush;
1759 krule->prio = rule->prio;
1760 krule->set_prio[0] = rule->set_prio[0];
1761 krule->set_prio[1] = rule->set_prio[1];
1763 bcopy(&rule->divert, &krule->divert, sizeof(krule->divert));
1769 pf_state_kill_to_kstate_kill(const struct pfioc_state_kill *psk,
1770 struct pf_kstate_kill *kill)
1772 bzero(kill, sizeof(*kill));
1774 bcopy(&psk->psk_pfcmp, &kill->psk_pfcmp, sizeof(kill->psk_pfcmp));
1775 kill->psk_af = psk->psk_af;
1776 kill->psk_proto = psk->psk_proto;
1777 bcopy(&psk->psk_src, &kill->psk_src, sizeof(kill->psk_src));
1778 bcopy(&psk->psk_dst, &kill->psk_dst, sizeof(kill->psk_dst));
1779 strlcpy(kill->psk_ifname, psk->psk_ifname, sizeof(kill->psk_ifname));
1780 strlcpy(kill->psk_label, psk->psk_label, sizeof(kill->psk_label));
1786 pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
1787 uint32_t pool_ticket, const char *anchor, const char *anchor_call,
1790 struct pf_kruleset *ruleset;
1791 struct pf_krule *tail;
1792 struct pf_kpooladdr *pa;
1793 struct pfi_kkif *kif = NULL;
1797 if ((rule->return_icmp >> 8) > ICMP_MAXTYPE) {
1799 goto errout_unlocked;
1802 #define ERROUT(x) ERROUT_FUNCTION(errout, x)
1804 if (rule->ifname[0])
1805 kif = pf_kkif_create(M_WAITOK);
1806 rule->evaluations = counter_u64_alloc(M_WAITOK);
1807 for (int i = 0; i < 2; i++) {
1808 rule->packets[i] = counter_u64_alloc(M_WAITOK);
1809 rule->bytes[i] = counter_u64_alloc(M_WAITOK);
1811 rule->states_cur = counter_u64_alloc(M_WAITOK);
1812 rule->states_tot = counter_u64_alloc(M_WAITOK);
1813 rule->src_nodes = counter_u64_alloc(M_WAITOK);
1814 rule->cuid = td->td_ucred->cr_ruid;
1815 rule->cpid = td->td_proc ? td->td_proc->p_pid : 0;
1816 TAILQ_INIT(&rule->rpool.list);
1819 ruleset = pf_find_kruleset(anchor);
1820 if (ruleset == NULL)
1822 rs_num = pf_get_ruleset_number(rule->action);
1823 if (rs_num >= PF_RULESET_MAX)
1825 if (ticket != ruleset->rules[rs_num].inactive.ticket) {
1826 DPFPRINTF(PF_DEBUG_MISC,
1827 ("ticket: %d != [%d]%d\n", ticket, rs_num,
1828 ruleset->rules[rs_num].inactive.ticket));
1831 if (pool_ticket != V_ticket_pabuf) {
1832 DPFPRINTF(PF_DEBUG_MISC,
1833 ("pool_ticket: %d != %d\n", pool_ticket,
1838 tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
1841 rule->nr = tail->nr + 1;
1844 if (rule->ifname[0]) {
1845 rule->kif = pfi_kkif_attach(kif, rule->ifname);
1847 pfi_kkif_ref(rule->kif);
1851 if (rule->rtableid > 0 && rule->rtableid >= rt_numfibs)
1856 if (rule->qname[0] != 0) {
1857 if ((rule->qid = pf_qname2qid(rule->qname)) == 0)
1859 else if (rule->pqname[0] != 0) {
1861 pf_qname2qid(rule->pqname)) == 0)
1864 rule->pqid = rule->qid;
1867 if (rule->tagname[0])
1868 if ((rule->tag = pf_tagname2tag(rule->tagname)) == 0)
1870 if (rule->match_tagname[0])
1871 if ((rule->match_tag =
1872 pf_tagname2tag(rule->match_tagname)) == 0)
1874 if (rule->rt && !rule->direction)
1878 if (rule->logif >= PFLOGIFS_MAX)
1880 if (pf_addr_setup(ruleset, &rule->src.addr, rule->af))
1882 if (pf_addr_setup(ruleset, &rule->dst.addr, rule->af))
1884 if (pf_kanchor_setup(rule, ruleset, anchor_call))
1886 if (rule->scrub_flags & PFSTATE_SETPRIO &&
1887 (rule->set_prio[0] > PF_PRIO_MAX ||
1888 rule->set_prio[1] > PF_PRIO_MAX))
1890 TAILQ_FOREACH(pa, &V_pf_pabuf, entries)
1891 if (pa->addr.type == PF_ADDR_TABLE) {
1892 pa->addr.p.tbl = pfr_attach_table(ruleset,
1893 pa->addr.v.tblname);
1894 if (pa->addr.p.tbl == NULL)
1898 rule->overload_tbl = NULL;
1899 if (rule->overload_tblname[0]) {
1900 if ((rule->overload_tbl = pfr_attach_table(ruleset,
1901 rule->overload_tblname)) == NULL)
1904 rule->overload_tbl->pfrkt_flags |=
1908 pf_mv_kpool(&V_pf_pabuf, &rule->rpool.list);
1909 if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) ||
1910 (rule->action == PF_BINAT)) && rule->anchor == NULL) ||
1911 (rule->rt > PF_NOPFROUTE)) &&
1912 (TAILQ_FIRST(&rule->rpool.list) == NULL))
1921 rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list);
1922 counter_u64_zero(rule->evaluations);
1923 for (int i = 0; i < 2; i++) {
1924 counter_u64_zero(rule->packets[i]);
1925 counter_u64_zero(rule->bytes[i]);
1927 TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr,
1929 ruleset->rules[rs_num].inactive.rcount++;
1939 pf_krule_free(rule);
1944 pf_label_match(const struct pf_krule *rule, const char *label)
1948 while (*rule->label[i]) {
1949 if (strcmp(rule->label[i], label) == 0)
1958 pf_kill_matching_state(struct pf_state_key_cmp *key, int dir)
1960 struct pf_kstate *match;
1962 unsigned int killed = 0;
1964 /* Call with unlocked hashrow */
1966 match = pf_find_state_all(key, dir, &more);
1967 if (match && !more) {
1968 pf_unlink_state(match, 0);
1976 pf_killstates_row(struct pf_kstate_kill *psk, struct pf_idhash *ih)
1978 struct pf_kstate *s;
1979 struct pf_state_key *sk;
1980 struct pf_addr *srcaddr, *dstaddr;
1981 struct pf_state_key_cmp match_key;
1982 int idx, killed = 0;
1984 u_int16_t srcport, dstport;
1985 struct pfi_kkif *kif;
1987 relock_DIOCKILLSTATES:
1988 PF_HASHROW_LOCK(ih);
1989 LIST_FOREACH(s, &ih->states, entry) {
1990 /* For floating states look at the original kif. */
1991 kif = s->kif == V_pfi_all ? s->orig_kif : s->kif;
1993 sk = s->key[PF_SK_WIRE];
1994 if (s->direction == PF_OUT) {
1995 srcaddr = &sk->addr[1];
1996 dstaddr = &sk->addr[0];
1997 srcport = sk->port[1];
1998 dstport = sk->port[0];
2000 srcaddr = &sk->addr[0];
2001 dstaddr = &sk->addr[1];
2002 srcport = sk->port[0];
2003 dstport = sk->port[1];
2006 if (psk->psk_af && sk->af != psk->psk_af)
2009 if (psk->psk_proto && psk->psk_proto != sk->proto)
2012 if (! PF_MATCHA(psk->psk_src.neg, &psk->psk_src.addr.v.a.addr,
2013 &psk->psk_src.addr.v.a.mask, srcaddr, sk->af))
2016 if (! PF_MATCHA(psk->psk_dst.neg, &psk->psk_dst.addr.v.a.addr,
2017 &psk->psk_dst.addr.v.a.mask, dstaddr, sk->af))
2020 if (! PF_MATCHA(psk->psk_rt_addr.neg,
2021 &psk->psk_rt_addr.addr.v.a.addr,
2022 &psk->psk_rt_addr.addr.v.a.mask,
2023 &s->rt_addr, sk->af))
2026 if (psk->psk_src.port_op != 0 &&
2027 ! pf_match_port(psk->psk_src.port_op,
2028 psk->psk_src.port[0], psk->psk_src.port[1], srcport))
2031 if (psk->psk_dst.port_op != 0 &&
2032 ! pf_match_port(psk->psk_dst.port_op,
2033 psk->psk_dst.port[0], psk->psk_dst.port[1], dstport))
2036 if (psk->psk_label[0] &&
2037 ! pf_label_match(s->rule.ptr, psk->psk_label))
2040 if (psk->psk_ifname[0] && strcmp(psk->psk_ifname,
2044 if (psk->psk_kill_match) {
2045 /* Create the key to find matching states, with lock
2048 bzero(&match_key, sizeof(match_key));
2050 if (s->direction == PF_OUT) {
2058 match_key.af = s->key[idx]->af;
2059 match_key.proto = s->key[idx]->proto;
2060 PF_ACPY(&match_key.addr[0],
2061 &s->key[idx]->addr[1], match_key.af);
2062 match_key.port[0] = s->key[idx]->port[1];
2063 PF_ACPY(&match_key.addr[1],
2064 &s->key[idx]->addr[0], match_key.af);
2065 match_key.port[1] = s->key[idx]->port[0];
2068 pf_unlink_state(s, PF_ENTER_LOCKED);
2071 if (psk->psk_kill_match)
2072 killed += pf_kill_matching_state(&match_key, dir);
2074 goto relock_DIOCKILLSTATES;
2076 PF_HASHROW_UNLOCK(ih);
2082 pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td)
2085 PF_RULES_RLOCK_TRACKER;
2087 #define ERROUT_IOCTL(target, x) \
2090 SDT_PROBE3(pf, ioctl, ioctl, error, cmd, error, __LINE__); \
2095 /* XXX keep in sync with switch() below */
2096 if (securelevel_gt(td->td_ucred, 2))
2104 case DIOCGETSTATENV:
2105 case DIOCSETSTATUSIF:
2111 case DIOCGETSTATESNV:
2112 case DIOCGETTIMEOUT:
2113 case DIOCCLRRULECTRS:
2115 case DIOCGETALTQSV0:
2116 case DIOCGETALTQSV1:
2119 case DIOCGETQSTATSV0:
2120 case DIOCGETQSTATSV1:
2121 case DIOCGETRULESETS:
2122 case DIOCGETRULESET:
2123 case DIOCRGETTABLES:
2124 case DIOCRGETTSTATS:
2125 case DIOCRCLRTSTATS:
2131 case DIOCRGETASTATS:
2132 case DIOCRCLRASTATS:
2135 case DIOCGETSRCNODES:
2136 case DIOCCLRSRCNODES:
2137 case DIOCIGETIFACES:
2138 case DIOCGIFSPEEDV0:
2139 case DIOCGIFSPEEDV1:
2143 case DIOCRCLRTABLES:
2144 case DIOCRADDTABLES:
2145 case DIOCRDELTABLES:
2146 case DIOCRSETTFLAGS:
2147 if (((struct pfioc_table *)addr)->pfrio_flags &
2149 break; /* dummy operation ok */
2155 if (!(flags & FWRITE))
2161 case DIOCGETSTATENV:
2164 case DIOCGETSTATESNV:
2165 case DIOCGETTIMEOUT:
2167 case DIOCGETALTQSV0:
2168 case DIOCGETALTQSV1:
2171 case DIOCGETQSTATSV0:
2172 case DIOCGETQSTATSV1:
2173 case DIOCGETRULESETS:
2174 case DIOCGETRULESET:
2176 case DIOCRGETTABLES:
2177 case DIOCRGETTSTATS:
2179 case DIOCRGETASTATS:
2182 case DIOCGETSRCNODES:
2183 case DIOCIGETIFACES:
2184 case DIOCGIFSPEEDV1:
2185 case DIOCGIFSPEEDV0:
2188 case DIOCRCLRTABLES:
2189 case DIOCRADDTABLES:
2190 case DIOCRDELTABLES:
2191 case DIOCRCLRTSTATS:
2196 case DIOCRSETTFLAGS:
2197 if (((struct pfioc_table *)addr)->pfrio_flags &
2199 flags |= FWRITE; /* need write lock for dummy */
2200 break; /* dummy operation ok */
2204 if (((struct pfioc_rule *)addr)->action ==
2212 CURVNET_SET(TD_TO_VNET(td));
2216 sx_xlock(&pf_ioctl_lock);
2217 if (V_pf_status.running)
2223 V_pf_status.running = 1;
2224 V_pf_status.since = time_second;
2227 V_pf_stateid[cpu] = time_second;
2229 DPFPRINTF(PF_DEBUG_MISC, ("pf: started\n"));
2234 sx_xlock(&pf_ioctl_lock);
2235 if (!V_pf_status.running)
2238 V_pf_status.running = 0;
2240 V_pf_status.since = time_second;
2241 DPFPRINTF(PF_DEBUG_MISC, ("pf: stopped\n"));
2245 case DIOCADDRULENV: {
2246 struct pfioc_nv *nv = (struct pfioc_nv *)addr;
2247 nvlist_t *nvl = NULL;
2248 void *nvlpacked = NULL;
2249 struct pf_krule *rule = NULL;
2250 const char *anchor = "", *anchor_call = "";
2251 uint32_t ticket = 0, pool_ticket = 0;
2253 #define ERROUT(x) ERROUT_IOCTL(DIOCADDRULENV_error, x)
2255 if (nv->len > pf_ioctl_maxcount)
2258 nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
2259 error = copyin(nv->data, nvlpacked, nv->len);
2263 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
2267 if (! nvlist_exists_number(nvl, "ticket"))
2269 ticket = nvlist_get_number(nvl, "ticket");
2271 if (! nvlist_exists_number(nvl, "pool_ticket"))
2273 pool_ticket = nvlist_get_number(nvl, "pool_ticket");
2275 if (! nvlist_exists_nvlist(nvl, "rule"))
2278 rule = malloc(sizeof(*rule), M_PFRULE, M_WAITOK | M_ZERO);
2279 error = pf_nvrule_to_krule(nvlist_get_nvlist(nvl, "rule"),
2284 if (nvlist_exists_string(nvl, "anchor"))
2285 anchor = nvlist_get_string(nvl, "anchor");
2286 if (nvlist_exists_string(nvl, "anchor_call"))
2287 anchor_call = nvlist_get_string(nvl, "anchor_call");
2289 if ((error = nvlist_error(nvl)))
2292 /* Frees rule on error */
2293 error = pf_ioctl_addrule(rule, ticket, pool_ticket, anchor,
2296 nvlist_destroy(nvl);
2297 free(nvlpacked, M_TEMP);
2300 DIOCADDRULENV_error:
2301 pf_krule_free(rule);
2302 nvlist_destroy(nvl);
2303 free(nvlpacked, M_TEMP);
2308 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
2309 struct pf_krule *rule;
2311 rule = malloc(sizeof(*rule), M_PFRULE, M_WAITOK);
2312 error = pf_rule_to_krule(&pr->rule, rule);
2314 free(rule, M_PFRULE);
2318 pr->anchor[sizeof(pr->anchor) - 1] = 0;
2320 /* Frees rule on error */
2321 error = pf_ioctl_addrule(rule, pr->ticket, pr->pool_ticket,
2322 pr->anchor, pr->anchor_call, td);
2326 case DIOCGETRULES: {
2327 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
2328 struct pf_kruleset *ruleset;
2329 struct pf_krule *tail;
2333 pr->anchor[sizeof(pr->anchor) - 1] = 0;
2334 ruleset = pf_find_kruleset(pr->anchor);
2335 if (ruleset == NULL) {
2340 rs_num = pf_get_ruleset_number(pr->rule.action);
2341 if (rs_num >= PF_RULESET_MAX) {
2346 tail = TAILQ_LAST(ruleset->rules[rs_num].active.ptr,
2349 pr->nr = tail->nr + 1;
2352 pr->ticket = ruleset->rules[rs_num].active.ticket;
2358 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
2359 struct pf_kruleset *ruleset;
2360 struct pf_krule *rule;
2364 pr->anchor[sizeof(pr->anchor) - 1] = 0;
2365 ruleset = pf_find_kruleset(pr->anchor);
2366 if (ruleset == NULL) {
2371 rs_num = pf_get_ruleset_number(pr->rule.action);
2372 if (rs_num >= PF_RULESET_MAX) {
2377 if (pr->ticket != ruleset->rules[rs_num].active.ticket) {
2382 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
2383 while ((rule != NULL) && (rule->nr != pr->nr))
2384 rule = TAILQ_NEXT(rule, entries);
2391 pf_krule_to_rule(rule, &pr->rule);
2393 if (pf_kanchor_copyout(ruleset, rule, pr)) {
2398 pf_addr_copyout(&pr->rule.src.addr);
2399 pf_addr_copyout(&pr->rule.dst.addr);
2401 if (pr->action == PF_GET_CLR_CNTR) {
2402 counter_u64_zero(rule->evaluations);
2403 for (int i = 0; i < 2; i++) {
2404 counter_u64_zero(rule->packets[i]);
2405 counter_u64_zero(rule->bytes[i]);
2407 counter_u64_zero(rule->states_tot);
2413 case DIOCGETRULENV: {
2414 struct pfioc_nv *nv = (struct pfioc_nv *)addr;
2415 nvlist_t *nvrule = NULL;
2416 nvlist_t *nvl = NULL;
2417 struct pf_kruleset *ruleset;
2418 struct pf_krule *rule;
2419 void *nvlpacked = NULL;
2421 bool clear_counter = false;
2423 #define ERROUT(x) ERROUT_IOCTL(DIOCGETRULENV_error, x)
2425 if (nv->len > pf_ioctl_maxcount)
2428 /* Copy the request in */
2429 nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
2430 if (nvlpacked == NULL)
2433 error = copyin(nv->data, nvlpacked, nv->len);
2437 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
2441 if (! nvlist_exists_string(nvl, "anchor"))
2443 if (! nvlist_exists_number(nvl, "ruleset"))
2445 if (! nvlist_exists_number(nvl, "ticket"))
2447 if (! nvlist_exists_number(nvl, "nr"))
2450 if (nvlist_exists_bool(nvl, "clear_counter"))
2451 clear_counter = nvlist_get_bool(nvl, "clear_counter");
2453 if (clear_counter && !(flags & FWRITE))
2456 nr = nvlist_get_number(nvl, "nr");
2459 ruleset = pf_find_kruleset(nvlist_get_string(nvl, "anchor"));
2460 if (ruleset == NULL) {
2465 rs_num = pf_get_ruleset_number(nvlist_get_number(nvl, "ruleset"));
2466 if (rs_num >= PF_RULESET_MAX) {
2471 if (nvlist_get_number(nvl, "ticket") !=
2472 ruleset->rules[rs_num].active.ticket) {
2477 if ((error = nvlist_error(nvl))) {
2482 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
2483 while ((rule != NULL) && (rule->nr != nr))
2484 rule = TAILQ_NEXT(rule, entries);
2490 nvrule = pf_krule_to_nvrule(rule);
2492 nvlist_destroy(nvl);
2493 nvl = nvlist_create(0);
2498 nvlist_add_number(nvl, "nr", nr);
2499 nvlist_add_nvlist(nvl, "rule", nvrule);
2500 nvlist_destroy(nvrule);
2502 if (pf_kanchor_nvcopyout(ruleset, rule, nvl)) {
2507 free(nvlpacked, M_NVLIST);
2508 nvlpacked = nvlist_pack(nvl, &nv->len);
2509 if (nvlpacked == NULL) {
2514 if (nv->size == 0) {
2518 else if (nv->size < nv->len) {
2523 if (clear_counter) {
2524 counter_u64_zero(rule->evaluations);
2525 for (int i = 0; i < 2; i++) {
2526 counter_u64_zero(rule->packets[i]);
2527 counter_u64_zero(rule->bytes[i]);
2529 counter_u64_zero(rule->states_tot);
2533 error = copyout(nvlpacked, nv->data, nv->len);
2536 DIOCGETRULENV_error:
2537 free(nvlpacked, M_NVLIST);
2538 nvlist_destroy(nvrule);
2539 nvlist_destroy(nvl);
2544 case DIOCCHANGERULE: {
2545 struct pfioc_rule *pcr = (struct pfioc_rule *)addr;
2546 struct pf_kruleset *ruleset;
2547 struct pf_krule *oldrule = NULL, *newrule = NULL;
2548 struct pfi_kkif *kif = NULL;
2549 struct pf_kpooladdr *pa;
2553 if (pcr->action < PF_CHANGE_ADD_HEAD ||
2554 pcr->action > PF_CHANGE_GET_TICKET) {
2558 if (pcr->rule.return_icmp >> 8 > ICMP_MAXTYPE) {
2563 if (pcr->action != PF_CHANGE_REMOVE) {
2564 newrule = malloc(sizeof(*newrule), M_PFRULE, M_WAITOK);
2565 error = pf_rule_to_krule(&pcr->rule, newrule);
2567 free(newrule, M_PFRULE);
2571 if (newrule->ifname[0])
2572 kif = pf_kkif_create(M_WAITOK);
2573 newrule->evaluations = counter_u64_alloc(M_WAITOK);
2574 for (int i = 0; i < 2; i++) {
2575 newrule->packets[i] =
2576 counter_u64_alloc(M_WAITOK);
2578 counter_u64_alloc(M_WAITOK);
2580 newrule->states_cur = counter_u64_alloc(M_WAITOK);
2581 newrule->states_tot = counter_u64_alloc(M_WAITOK);
2582 newrule->src_nodes = counter_u64_alloc(M_WAITOK);
2583 newrule->cuid = td->td_ucred->cr_ruid;
2584 newrule->cpid = td->td_proc ? td->td_proc->p_pid : 0;
2585 TAILQ_INIT(&newrule->rpool.list);
2587 #define ERROUT(x) { error = (x); goto DIOCCHANGERULE_error; }
2590 if (!(pcr->action == PF_CHANGE_REMOVE ||
2591 pcr->action == PF_CHANGE_GET_TICKET) &&
2592 pcr->pool_ticket != V_ticket_pabuf)
2595 ruleset = pf_find_kruleset(pcr->anchor);
2596 if (ruleset == NULL)
2599 rs_num = pf_get_ruleset_number(pcr->rule.action);
2600 if (rs_num >= PF_RULESET_MAX)
2603 if (pcr->action == PF_CHANGE_GET_TICKET) {
2604 pcr->ticket = ++ruleset->rules[rs_num].active.ticket;
2606 } else if (pcr->ticket !=
2607 ruleset->rules[rs_num].active.ticket)
2610 if (pcr->action != PF_CHANGE_REMOVE) {
2611 if (newrule->ifname[0]) {
2612 newrule->kif = pfi_kkif_attach(kif,
2615 pfi_kkif_ref(newrule->kif);
2617 newrule->kif = NULL;
2619 if (newrule->rtableid > 0 &&
2620 newrule->rtableid >= rt_numfibs)
2625 if (newrule->qname[0] != 0) {
2627 pf_qname2qid(newrule->qname)) == 0)
2629 else if (newrule->pqname[0] != 0) {
2630 if ((newrule->pqid =
2631 pf_qname2qid(newrule->pqname)) == 0)
2634 newrule->pqid = newrule->qid;
2637 if (newrule->tagname[0])
2639 pf_tagname2tag(newrule->tagname)) == 0)
2641 if (newrule->match_tagname[0])
2642 if ((newrule->match_tag = pf_tagname2tag(
2643 newrule->match_tagname)) == 0)
2645 if (newrule->rt && !newrule->direction)
2649 if (newrule->logif >= PFLOGIFS_MAX)
2651 if (pf_addr_setup(ruleset, &newrule->src.addr, newrule->af))
2653 if (pf_addr_setup(ruleset, &newrule->dst.addr, newrule->af))
2655 if (pf_kanchor_setup(newrule, ruleset, pcr->anchor_call))
2657 TAILQ_FOREACH(pa, &V_pf_pabuf, entries)
2658 if (pa->addr.type == PF_ADDR_TABLE) {
2660 pfr_attach_table(ruleset,
2661 pa->addr.v.tblname);
2662 if (pa->addr.p.tbl == NULL)
2666 newrule->overload_tbl = NULL;
2667 if (newrule->overload_tblname[0]) {
2668 if ((newrule->overload_tbl = pfr_attach_table(
2669 ruleset, newrule->overload_tblname)) ==
2673 newrule->overload_tbl->pfrkt_flags |=
2677 pf_mv_kpool(&V_pf_pabuf, &newrule->rpool.list);
2678 if (((((newrule->action == PF_NAT) ||
2679 (newrule->action == PF_RDR) ||
2680 (newrule->action == PF_BINAT) ||
2681 (newrule->rt > PF_NOPFROUTE)) &&
2682 !newrule->anchor)) &&
2683 (TAILQ_FIRST(&newrule->rpool.list) == NULL))
2687 pf_free_rule(newrule);
2692 newrule->rpool.cur = TAILQ_FIRST(&newrule->rpool.list);
2694 pf_empty_kpool(&V_pf_pabuf);
2696 if (pcr->action == PF_CHANGE_ADD_HEAD)
2697 oldrule = TAILQ_FIRST(
2698 ruleset->rules[rs_num].active.ptr);
2699 else if (pcr->action == PF_CHANGE_ADD_TAIL)
2700 oldrule = TAILQ_LAST(
2701 ruleset->rules[rs_num].active.ptr, pf_krulequeue);
2703 oldrule = TAILQ_FIRST(
2704 ruleset->rules[rs_num].active.ptr);
2705 while ((oldrule != NULL) && (oldrule->nr != pcr->nr))
2706 oldrule = TAILQ_NEXT(oldrule, entries);
2707 if (oldrule == NULL) {
2708 if (newrule != NULL)
2709 pf_free_rule(newrule);
2716 if (pcr->action == PF_CHANGE_REMOVE) {
2717 pf_unlink_rule(ruleset->rules[rs_num].active.ptr,
2719 ruleset->rules[rs_num].active.rcount--;
2721 if (oldrule == NULL)
2723 ruleset->rules[rs_num].active.ptr,
2725 else if (pcr->action == PF_CHANGE_ADD_HEAD ||
2726 pcr->action == PF_CHANGE_ADD_BEFORE)
2727 TAILQ_INSERT_BEFORE(oldrule, newrule, entries);
2730 ruleset->rules[rs_num].active.ptr,
2731 oldrule, newrule, entries);
2732 ruleset->rules[rs_num].active.rcount++;
2736 TAILQ_FOREACH(oldrule,
2737 ruleset->rules[rs_num].active.ptr, entries)
2740 ruleset->rules[rs_num].active.ticket++;
2742 pf_calc_skip_steps(ruleset->rules[rs_num].active.ptr);
2743 pf_remove_if_empty_kruleset(ruleset);
2749 DIOCCHANGERULE_error:
2751 pf_krule_free(newrule);
2756 case DIOCCLRSTATES: {
2757 struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
2758 struct pf_kstate_kill kill;
2760 error = pf_state_kill_to_kstate_kill(psk, &kill);
2764 psk->psk_killed = pf_clear_states(&kill);
2768 case DIOCCLRSTATESNV: {
2769 error = pf_clearstates_nv((struct pfioc_nv *)addr);
2773 case DIOCKILLSTATES: {
2774 struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
2775 struct pf_kstate_kill kill;
2777 error = pf_state_kill_to_kstate_kill(psk, &kill);
2781 psk->psk_killed = 0;
2782 error = pf_killstates(&kill, &psk->psk_killed);
2786 case DIOCKILLSTATESNV: {
2787 error = pf_killstates_nv((struct pfioc_nv *)addr);
2791 case DIOCADDSTATE: {
2792 struct pfioc_state *ps = (struct pfioc_state *)addr;
2793 struct pfsync_state *sp = &ps->state;
2795 if (sp->timeout >= PFTM_MAX) {
2799 if (V_pfsync_state_import_ptr != NULL) {
2801 error = V_pfsync_state_import_ptr(sp, PFSYNC_SI_IOCTL);
2808 case DIOCGETSTATE: {
2809 struct pfioc_state *ps = (struct pfioc_state *)addr;
2810 struct pf_kstate *s;
2812 s = pf_find_state_byid(ps->state.id, ps->state.creatorid);
2818 pfsync_state_export(&ps->state, s);
2823 case DIOCGETSTATENV: {
2824 error = pf_getstate((struct pfioc_nv *)addr);
2828 case DIOCGETSTATES: {
2829 struct pfioc_states *ps = (struct pfioc_states *)addr;
2830 struct pf_kstate *s;
2831 struct pfsync_state *pstore, *p;
2834 if (ps->ps_len <= 0) {
2835 nr = uma_zone_get_cur(V_pf_state_z);
2836 ps->ps_len = sizeof(struct pfsync_state) * nr;
2840 p = pstore = malloc(ps->ps_len, M_TEMP, M_WAITOK | M_ZERO);
2843 for (i = 0; i <= pf_hashmask; i++) {
2844 struct pf_idhash *ih = &V_pf_idhash[i];
2846 PF_HASHROW_LOCK(ih);
2847 LIST_FOREACH(s, &ih->states, entry) {
2848 if (s->timeout == PFTM_UNLINKED)
2851 if ((nr+1) * sizeof(*p) > ps->ps_len) {
2852 PF_HASHROW_UNLOCK(ih);
2853 goto DIOCGETSTATES_full;
2855 pfsync_state_export(p, s);
2859 PF_HASHROW_UNLOCK(ih);
2862 error = copyout(pstore, ps->ps_states,
2863 sizeof(struct pfsync_state) * nr);
2865 free(pstore, M_TEMP);
2868 ps->ps_len = sizeof(struct pfsync_state) * nr;
2869 free(pstore, M_TEMP);
2874 case DIOCGETSTATESNV: {
2875 error = pf_getstates((struct pfioc_nv *)addr);
2879 case DIOCGETSTATUS: {
2880 struct pf_status *s = (struct pf_status *)addr;
2883 s->running = V_pf_status.running;
2884 s->since = V_pf_status.since;
2885 s->debug = V_pf_status.debug;
2886 s->hostid = V_pf_status.hostid;
2887 s->states = V_pf_status.states;
2888 s->src_nodes = V_pf_status.src_nodes;
2890 for (int i = 0; i < PFRES_MAX; i++)
2892 counter_u64_fetch(V_pf_status.counters[i]);
2893 for (int i = 0; i < LCNT_MAX; i++)
2895 counter_u64_fetch(V_pf_status.lcounters[i]);
2896 for (int i = 0; i < FCNT_MAX; i++)
2898 counter_u64_fetch(V_pf_status.fcounters[i]);
2899 for (int i = 0; i < SCNT_MAX; i++)
2901 counter_u64_fetch(V_pf_status.scounters[i]);
2903 bcopy(V_pf_status.ifname, s->ifname, IFNAMSIZ);
2904 bcopy(V_pf_status.pf_chksum, s->pf_chksum,
2905 PF_MD5_DIGEST_LENGTH);
2907 pfi_update_status(s->ifname, s);
2912 case DIOCSETSTATUSIF: {
2913 struct pfioc_if *pi = (struct pfioc_if *)addr;
2915 if (pi->ifname[0] == 0) {
2916 bzero(V_pf_status.ifname, IFNAMSIZ);
2920 strlcpy(V_pf_status.ifname, pi->ifname, IFNAMSIZ);
2925 case DIOCCLRSTATUS: {
2927 for (int i = 0; i < PFRES_MAX; i++)
2928 counter_u64_zero(V_pf_status.counters[i]);
2929 for (int i = 0; i < FCNT_MAX; i++)
2930 counter_u64_zero(V_pf_status.fcounters[i]);
2931 for (int i = 0; i < SCNT_MAX; i++)
2932 counter_u64_zero(V_pf_status.scounters[i]);
2933 for (int i = 0; i < LCNT_MAX; i++)
2934 counter_u64_zero(V_pf_status.lcounters[i]);
2935 V_pf_status.since = time_second;
2936 if (*V_pf_status.ifname)
2937 pfi_update_status(V_pf_status.ifname, NULL);
2943 struct pfioc_natlook *pnl = (struct pfioc_natlook *)addr;
2944 struct pf_state_key *sk;
2945 struct pf_kstate *state;
2946 struct pf_state_key_cmp key;
2947 int m = 0, direction = pnl->direction;
2950 /* NATLOOK src and dst are reversed, so reverse sidx/didx */
2951 sidx = (direction == PF_IN) ? 1 : 0;
2952 didx = (direction == PF_IN) ? 0 : 1;
2955 PF_AZERO(&pnl->saddr, pnl->af) ||
2956 PF_AZERO(&pnl->daddr, pnl->af) ||
2957 ((pnl->proto == IPPROTO_TCP ||
2958 pnl->proto == IPPROTO_UDP) &&
2959 (!pnl->dport || !pnl->sport)))
2962 bzero(&key, sizeof(key));
2964 key.proto = pnl->proto;
2965 PF_ACPY(&key.addr[sidx], &pnl->saddr, pnl->af);
2966 key.port[sidx] = pnl->sport;
2967 PF_ACPY(&key.addr[didx], &pnl->daddr, pnl->af);
2968 key.port[didx] = pnl->dport;
2970 state = pf_find_state_all(&key, direction, &m);
2973 error = E2BIG; /* more than one state */
2974 else if (state != NULL) {
2975 /* XXXGL: not locked read */
2976 sk = state->key[sidx];
2977 PF_ACPY(&pnl->rsaddr, &sk->addr[sidx], sk->af);
2978 pnl->rsport = sk->port[sidx];
2979 PF_ACPY(&pnl->rdaddr, &sk->addr[didx], sk->af);
2980 pnl->rdport = sk->port[didx];
2987 case DIOCSETTIMEOUT: {
2988 struct pfioc_tm *pt = (struct pfioc_tm *)addr;
2991 if (pt->timeout < 0 || pt->timeout >= PFTM_MAX ||
2997 old = V_pf_default_rule.timeout[pt->timeout];
2998 if (pt->timeout == PFTM_INTERVAL && pt->seconds == 0)
3000 V_pf_default_rule.timeout[pt->timeout] = pt->seconds;
3001 if (pt->timeout == PFTM_INTERVAL && pt->seconds < old)
3002 wakeup(pf_purge_thread);
3008 case DIOCGETTIMEOUT: {
3009 struct pfioc_tm *pt = (struct pfioc_tm *)addr;
3011 if (pt->timeout < 0 || pt->timeout >= PFTM_MAX) {
3016 pt->seconds = V_pf_default_rule.timeout[pt->timeout];
3021 case DIOCGETLIMIT: {
3022 struct pfioc_limit *pl = (struct pfioc_limit *)addr;
3024 if (pl->index < 0 || pl->index >= PF_LIMIT_MAX) {
3029 pl->limit = V_pf_limits[pl->index].limit;
3034 case DIOCSETLIMIT: {
3035 struct pfioc_limit *pl = (struct pfioc_limit *)addr;
3039 if (pl->index < 0 || pl->index >= PF_LIMIT_MAX ||
3040 V_pf_limits[pl->index].zone == NULL) {
3045 uma_zone_set_max(V_pf_limits[pl->index].zone, pl->limit);
3046 old_limit = V_pf_limits[pl->index].limit;
3047 V_pf_limits[pl->index].limit = pl->limit;
3048 pl->limit = old_limit;
3053 case DIOCSETDEBUG: {
3054 u_int32_t *level = (u_int32_t *)addr;
3057 V_pf_status.debug = *level;
3062 case DIOCCLRRULECTRS: {
3063 /* obsoleted by DIOCGETRULE with action=PF_GET_CLR_CNTR */
3064 struct pf_kruleset *ruleset = &pf_main_ruleset;
3065 struct pf_krule *rule;
3069 ruleset->rules[PF_RULESET_FILTER].active.ptr, entries) {
3070 counter_u64_zero(rule->evaluations);
3071 for (int i = 0; i < 2; i++) {
3072 counter_u64_zero(rule->packets[i]);
3073 counter_u64_zero(rule->bytes[i]);
3080 case DIOCGIFSPEEDV0:
3081 case DIOCGIFSPEEDV1: {
3082 struct pf_ifspeed_v1 *psp = (struct pf_ifspeed_v1 *)addr;
3083 struct pf_ifspeed_v1 ps;
3086 if (psp->ifname[0] != 0) {
3087 /* Can we completely trust user-land? */
3088 strlcpy(ps.ifname, psp->ifname, IFNAMSIZ);
3089 ifp = ifunit(ps.ifname);
3092 (u_int32_t)uqmin(ifp->if_baudrate, UINT_MAX);
3093 if (cmd == DIOCGIFSPEEDV1)
3094 psp->baudrate = ifp->if_baudrate;
3103 case DIOCSTARTALTQ: {
3104 struct pf_altq *altq;
3107 /* enable all altq interfaces on active list */
3108 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
3109 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
3110 error = pf_enable_altq(altq);
3116 V_pf_altq_running = 1;
3118 DPFPRINTF(PF_DEBUG_MISC, ("altq: started\n"));
3122 case DIOCSTOPALTQ: {
3123 struct pf_altq *altq;
3126 /* disable all altq interfaces on active list */
3127 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
3128 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
3129 error = pf_disable_altq(altq);
3135 V_pf_altq_running = 0;
3137 DPFPRINTF(PF_DEBUG_MISC, ("altq: stopped\n"));
3142 case DIOCADDALTQV1: {
3143 struct pfioc_altq_v1 *pa = (struct pfioc_altq_v1 *)addr;
3144 struct pf_altq *altq, *a;
3147 altq = malloc(sizeof(*altq), M_PFALTQ, M_WAITOK | M_ZERO);
3148 error = pf_import_kaltq(pa, altq, IOCPARM_LEN(cmd));
3151 altq->local_flags = 0;
3154 if (pa->ticket != V_ticket_altqs_inactive) {
3156 free(altq, M_PFALTQ);
3162 * if this is for a queue, find the discipline and
3163 * copy the necessary fields
3165 if (altq->qname[0] != 0) {
3166 if ((altq->qid = pf_qname2qid(altq->qname)) == 0) {
3169 free(altq, M_PFALTQ);
3172 altq->altq_disc = NULL;
3173 TAILQ_FOREACH(a, V_pf_altq_ifs_inactive, entries) {
3174 if (strncmp(a->ifname, altq->ifname,
3176 altq->altq_disc = a->altq_disc;
3182 if ((ifp = ifunit(altq->ifname)) == NULL)
3183 altq->local_flags |= PFALTQ_FLAG_IF_REMOVED;
3185 error = altq_add(ifp, altq);
3189 free(altq, M_PFALTQ);
3193 if (altq->qname[0] != 0)
3194 TAILQ_INSERT_TAIL(V_pf_altqs_inactive, altq, entries);
3196 TAILQ_INSERT_TAIL(V_pf_altq_ifs_inactive, altq, entries);
3197 /* version error check done on import above */
3198 pf_export_kaltq(altq, pa, IOCPARM_LEN(cmd));
3203 case DIOCGETALTQSV0:
3204 case DIOCGETALTQSV1: {
3205 struct pfioc_altq_v1 *pa = (struct pfioc_altq_v1 *)addr;
3206 struct pf_altq *altq;
3210 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries)
3212 TAILQ_FOREACH(altq, V_pf_altqs_active, entries)
3214 pa->ticket = V_ticket_altqs_active;
3220 case DIOCGETALTQV1: {
3221 struct pfioc_altq_v1 *pa = (struct pfioc_altq_v1 *)addr;
3222 struct pf_altq *altq;
3225 if (pa->ticket != V_ticket_altqs_active) {
3230 altq = pf_altq_get_nth_active(pa->nr);
3236 pf_export_kaltq(altq, pa, IOCPARM_LEN(cmd));
3241 case DIOCCHANGEALTQV0:
3242 case DIOCCHANGEALTQV1:
3243 /* CHANGEALTQ not supported yet! */
3247 case DIOCGETQSTATSV0:
3248 case DIOCGETQSTATSV1: {
3249 struct pfioc_qstats_v1 *pq = (struct pfioc_qstats_v1 *)addr;
3250 struct pf_altq *altq;
3255 if (pq->ticket != V_ticket_altqs_active) {
3260 nbytes = pq->nbytes;
3261 altq = pf_altq_get_nth_active(pq->nr);
3268 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) != 0) {
3274 if (cmd == DIOCGETQSTATSV0)
3275 version = 0; /* DIOCGETQSTATSV0 means stats struct v0 */
3277 version = pq->version;
3278 error = altq_getqstats(altq, pq->buf, &nbytes, version);
3280 pq->scheduler = altq->scheduler;
3281 pq->nbytes = nbytes;
3287 case DIOCBEGINADDRS: {
3288 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
3291 pf_empty_kpool(&V_pf_pabuf);
3292 pp->ticket = ++V_ticket_pabuf;
3298 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
3299 struct pf_kpooladdr *pa;
3300 struct pfi_kkif *kif = NULL;
3303 if (pp->af == AF_INET) {
3304 error = EAFNOSUPPORT;
3309 if (pp->af == AF_INET6) {
3310 error = EAFNOSUPPORT;
3314 if (pp->addr.addr.type != PF_ADDR_ADDRMASK &&
3315 pp->addr.addr.type != PF_ADDR_DYNIFTL &&
3316 pp->addr.addr.type != PF_ADDR_TABLE) {
3320 if (pp->addr.addr.p.dyn != NULL) {
3324 pa = malloc(sizeof(*pa), M_PFRULE, M_WAITOK);
3325 pf_pooladdr_to_kpooladdr(&pp->addr, pa);
3327 kif = pf_kkif_create(M_WAITOK);
3329 if (pp->ticket != V_ticket_pabuf) {
3337 if (pa->ifname[0]) {
3338 pa->kif = pfi_kkif_attach(kif, pa->ifname);
3340 pfi_kkif_ref(pa->kif);
3343 if (pa->addr.type == PF_ADDR_DYNIFTL && ((error =
3344 pfi_dynaddr_setup(&pa->addr, pp->af)) != 0)) {
3346 pfi_kkif_unref(pa->kif);
3351 TAILQ_INSERT_TAIL(&V_pf_pabuf, pa, entries);
3356 case DIOCGETADDRS: {
3357 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
3358 struct pf_kpool *pool;
3359 struct pf_kpooladdr *pa;
3363 pool = pf_get_kpool(pp->anchor, pp->ticket, pp->r_action,
3364 pp->r_num, 0, 1, 0);
3370 TAILQ_FOREACH(pa, &pool->list, entries)
3377 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
3378 struct pf_kpool *pool;
3379 struct pf_kpooladdr *pa;
3383 pool = pf_get_kpool(pp->anchor, pp->ticket, pp->r_action,
3384 pp->r_num, 0, 1, 1);
3390 pa = TAILQ_FIRST(&pool->list);
3391 while ((pa != NULL) && (nr < pp->nr)) {
3392 pa = TAILQ_NEXT(pa, entries);
3400 pf_kpooladdr_to_pooladdr(pa, &pp->addr);
3401 pf_addr_copyout(&pp->addr.addr);
3406 case DIOCCHANGEADDR: {
3407 struct pfioc_pooladdr *pca = (struct pfioc_pooladdr *)addr;
3408 struct pf_kpool *pool;
3409 struct pf_kpooladdr *oldpa = NULL, *newpa = NULL;
3410 struct pf_kruleset *ruleset;
3411 struct pfi_kkif *kif = NULL;
3413 if (pca->action < PF_CHANGE_ADD_HEAD ||
3414 pca->action > PF_CHANGE_REMOVE) {
3418 if (pca->addr.addr.type != PF_ADDR_ADDRMASK &&
3419 pca->addr.addr.type != PF_ADDR_DYNIFTL &&
3420 pca->addr.addr.type != PF_ADDR_TABLE) {
3424 if (pca->addr.addr.p.dyn != NULL) {
3429 if (pca->action != PF_CHANGE_REMOVE) {
3431 if (pca->af == AF_INET) {
3432 error = EAFNOSUPPORT;
3437 if (pca->af == AF_INET6) {
3438 error = EAFNOSUPPORT;
3442 newpa = malloc(sizeof(*newpa), M_PFRULE, M_WAITOK);
3443 bcopy(&pca->addr, newpa, sizeof(struct pf_pooladdr));
3444 if (newpa->ifname[0])
3445 kif = pf_kkif_create(M_WAITOK);
3448 #define ERROUT(x) ERROUT_IOCTL(DIOCCHANGEADDR_error, x)
3450 ruleset = pf_find_kruleset(pca->anchor);
3451 if (ruleset == NULL)
3454 pool = pf_get_kpool(pca->anchor, pca->ticket, pca->r_action,
3455 pca->r_num, pca->r_last, 1, 1);
3459 if (pca->action != PF_CHANGE_REMOVE) {
3460 if (newpa->ifname[0]) {
3461 newpa->kif = pfi_kkif_attach(kif, newpa->ifname);
3462 pfi_kkif_ref(newpa->kif);
3466 switch (newpa->addr.type) {
3467 case PF_ADDR_DYNIFTL:
3468 error = pfi_dynaddr_setup(&newpa->addr,
3472 newpa->addr.p.tbl = pfr_attach_table(ruleset,
3473 newpa->addr.v.tblname);
3474 if (newpa->addr.p.tbl == NULL)
3479 goto DIOCCHANGEADDR_error;
3482 switch (pca->action) {
3483 case PF_CHANGE_ADD_HEAD:
3484 oldpa = TAILQ_FIRST(&pool->list);
3486 case PF_CHANGE_ADD_TAIL:
3487 oldpa = TAILQ_LAST(&pool->list, pf_kpalist);
3490 oldpa = TAILQ_FIRST(&pool->list);
3491 for (int i = 0; oldpa && i < pca->nr; i++)
3492 oldpa = TAILQ_NEXT(oldpa, entries);
3498 if (pca->action == PF_CHANGE_REMOVE) {
3499 TAILQ_REMOVE(&pool->list, oldpa, entries);
3500 switch (oldpa->addr.type) {
3501 case PF_ADDR_DYNIFTL:
3502 pfi_dynaddr_remove(oldpa->addr.p.dyn);
3505 pfr_detach_table(oldpa->addr.p.tbl);
3509 pfi_kkif_unref(oldpa->kif);
3510 free(oldpa, M_PFRULE);
3513 TAILQ_INSERT_TAIL(&pool->list, newpa, entries);
3514 else if (pca->action == PF_CHANGE_ADD_HEAD ||
3515 pca->action == PF_CHANGE_ADD_BEFORE)
3516 TAILQ_INSERT_BEFORE(oldpa, newpa, entries);
3518 TAILQ_INSERT_AFTER(&pool->list, oldpa,
3522 pool->cur = TAILQ_FIRST(&pool->list);
3523 PF_ACPY(&pool->counter, &pool->cur->addr.v.a.addr, pca->af);
3528 DIOCCHANGEADDR_error:
3529 if (newpa != NULL) {
3531 pfi_kkif_unref(newpa->kif);
3532 free(newpa, M_PFRULE);
3539 case DIOCGETRULESETS: {
3540 struct pfioc_ruleset *pr = (struct pfioc_ruleset *)addr;
3541 struct pf_kruleset *ruleset;
3542 struct pf_kanchor *anchor;
3545 pr->path[sizeof(pr->path) - 1] = 0;
3546 if ((ruleset = pf_find_kruleset(pr->path)) == NULL) {
3552 if (ruleset->anchor == NULL) {
3553 /* XXX kludge for pf_main_ruleset */
3554 RB_FOREACH(anchor, pf_kanchor_global, &V_pf_anchors)
3555 if (anchor->parent == NULL)
3558 RB_FOREACH(anchor, pf_kanchor_node,
3559 &ruleset->anchor->children)
3566 case DIOCGETRULESET: {
3567 struct pfioc_ruleset *pr = (struct pfioc_ruleset *)addr;
3568 struct pf_kruleset *ruleset;
3569 struct pf_kanchor *anchor;
3573 pr->path[sizeof(pr->path) - 1] = 0;
3574 if ((ruleset = pf_find_kruleset(pr->path)) == NULL) {
3580 if (ruleset->anchor == NULL) {
3581 /* XXX kludge for pf_main_ruleset */
3582 RB_FOREACH(anchor, pf_kanchor_global, &V_pf_anchors)
3583 if (anchor->parent == NULL && nr++ == pr->nr) {
3584 strlcpy(pr->name, anchor->name,
3589 RB_FOREACH(anchor, pf_kanchor_node,
3590 &ruleset->anchor->children)
3591 if (nr++ == pr->nr) {
3592 strlcpy(pr->name, anchor->name,
3603 case DIOCRCLRTABLES: {
3604 struct pfioc_table *io = (struct pfioc_table *)addr;
3606 if (io->pfrio_esize != 0) {
3611 error = pfr_clr_tables(&io->pfrio_table, &io->pfrio_ndel,
3612 io->pfrio_flags | PFR_FLAG_USERIOCTL);
3617 case DIOCRADDTABLES: {
3618 struct pfioc_table *io = (struct pfioc_table *)addr;
3619 struct pfr_table *pfrts;
3622 if (io->pfrio_esize != sizeof(struct pfr_table)) {
3627 if (io->pfrio_size < 0 || io->pfrio_size > pf_ioctl_maxcount ||
3628 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_table))) {
3633 totlen = io->pfrio_size * sizeof(struct pfr_table);
3634 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
3636 error = copyin(io->pfrio_buffer, pfrts, totlen);
3638 free(pfrts, M_TEMP);
3642 error = pfr_add_tables(pfrts, io->pfrio_size,
3643 &io->pfrio_nadd, io->pfrio_flags | PFR_FLAG_USERIOCTL);
3645 free(pfrts, M_TEMP);
3649 case DIOCRDELTABLES: {
3650 struct pfioc_table *io = (struct pfioc_table *)addr;
3651 struct pfr_table *pfrts;
3654 if (io->pfrio_esize != sizeof(struct pfr_table)) {
3659 if (io->pfrio_size < 0 || io->pfrio_size > pf_ioctl_maxcount ||
3660 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_table))) {
3665 totlen = io->pfrio_size * sizeof(struct pfr_table);
3666 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
3668 error = copyin(io->pfrio_buffer, pfrts, totlen);
3670 free(pfrts, M_TEMP);
3674 error = pfr_del_tables(pfrts, io->pfrio_size,
3675 &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL);
3677 free(pfrts, M_TEMP);
3681 case DIOCRGETTABLES: {
3682 struct pfioc_table *io = (struct pfioc_table *)addr;
3683 struct pfr_table *pfrts;
3687 if (io->pfrio_esize != sizeof(struct pfr_table)) {
3692 n = pfr_table_count(&io->pfrio_table, io->pfrio_flags);
3698 io->pfrio_size = min(io->pfrio_size, n);
3700 totlen = io->pfrio_size * sizeof(struct pfr_table);
3702 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
3704 if (pfrts == NULL) {
3709 error = pfr_get_tables(&io->pfrio_table, pfrts,
3710 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
3713 error = copyout(pfrts, io->pfrio_buffer, totlen);
3714 free(pfrts, M_TEMP);
3718 case DIOCRGETTSTATS: {
3719 struct pfioc_table *io = (struct pfioc_table *)addr;
3720 struct pfr_tstats *pfrtstats;
3724 if (io->pfrio_esize != sizeof(struct pfr_tstats)) {
3728 PF_TABLE_STATS_LOCK();
3730 n = pfr_table_count(&io->pfrio_table, io->pfrio_flags);
3733 PF_TABLE_STATS_UNLOCK();
3737 io->pfrio_size = min(io->pfrio_size, n);
3739 totlen = io->pfrio_size * sizeof(struct pfr_tstats);
3740 pfrtstats = mallocarray(io->pfrio_size,
3741 sizeof(struct pfr_tstats), M_TEMP, M_NOWAIT);
3742 if (pfrtstats == NULL) {
3745 PF_TABLE_STATS_UNLOCK();
3748 error = pfr_get_tstats(&io->pfrio_table, pfrtstats,
3749 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
3751 PF_TABLE_STATS_UNLOCK();
3753 error = copyout(pfrtstats, io->pfrio_buffer, totlen);
3754 free(pfrtstats, M_TEMP);
3758 case DIOCRCLRTSTATS: {
3759 struct pfioc_table *io = (struct pfioc_table *)addr;
3760 struct pfr_table *pfrts;
3763 if (io->pfrio_esize != sizeof(struct pfr_table)) {
3768 if (io->pfrio_size < 0 || io->pfrio_size > pf_ioctl_maxcount ||
3769 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_table))) {
3770 /* We used to count tables and use the minimum required
3771 * size, so we didn't fail on overly large requests.
3773 io->pfrio_size = pf_ioctl_maxcount;
3777 totlen = io->pfrio_size * sizeof(struct pfr_table);
3778 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
3780 error = copyin(io->pfrio_buffer, pfrts, totlen);
3782 free(pfrts, M_TEMP);
3786 PF_TABLE_STATS_LOCK();
3788 error = pfr_clr_tstats(pfrts, io->pfrio_size,
3789 &io->pfrio_nzero, io->pfrio_flags | PFR_FLAG_USERIOCTL);
3791 PF_TABLE_STATS_UNLOCK();
3792 free(pfrts, M_TEMP);
3796 case DIOCRSETTFLAGS: {
3797 struct pfioc_table *io = (struct pfioc_table *)addr;
3798 struct pfr_table *pfrts;
3802 if (io->pfrio_esize != sizeof(struct pfr_table)) {
3808 n = pfr_table_count(&io->pfrio_table, io->pfrio_flags);
3815 io->pfrio_size = min(io->pfrio_size, n);
3818 totlen = io->pfrio_size * sizeof(struct pfr_table);
3819 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
3821 error = copyin(io->pfrio_buffer, pfrts, totlen);
3823 free(pfrts, M_TEMP);
3827 error = pfr_set_tflags(pfrts, io->pfrio_size,
3828 io->pfrio_setflag, io->pfrio_clrflag, &io->pfrio_nchange,
3829 &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL);
3831 free(pfrts, M_TEMP);
3835 case DIOCRCLRADDRS: {
3836 struct pfioc_table *io = (struct pfioc_table *)addr;
3838 if (io->pfrio_esize != 0) {
3843 error = pfr_clr_addrs(&io->pfrio_table, &io->pfrio_ndel,
3844 io->pfrio_flags | PFR_FLAG_USERIOCTL);
3849 case DIOCRADDADDRS: {
3850 struct pfioc_table *io = (struct pfioc_table *)addr;
3851 struct pfr_addr *pfras;
3854 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
3858 if (io->pfrio_size < 0 ||
3859 io->pfrio_size > pf_ioctl_maxcount ||
3860 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
3864 totlen = io->pfrio_size * sizeof(struct pfr_addr);
3865 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
3867 error = copyin(io->pfrio_buffer, pfras, totlen);
3869 free(pfras, M_TEMP);
3873 error = pfr_add_addrs(&io->pfrio_table, pfras,
3874 io->pfrio_size, &io->pfrio_nadd, io->pfrio_flags |
3875 PFR_FLAG_USERIOCTL);
3877 if (error == 0 && io->pfrio_flags & PFR_FLAG_FEEDBACK)
3878 error = copyout(pfras, io->pfrio_buffer, totlen);
3879 free(pfras, M_TEMP);
3883 case DIOCRDELADDRS: {
3884 struct pfioc_table *io = (struct pfioc_table *)addr;
3885 struct pfr_addr *pfras;
3888 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
3892 if (io->pfrio_size < 0 ||
3893 io->pfrio_size > pf_ioctl_maxcount ||
3894 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
3898 totlen = io->pfrio_size * sizeof(struct pfr_addr);
3899 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
3901 error = copyin(io->pfrio_buffer, pfras, totlen);
3903 free(pfras, M_TEMP);
3907 error = pfr_del_addrs(&io->pfrio_table, pfras,
3908 io->pfrio_size, &io->pfrio_ndel, io->pfrio_flags |
3909 PFR_FLAG_USERIOCTL);
3911 if (error == 0 && io->pfrio_flags & PFR_FLAG_FEEDBACK)
3912 error = copyout(pfras, io->pfrio_buffer, totlen);
3913 free(pfras, M_TEMP);
3917 case DIOCRSETADDRS: {
3918 struct pfioc_table *io = (struct pfioc_table *)addr;
3919 struct pfr_addr *pfras;
3920 size_t totlen, count;
3922 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
3926 if (io->pfrio_size < 0 || io->pfrio_size2 < 0) {
3930 count = max(io->pfrio_size, io->pfrio_size2);
3931 if (count > pf_ioctl_maxcount ||
3932 WOULD_OVERFLOW(count, sizeof(struct pfr_addr))) {
3936 totlen = count * sizeof(struct pfr_addr);
3937 pfras = mallocarray(count, sizeof(struct pfr_addr), M_TEMP,
3939 error = copyin(io->pfrio_buffer, pfras, totlen);
3941 free(pfras, M_TEMP);
3945 error = pfr_set_addrs(&io->pfrio_table, pfras,
3946 io->pfrio_size, &io->pfrio_size2, &io->pfrio_nadd,
3947 &io->pfrio_ndel, &io->pfrio_nchange, io->pfrio_flags |
3948 PFR_FLAG_USERIOCTL, 0);
3950 if (error == 0 && io->pfrio_flags & PFR_FLAG_FEEDBACK)
3951 error = copyout(pfras, io->pfrio_buffer, totlen);
3952 free(pfras, M_TEMP);
3956 case DIOCRGETADDRS: {
3957 struct pfioc_table *io = (struct pfioc_table *)addr;
3958 struct pfr_addr *pfras;
3961 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
3965 if (io->pfrio_size < 0 ||
3966 io->pfrio_size > pf_ioctl_maxcount ||
3967 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
3971 totlen = io->pfrio_size * sizeof(struct pfr_addr);
3972 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
3975 error = pfr_get_addrs(&io->pfrio_table, pfras,
3976 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
3979 error = copyout(pfras, io->pfrio_buffer, totlen);
3980 free(pfras, M_TEMP);
3984 case DIOCRGETASTATS: {
3985 struct pfioc_table *io = (struct pfioc_table *)addr;
3986 struct pfr_astats *pfrastats;
3989 if (io->pfrio_esize != sizeof(struct pfr_astats)) {
3993 if (io->pfrio_size < 0 ||
3994 io->pfrio_size > pf_ioctl_maxcount ||
3995 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_astats))) {
3999 totlen = io->pfrio_size * sizeof(struct pfr_astats);
4000 pfrastats = mallocarray(io->pfrio_size,
4001 sizeof(struct pfr_astats), M_TEMP, M_WAITOK);
4003 error = pfr_get_astats(&io->pfrio_table, pfrastats,
4004 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4007 error = copyout(pfrastats, io->pfrio_buffer, totlen);
4008 free(pfrastats, M_TEMP);
4012 case DIOCRCLRASTATS: {
4013 struct pfioc_table *io = (struct pfioc_table *)addr;
4014 struct pfr_addr *pfras;
4017 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4021 if (io->pfrio_size < 0 ||
4022 io->pfrio_size > pf_ioctl_maxcount ||
4023 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4027 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4028 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4030 error = copyin(io->pfrio_buffer, pfras, totlen);
4032 free(pfras, M_TEMP);
4036 error = pfr_clr_astats(&io->pfrio_table, pfras,
4037 io->pfrio_size, &io->pfrio_nzero, io->pfrio_flags |
4038 PFR_FLAG_USERIOCTL);
4040 if (error == 0 && io->pfrio_flags & PFR_FLAG_FEEDBACK)
4041 error = copyout(pfras, io->pfrio_buffer, totlen);
4042 free(pfras, M_TEMP);
4046 case DIOCRTSTADDRS: {
4047 struct pfioc_table *io = (struct pfioc_table *)addr;
4048 struct pfr_addr *pfras;
4051 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4055 if (io->pfrio_size < 0 ||
4056 io->pfrio_size > pf_ioctl_maxcount ||
4057 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4061 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4062 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4064 error = copyin(io->pfrio_buffer, pfras, totlen);
4066 free(pfras, M_TEMP);
4070 error = pfr_tst_addrs(&io->pfrio_table, pfras,
4071 io->pfrio_size, &io->pfrio_nmatch, io->pfrio_flags |
4072 PFR_FLAG_USERIOCTL);
4075 error = copyout(pfras, io->pfrio_buffer, totlen);
4076 free(pfras, M_TEMP);
4080 case DIOCRINADEFINE: {
4081 struct pfioc_table *io = (struct pfioc_table *)addr;
4082 struct pfr_addr *pfras;
4085 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4089 if (io->pfrio_size < 0 ||
4090 io->pfrio_size > pf_ioctl_maxcount ||
4091 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4095 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4096 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4098 error = copyin(io->pfrio_buffer, pfras, totlen);
4100 free(pfras, M_TEMP);
4104 error = pfr_ina_define(&io->pfrio_table, pfras,
4105 io->pfrio_size, &io->pfrio_nadd, &io->pfrio_naddr,
4106 io->pfrio_ticket, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4108 free(pfras, M_TEMP);
4113 struct pf_osfp_ioctl *io = (struct pf_osfp_ioctl *)addr;
4115 error = pf_osfp_add(io);
4121 struct pf_osfp_ioctl *io = (struct pf_osfp_ioctl *)addr;
4123 error = pf_osfp_get(io);
4129 struct pfioc_trans *io = (struct pfioc_trans *)addr;
4130 struct pfioc_trans_e *ioes, *ioe;
4134 if (io->esize != sizeof(*ioe)) {
4139 io->size > pf_ioctl_maxcount ||
4140 WOULD_OVERFLOW(io->size, sizeof(struct pfioc_trans_e))) {
4144 totlen = sizeof(struct pfioc_trans_e) * io->size;
4145 ioes = mallocarray(io->size, sizeof(struct pfioc_trans_e),
4147 error = copyin(io->array, ioes, totlen);
4153 for (i = 0, ioe = ioes; i < io->size; i++, ioe++) {
4154 switch (ioe->rs_num) {
4156 case PF_RULESET_ALTQ:
4157 if (ioe->anchor[0]) {
4163 if ((error = pf_begin_altq(&ioe->ticket))) {
4170 case PF_RULESET_TABLE:
4172 struct pfr_table table;
4174 bzero(&table, sizeof(table));
4175 strlcpy(table.pfrt_anchor, ioe->anchor,
4176 sizeof(table.pfrt_anchor));
4177 if ((error = pfr_ina_begin(&table,
4178 &ioe->ticket, NULL, 0))) {
4186 if ((error = pf_begin_rules(&ioe->ticket,
4187 ioe->rs_num, ioe->anchor))) {
4196 error = copyout(ioes, io->array, totlen);
4201 case DIOCXROLLBACK: {
4202 struct pfioc_trans *io = (struct pfioc_trans *)addr;
4203 struct pfioc_trans_e *ioe, *ioes;
4207 if (io->esize != sizeof(*ioe)) {
4212 io->size > pf_ioctl_maxcount ||
4213 WOULD_OVERFLOW(io->size, sizeof(struct pfioc_trans_e))) {
4217 totlen = sizeof(struct pfioc_trans_e) * io->size;
4218 ioes = mallocarray(io->size, sizeof(struct pfioc_trans_e),
4220 error = copyin(io->array, ioes, totlen);
4226 for (i = 0, ioe = ioes; i < io->size; i++, ioe++) {
4227 switch (ioe->rs_num) {
4229 case PF_RULESET_ALTQ:
4230 if (ioe->anchor[0]) {
4236 if ((error = pf_rollback_altq(ioe->ticket))) {
4239 goto fail; /* really bad */
4243 case PF_RULESET_TABLE:
4245 struct pfr_table table;
4247 bzero(&table, sizeof(table));
4248 strlcpy(table.pfrt_anchor, ioe->anchor,
4249 sizeof(table.pfrt_anchor));
4250 if ((error = pfr_ina_rollback(&table,
4251 ioe->ticket, NULL, 0))) {
4254 goto fail; /* really bad */
4259 if ((error = pf_rollback_rules(ioe->ticket,
4260 ioe->rs_num, ioe->anchor))) {
4263 goto fail; /* really bad */
4274 struct pfioc_trans *io = (struct pfioc_trans *)addr;
4275 struct pfioc_trans_e *ioe, *ioes;
4276 struct pf_kruleset *rs;
4280 if (io->esize != sizeof(*ioe)) {
4286 io->size > pf_ioctl_maxcount ||
4287 WOULD_OVERFLOW(io->size, sizeof(struct pfioc_trans_e))) {
4292 totlen = sizeof(struct pfioc_trans_e) * io->size;
4293 ioes = mallocarray(io->size, sizeof(struct pfioc_trans_e),
4295 error = copyin(io->array, ioes, totlen);
4301 /* First makes sure everything will succeed. */
4302 for (i = 0, ioe = ioes; i < io->size; i++, ioe++) {
4303 switch (ioe->rs_num) {
4305 case PF_RULESET_ALTQ:
4306 if (ioe->anchor[0]) {
4312 if (!V_altqs_inactive_open || ioe->ticket !=
4313 V_ticket_altqs_inactive) {
4321 case PF_RULESET_TABLE:
4322 rs = pf_find_kruleset(ioe->anchor);
4323 if (rs == NULL || !rs->topen || ioe->ticket !=
4332 if (ioe->rs_num < 0 || ioe->rs_num >=
4339 rs = pf_find_kruleset(ioe->anchor);
4341 !rs->rules[ioe->rs_num].inactive.open ||
4342 rs->rules[ioe->rs_num].inactive.ticket !=
4352 /* Now do the commit - no errors should happen here. */
4353 for (i = 0, ioe = ioes; i < io->size; i++, ioe++) {
4354 switch (ioe->rs_num) {
4356 case PF_RULESET_ALTQ:
4357 if ((error = pf_commit_altq(ioe->ticket))) {
4360 goto fail; /* really bad */
4364 case PF_RULESET_TABLE:
4366 struct pfr_table table;
4368 bzero(&table, sizeof(table));
4369 strlcpy(table.pfrt_anchor, ioe->anchor,
4370 sizeof(table.pfrt_anchor));
4371 if ((error = pfr_ina_commit(&table,
4372 ioe->ticket, NULL, NULL, 0))) {
4375 goto fail; /* really bad */
4380 if ((error = pf_commit_rules(ioe->ticket,
4381 ioe->rs_num, ioe->anchor))) {
4384 goto fail; /* really bad */
4394 case DIOCGETSRCNODES: {
4395 struct pfioc_src_nodes *psn = (struct pfioc_src_nodes *)addr;
4396 struct pf_srchash *sh;
4397 struct pf_ksrc_node *n;
4398 struct pf_src_node *p, *pstore;
4401 for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
4403 PF_HASHROW_LOCK(sh);
4404 LIST_FOREACH(n, &sh->nodes, entry)
4406 PF_HASHROW_UNLOCK(sh);
4409 psn->psn_len = min(psn->psn_len,
4410 sizeof(struct pf_src_node) * nr);
4412 if (psn->psn_len == 0) {
4413 psn->psn_len = sizeof(struct pf_src_node) * nr;
4419 p = pstore = malloc(psn->psn_len, M_TEMP, M_WAITOK | M_ZERO);
4420 for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
4422 PF_HASHROW_LOCK(sh);
4423 LIST_FOREACH(n, &sh->nodes, entry) {
4425 if ((nr + 1) * sizeof(*p) > (unsigned)psn->psn_len)
4428 pf_src_node_copy(n, p);
4433 PF_HASHROW_UNLOCK(sh);
4435 error = copyout(pstore, psn->psn_src_nodes,
4436 sizeof(struct pf_src_node) * nr);
4438 free(pstore, M_TEMP);
4441 psn->psn_len = sizeof(struct pf_src_node) * nr;
4442 free(pstore, M_TEMP);
4446 case DIOCCLRSRCNODES: {
4447 pf_clear_srcnodes(NULL);
4448 pf_purge_expired_src_nodes();
4452 case DIOCKILLSRCNODES:
4453 pf_kill_srcnodes((struct pfioc_src_node_kill *)addr);
4456 case DIOCKEEPCOUNTERS:
4457 error = pf_keepcounters((struct pfioc_nv *)addr);
4460 case DIOCSETHOSTID: {
4461 u_int32_t *hostid = (u_int32_t *)addr;
4465 V_pf_status.hostid = arc4random();
4467 V_pf_status.hostid = *hostid;
4478 case DIOCIGETIFACES: {
4479 struct pfioc_iface *io = (struct pfioc_iface *)addr;
4480 struct pfi_kif *ifstore;
4483 if (io->pfiio_esize != sizeof(struct pfi_kif)) {
4488 if (io->pfiio_size < 0 ||
4489 io->pfiio_size > pf_ioctl_maxcount ||
4490 WOULD_OVERFLOW(io->pfiio_size, sizeof(struct pfi_kif))) {
4495 bufsiz = io->pfiio_size * sizeof(struct pfi_kif);
4496 ifstore = mallocarray(io->pfiio_size, sizeof(struct pfi_kif),
4500 pfi_get_ifaces(io->pfiio_name, ifstore, &io->pfiio_size);
4502 error = copyout(ifstore, io->pfiio_buffer, bufsiz);
4503 free(ifstore, M_TEMP);
4507 case DIOCSETIFFLAG: {
4508 struct pfioc_iface *io = (struct pfioc_iface *)addr;
4511 error = pfi_set_flags(io->pfiio_name, io->pfiio_flags);
4516 case DIOCCLRIFFLAG: {
4517 struct pfioc_iface *io = (struct pfioc_iface *)addr;
4520 error = pfi_clear_flags(io->pfiio_name, io->pfiio_flags);
4530 if (sx_xlocked(&pf_ioctl_lock))
4531 sx_xunlock(&pf_ioctl_lock);
4540 pfsync_state_export(struct pfsync_state *sp, struct pf_kstate *st)
4542 bzero(sp, sizeof(struct pfsync_state));
4544 /* copy from state key */
4545 sp->key[PF_SK_WIRE].addr[0] = st->key[PF_SK_WIRE]->addr[0];
4546 sp->key[PF_SK_WIRE].addr[1] = st->key[PF_SK_WIRE]->addr[1];
4547 sp->key[PF_SK_WIRE].port[0] = st->key[PF_SK_WIRE]->port[0];
4548 sp->key[PF_SK_WIRE].port[1] = st->key[PF_SK_WIRE]->port[1];
4549 sp->key[PF_SK_STACK].addr[0] = st->key[PF_SK_STACK]->addr[0];
4550 sp->key[PF_SK_STACK].addr[1] = st->key[PF_SK_STACK]->addr[1];
4551 sp->key[PF_SK_STACK].port[0] = st->key[PF_SK_STACK]->port[0];
4552 sp->key[PF_SK_STACK].port[1] = st->key[PF_SK_STACK]->port[1];
4553 sp->proto = st->key[PF_SK_WIRE]->proto;
4554 sp->af = st->key[PF_SK_WIRE]->af;
4556 /* copy from state */
4557 strlcpy(sp->ifname, st->kif->pfik_name, sizeof(sp->ifname));
4558 bcopy(&st->rt_addr, &sp->rt_addr, sizeof(sp->rt_addr));
4559 sp->creation = htonl(time_uptime - st->creation);
4560 sp->expire = pf_state_expires(st);
4561 if (sp->expire <= time_uptime)
4562 sp->expire = htonl(0);
4564 sp->expire = htonl(sp->expire - time_uptime);
4566 sp->direction = st->direction;
4568 sp->timeout = st->timeout;
4569 sp->state_flags = st->state_flags;
4571 sp->sync_flags |= PFSYNC_FLAG_SRCNODE;
4572 if (st->nat_src_node)
4573 sp->sync_flags |= PFSYNC_FLAG_NATSRCNODE;
4576 sp->creatorid = st->creatorid;
4577 pf_state_peer_hton(&st->src, &sp->src);
4578 pf_state_peer_hton(&st->dst, &sp->dst);
4580 if (st->rule.ptr == NULL)
4581 sp->rule = htonl(-1);
4583 sp->rule = htonl(st->rule.ptr->nr);
4584 if (st->anchor.ptr == NULL)
4585 sp->anchor = htonl(-1);
4587 sp->anchor = htonl(st->anchor.ptr->nr);
4588 if (st->nat_rule.ptr == NULL)
4589 sp->nat_rule = htonl(-1);
4591 sp->nat_rule = htonl(st->nat_rule.ptr->nr);
4593 pf_state_counter_hton(st->packets[0], sp->packets[0]);
4594 pf_state_counter_hton(st->packets[1], sp->packets[1]);
4595 pf_state_counter_hton(st->bytes[0], sp->bytes[0]);
4596 pf_state_counter_hton(st->bytes[1], sp->bytes[1]);
4601 pf_tbladdr_copyout(struct pf_addr_wrap *aw)
4603 struct pfr_ktable *kt;
4605 KASSERT(aw->type == PF_ADDR_TABLE, ("%s: type %u", __func__, aw->type));
4608 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
4609 kt = kt->pfrkt_root;
4611 aw->p.tblcnt = (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) ?
4616 * XXX - Check for version missmatch!!!
4619 pf_clear_all_states(void)
4621 struct pf_kstate *s;
4624 for (i = 0; i <= pf_hashmask; i++) {
4625 struct pf_idhash *ih = &V_pf_idhash[i];
4627 PF_HASHROW_LOCK(ih);
4628 LIST_FOREACH(s, &ih->states, entry) {
4629 s->timeout = PFTM_PURGE;
4630 /* Don't send out individual delete messages. */
4631 s->state_flags |= PFSTATE_NOSYNC;
4632 pf_unlink_state(s, PF_ENTER_LOCKED);
4635 PF_HASHROW_UNLOCK(ih);
4640 pf_clear_tables(void)
4642 struct pfioc_table io;
4645 bzero(&io, sizeof(io));
4647 error = pfr_clr_tables(&io.pfrio_table, &io.pfrio_ndel,
4654 pf_clear_srcnodes(struct pf_ksrc_node *n)
4656 struct pf_kstate *s;
4659 for (i = 0; i <= pf_hashmask; i++) {
4660 struct pf_idhash *ih = &V_pf_idhash[i];
4662 PF_HASHROW_LOCK(ih);
4663 LIST_FOREACH(s, &ih->states, entry) {
4664 if (n == NULL || n == s->src_node)
4666 if (n == NULL || n == s->nat_src_node)
4667 s->nat_src_node = NULL;
4669 PF_HASHROW_UNLOCK(ih);
4673 struct pf_srchash *sh;
4675 for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
4677 PF_HASHROW_LOCK(sh);
4678 LIST_FOREACH(n, &sh->nodes, entry) {
4682 PF_HASHROW_UNLOCK(sh);
4685 /* XXX: hash slot should already be locked here. */
4692 pf_kill_srcnodes(struct pfioc_src_node_kill *psnk)
4694 struct pf_ksrc_node_list kill;
4697 for (int i = 0; i <= pf_srchashmask; i++) {
4698 struct pf_srchash *sh = &V_pf_srchash[i];
4699 struct pf_ksrc_node *sn, *tmp;
4701 PF_HASHROW_LOCK(sh);
4702 LIST_FOREACH_SAFE(sn, &sh->nodes, entry, tmp)
4703 if (PF_MATCHA(psnk->psnk_src.neg,
4704 &psnk->psnk_src.addr.v.a.addr,
4705 &psnk->psnk_src.addr.v.a.mask,
4706 &sn->addr, sn->af) &&
4707 PF_MATCHA(psnk->psnk_dst.neg,
4708 &psnk->psnk_dst.addr.v.a.addr,
4709 &psnk->psnk_dst.addr.v.a.mask,
4710 &sn->raddr, sn->af)) {
4711 pf_unlink_src_node(sn);
4712 LIST_INSERT_HEAD(&kill, sn, entry);
4715 PF_HASHROW_UNLOCK(sh);
4718 for (int i = 0; i <= pf_hashmask; i++) {
4719 struct pf_idhash *ih = &V_pf_idhash[i];
4720 struct pf_kstate *s;
4722 PF_HASHROW_LOCK(ih);
4723 LIST_FOREACH(s, &ih->states, entry) {
4724 if (s->src_node && s->src_node->expire == 1)
4726 if (s->nat_src_node && s->nat_src_node->expire == 1)
4727 s->nat_src_node = NULL;
4729 PF_HASHROW_UNLOCK(ih);
4732 psnk->psnk_killed = pf_free_src_nodes(&kill);
4736 pf_keepcounters(struct pfioc_nv *nv)
4738 nvlist_t *nvl = NULL;
4739 void *nvlpacked = NULL;
4742 #define ERROUT(x) ERROUT_FUNCTION(on_error, x)
4744 if (nv->len > pf_ioctl_maxcount)
4747 nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
4748 if (nvlpacked == NULL)
4751 error = copyin(nv->data, nvlpacked, nv->len);
4755 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
4759 if (! nvlist_exists_bool(nvl, "keep_counters"))
4762 V_pf_status.keep_counters = nvlist_get_bool(nvl, "keep_counters");
4765 nvlist_destroy(nvl);
4766 free(nvlpacked, M_TEMP);
4771 pf_clear_states(const struct pf_kstate_kill *kill)
4773 struct pf_state_key_cmp match_key;
4774 struct pf_kstate *s;
4775 struct pfi_kkif *kif;
4777 unsigned int killed = 0, dir;
4779 for (unsigned int i = 0; i <= pf_hashmask; i++) {
4780 struct pf_idhash *ih = &V_pf_idhash[i];
4782 relock_DIOCCLRSTATES:
4783 PF_HASHROW_LOCK(ih);
4784 LIST_FOREACH(s, &ih->states, entry) {
4785 /* For floating states look at the original kif. */
4786 kif = s->kif == V_pfi_all ? s->orig_kif : s->kif;
4788 if (kill->psk_ifname[0] &&
4789 strcmp(kill->psk_ifname,
4793 if (kill->psk_kill_match) {
4794 bzero(&match_key, sizeof(match_key));
4796 if (s->direction == PF_OUT) {
4804 match_key.af = s->key[idx]->af;
4805 match_key.proto = s->key[idx]->proto;
4806 PF_ACPY(&match_key.addr[0],
4807 &s->key[idx]->addr[1], match_key.af);
4808 match_key.port[0] = s->key[idx]->port[1];
4809 PF_ACPY(&match_key.addr[1],
4810 &s->key[idx]->addr[0], match_key.af);
4811 match_key.port[1] = s->key[idx]->port[0];
4815 * Don't send out individual
4818 s->state_flags |= PFSTATE_NOSYNC;
4819 pf_unlink_state(s, PF_ENTER_LOCKED);
4822 if (kill->psk_kill_match)
4823 killed += pf_kill_matching_state(&match_key,
4826 goto relock_DIOCCLRSTATES;
4828 PF_HASHROW_UNLOCK(ih);
4831 if (V_pfsync_clear_states_ptr != NULL)
4832 V_pfsync_clear_states_ptr(V_pf_status.hostid, kill->psk_ifname);
4838 pf_killstates(struct pf_kstate_kill *kill, unsigned int *killed)
4840 struct pf_kstate *s;
4842 if (kill->psk_pfcmp.id) {
4843 if (kill->psk_pfcmp.creatorid == 0)
4844 kill->psk_pfcmp.creatorid = V_pf_status.hostid;
4845 if ((s = pf_find_state_byid(kill->psk_pfcmp.id,
4846 kill->psk_pfcmp.creatorid))) {
4847 pf_unlink_state(s, PF_ENTER_LOCKED);
4853 for (unsigned int i = 0; i <= pf_hashmask; i++)
4854 *killed += pf_killstates_row(kill, &V_pf_idhash[i]);
4860 pf_killstates_nv(struct pfioc_nv *nv)
4862 struct pf_kstate_kill kill;
4863 nvlist_t *nvl = NULL;
4864 void *nvlpacked = NULL;
4866 unsigned int killed = 0;
4868 #define ERROUT(x) ERROUT_FUNCTION(on_error, x)
4870 if (nv->len > pf_ioctl_maxcount)
4873 nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
4874 if (nvlpacked == NULL)
4877 error = copyin(nv->data, nvlpacked, nv->len);
4881 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
4885 error = pf_nvstate_kill_to_kstate_kill(nvl, &kill);
4889 error = pf_killstates(&kill, &killed);
4893 free(nvlpacked, M_NVLIST);
4895 nvlist_destroy(nvl);
4896 nvl = nvlist_create(0);
4900 nvlist_add_number(nvl, "killed", killed);
4902 nvlpacked = nvlist_pack(nvl, &nv->len);
4903 if (nvlpacked == NULL)
4908 else if (nv->size < nv->len)
4911 error = copyout(nvlpacked, nv->data, nv->len);
4914 nvlist_destroy(nvl);
4915 free(nvlpacked, M_NVLIST);
4920 pf_clearstates_nv(struct pfioc_nv *nv)
4922 struct pf_kstate_kill kill;
4923 nvlist_t *nvl = NULL;
4924 void *nvlpacked = NULL;
4926 unsigned int killed;
4928 #define ERROUT(x) ERROUT_FUNCTION(on_error, x)
4930 if (nv->len > pf_ioctl_maxcount)
4933 nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
4934 if (nvlpacked == NULL)
4937 error = copyin(nv->data, nvlpacked, nv->len);
4941 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
4945 error = pf_nvstate_kill_to_kstate_kill(nvl, &kill);
4949 killed = pf_clear_states(&kill);
4951 free(nvlpacked, M_NVLIST);
4953 nvlist_destroy(nvl);
4954 nvl = nvlist_create(0);
4958 nvlist_add_number(nvl, "killed", killed);
4960 nvlpacked = nvlist_pack(nvl, &nv->len);
4961 if (nvlpacked == NULL)
4966 else if (nv->size < nv->len)
4969 error = copyout(nvlpacked, nv->data, nv->len);
4973 nvlist_destroy(nvl);
4974 free(nvlpacked, M_NVLIST);
4979 pf_getstate(struct pfioc_nv *nv)
4981 nvlist_t *nvl = NULL, *nvls;
4982 void *nvlpacked = NULL;
4983 struct pf_kstate *s = NULL;
4985 uint64_t id, creatorid;
4987 #define ERROUT(x) ERROUT_FUNCTION(errout, x)
4989 if (nv->len > pf_ioctl_maxcount)
4992 nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
4993 if (nvlpacked == NULL)
4996 error = copyin(nv->data, nvlpacked, nv->len);
5000 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
5004 PFNV_CHK(pf_nvuint64(nvl, "id", &id));
5005 PFNV_CHK(pf_nvuint64(nvl, "creatorid", &creatorid));
5007 s = pf_find_state_byid(id, creatorid);
5011 free(nvlpacked, M_NVLIST);
5013 nvlist_destroy(nvl);
5014 nvl = nvlist_create(0);
5018 nvls = pf_state_to_nvstate(s);
5022 nvlist_add_nvlist(nvl, "state", nvls);
5023 nvlist_destroy(nvls);
5025 nvlpacked = nvlist_pack(nvl, &nv->len);
5026 if (nvlpacked == NULL)
5031 else if (nv->size < nv->len)
5034 error = copyout(nvlpacked, nv->data, nv->len);
5040 free(nvlpacked, M_NVLIST);
5041 nvlist_destroy(nvl);
5046 pf_getstates(struct pfioc_nv *nv)
5048 nvlist_t *nvl = NULL, *nvls;
5049 void *nvlpacked = NULL;
5050 struct pf_kstate *s = NULL;
5054 #define ERROUT(x) ERROUT_FUNCTION(errout, x)
5056 nvl = nvlist_create(0);
5060 nvlist_add_number(nvl, "count", uma_zone_get_cur(V_pf_state_z));
5062 for (int i = 0; i < pf_hashmask; i++) {
5063 struct pf_idhash *ih = &V_pf_idhash[i];
5065 /* Avoid taking the lock if there are no states in the row. */
5066 if (LIST_EMPTY(&ih->states))
5069 PF_HASHROW_LOCK(ih);
5070 LIST_FOREACH(s, &ih->states, entry) {
5071 if (s->timeout == PFTM_UNLINKED)
5074 if (SIGPENDING(curthread)) {
5075 PF_HASHROW_UNLOCK(ih);
5079 nvls = pf_state_to_nvstate(s);
5081 PF_HASHROW_UNLOCK(ih);
5084 if ((nvlist_size(nvl) + nvlist_size(nvls)) > nv->size) {
5085 /* We've run out of room for more states. */
5086 nvlist_destroy(nvls);
5087 PF_HASHROW_UNLOCK(ih);
5088 goto DIOCGETSTATESNV_full;
5090 nvlist_append_nvlist_array(nvl, "states", nvls);
5091 nvlist_destroy(nvls);
5094 PF_HASHROW_UNLOCK(ih);
5097 /* We've managed to put them all the available space. Let's make sure
5098 * 'count' matches our array (that's racy, because we don't hold a lock
5099 * over all states, only over each row individually. */
5100 (void)nvlist_take_number(nvl, "count");
5101 nvlist_add_number(nvl, "count", count);
5103 DIOCGETSTATESNV_full:
5105 nvlpacked = nvlist_pack(nvl, &nv->len);
5106 if (nvlpacked == NULL)
5111 else if (nv->size < nv->len)
5114 error = copyout(nvlpacked, nv->data, nv->len);
5118 free(nvlpacked, M_NVLIST);
5119 nvlist_destroy(nvl);
5124 * XXX - Check for version missmatch!!!
5128 * Duplicate pfctl -Fa operation to get rid of as much as we can.
5138 if ((error = pf_begin_rules(&t[0], PF_RULESET_SCRUB, &nn))
5140 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: SCRUB\n"));
5143 if ((error = pf_begin_rules(&t[1], PF_RULESET_FILTER, &nn))
5145 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: FILTER\n"));
5146 break; /* XXX: rollback? */
5148 if ((error = pf_begin_rules(&t[2], PF_RULESET_NAT, &nn))
5150 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: NAT\n"));
5151 break; /* XXX: rollback? */
5153 if ((error = pf_begin_rules(&t[3], PF_RULESET_BINAT, &nn))
5155 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: BINAT\n"));
5156 break; /* XXX: rollback? */
5158 if ((error = pf_begin_rules(&t[4], PF_RULESET_RDR, &nn))
5160 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: RDR\n"));
5161 break; /* XXX: rollback? */
5164 /* XXX: these should always succeed here */
5165 pf_commit_rules(t[0], PF_RULESET_SCRUB, &nn);
5166 pf_commit_rules(t[1], PF_RULESET_FILTER, &nn);
5167 pf_commit_rules(t[2], PF_RULESET_NAT, &nn);
5168 pf_commit_rules(t[3], PF_RULESET_BINAT, &nn);
5169 pf_commit_rules(t[4], PF_RULESET_RDR, &nn);
5171 if ((error = pf_clear_tables()) != 0)
5175 if ((error = pf_begin_altq(&t[0])) != 0) {
5176 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: ALTQ\n"));
5179 pf_commit_altq(t[0]);
5182 pf_clear_all_states();
5184 pf_clear_srcnodes(NULL);
5186 /* status does not use malloced mem so no need to cleanup */
5187 /* fingerprints and interfaces have their own cleanup code */
5193 static pfil_return_t
5194 pf_check_return(int chk, struct mbuf **m)
5200 return (PFIL_CONSUMED);
5209 return (PFIL_DROPPED);
5214 static pfil_return_t
5215 pf_check_in(struct mbuf **m, struct ifnet *ifp, int flags,
5216 void *ruleset __unused, struct inpcb *inp)
5220 chk = pf_test(PF_IN, flags, ifp, m, inp);
5222 return (pf_check_return(chk, m));
5225 static pfil_return_t
5226 pf_check_out(struct mbuf **m, struct ifnet *ifp, int flags,
5227 void *ruleset __unused, struct inpcb *inp)
5231 chk = pf_test(PF_OUT, flags, ifp, m, inp);
5233 return (pf_check_return(chk, m));
5238 static pfil_return_t
5239 pf_check6_in(struct mbuf **m, struct ifnet *ifp, int flags,
5240 void *ruleset __unused, struct inpcb *inp)
5245 * In case of loopback traffic IPv6 uses the real interface in
5246 * order to support scoped addresses. In order to support stateful
5247 * filtering we have change this to lo0 as it is the case in IPv4.
5249 CURVNET_SET(ifp->if_vnet);
5250 chk = pf_test6(PF_IN, flags, (*m)->m_flags & M_LOOP ? V_loif : ifp, m, inp);
5253 return (pf_check_return(chk, m));
5256 static pfil_return_t
5257 pf_check6_out(struct mbuf **m, struct ifnet *ifp, int flags,
5258 void *ruleset __unused, struct inpcb *inp)
5262 CURVNET_SET(ifp->if_vnet);
5263 chk = pf_test6(PF_OUT, flags, ifp, m, inp);
5266 return (pf_check_return(chk, m));
5271 VNET_DEFINE_STATIC(pfil_hook_t, pf_ip4_in_hook);
5272 VNET_DEFINE_STATIC(pfil_hook_t, pf_ip4_out_hook);
5273 #define V_pf_ip4_in_hook VNET(pf_ip4_in_hook)
5274 #define V_pf_ip4_out_hook VNET(pf_ip4_out_hook)
5277 VNET_DEFINE_STATIC(pfil_hook_t, pf_ip6_in_hook);
5278 VNET_DEFINE_STATIC(pfil_hook_t, pf_ip6_out_hook);
5279 #define V_pf_ip6_in_hook VNET(pf_ip6_in_hook)
5280 #define V_pf_ip6_out_hook VNET(pf_ip6_out_hook)
5286 struct pfil_hook_args pha;
5287 struct pfil_link_args pla;
5290 if (V_pf_pfil_hooked)
5293 pha.pa_version = PFIL_VERSION;
5294 pha.pa_modname = "pf";
5295 pha.pa_ruleset = NULL;
5297 pla.pa_version = PFIL_VERSION;
5300 pha.pa_type = PFIL_TYPE_IP4;
5301 pha.pa_func = pf_check_in;
5302 pha.pa_flags = PFIL_IN;
5303 pha.pa_rulname = "default-in";
5304 V_pf_ip4_in_hook = pfil_add_hook(&pha);
5305 pla.pa_flags = PFIL_IN | PFIL_HEADPTR | PFIL_HOOKPTR;
5306 pla.pa_head = V_inet_pfil_head;
5307 pla.pa_hook = V_pf_ip4_in_hook;
5308 ret = pfil_link(&pla);
5310 pha.pa_func = pf_check_out;
5311 pha.pa_flags = PFIL_OUT;
5312 pha.pa_rulname = "default-out";
5313 V_pf_ip4_out_hook = pfil_add_hook(&pha);
5314 pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
5315 pla.pa_head = V_inet_pfil_head;
5316 pla.pa_hook = V_pf_ip4_out_hook;
5317 ret = pfil_link(&pla);
5321 pha.pa_type = PFIL_TYPE_IP6;
5322 pha.pa_func = pf_check6_in;
5323 pha.pa_flags = PFIL_IN;
5324 pha.pa_rulname = "default-in6";
5325 V_pf_ip6_in_hook = pfil_add_hook(&pha);
5326 pla.pa_flags = PFIL_IN | PFIL_HEADPTR | PFIL_HOOKPTR;
5327 pla.pa_head = V_inet6_pfil_head;
5328 pla.pa_hook = V_pf_ip6_in_hook;
5329 ret = pfil_link(&pla);
5331 pha.pa_func = pf_check6_out;
5332 pha.pa_rulname = "default-out6";
5333 pha.pa_flags = PFIL_OUT;
5334 V_pf_ip6_out_hook = pfil_add_hook(&pha);
5335 pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
5336 pla.pa_head = V_inet6_pfil_head;
5337 pla.pa_hook = V_pf_ip6_out_hook;
5338 ret = pfil_link(&pla);
5342 V_pf_pfil_hooked = 1;
5349 if (V_pf_pfil_hooked == 0)
5353 pfil_remove_hook(V_pf_ip4_in_hook);
5354 pfil_remove_hook(V_pf_ip4_out_hook);
5357 pfil_remove_hook(V_pf_ip6_in_hook);
5358 pfil_remove_hook(V_pf_ip6_out_hook);
5361 V_pf_pfil_hooked = 0;
5367 V_pf_tag_z = uma_zcreate("pf tags", sizeof(struct pf_tagname),
5368 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
5370 pf_init_tagset(&V_pf_tags, &pf_rule_tag_hashsize,
5371 PF_RULE_TAG_HASH_SIZE_DEFAULT);
5373 pf_init_tagset(&V_pf_qids, &pf_queue_tag_hashsize,
5374 PF_QUEUE_TAG_HASH_SIZE_DEFAULT);
5378 V_pf_vnet_active = 1;
5386 rm_init(&pf_rules_lock, "pf rulesets");
5387 sx_init(&pf_ioctl_lock, "pf ioctl");
5388 sx_init(&pf_end_lock, "pf end thread");
5390 pf_mtag_initialize();
5392 pf_dev = make_dev(&pf_cdevsw, 0, UID_ROOT, GID_WHEEL, 0600, PF_NAME);
5397 error = kproc_create(pf_purge_thread, NULL, &pf_purge_proc, 0, 0, "pf purge");
5407 pf_unload_vnet(void)
5411 V_pf_vnet_active = 0;
5412 V_pf_status.running = 0;
5419 ret = swi_remove(V_pf_swi_cookie);
5421 ret = intr_event_destroy(V_pf_swi_ie);
5424 pf_unload_vnet_purge();
5426 pf_normalize_cleanup();
5433 if (IS_DEFAULT_VNET(curvnet))
5436 pf_cleanup_tagset(&V_pf_tags);
5438 pf_cleanup_tagset(&V_pf_qids);
5440 uma_zdestroy(V_pf_tag_z);
5442 /* Free counters last as we updated them during shutdown. */
5443 counter_u64_free(V_pf_default_rule.evaluations);
5444 for (int i = 0; i < 2; i++) {
5445 counter_u64_free(V_pf_default_rule.packets[i]);
5446 counter_u64_free(V_pf_default_rule.bytes[i]);
5448 counter_u64_free(V_pf_default_rule.states_cur);
5449 counter_u64_free(V_pf_default_rule.states_tot);
5450 counter_u64_free(V_pf_default_rule.src_nodes);
5452 for (int i = 0; i < PFRES_MAX; i++)
5453 counter_u64_free(V_pf_status.counters[i]);
5454 for (int i = 0; i < LCNT_MAX; i++)
5455 counter_u64_free(V_pf_status.lcounters[i]);
5456 for (int i = 0; i < FCNT_MAX; i++)
5457 counter_u64_free(V_pf_status.fcounters[i]);
5458 for (int i = 0; i < SCNT_MAX; i++)
5459 counter_u64_free(V_pf_status.scounters[i]);
5466 sx_xlock(&pf_end_lock);
5468 while (pf_end_threads < 2) {
5469 wakeup_one(pf_purge_thread);
5470 sx_sleep(pf_purge_proc, &pf_end_lock, 0, "pftmo", 0);
5472 sx_xunlock(&pf_end_lock);
5475 destroy_dev(pf_dev);
5479 rm_destroy(&pf_rules_lock);
5480 sx_destroy(&pf_ioctl_lock);
5481 sx_destroy(&pf_end_lock);
5485 vnet_pf_init(void *unused __unused)
5490 VNET_SYSINIT(vnet_pf_init, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD,
5491 vnet_pf_init, NULL);
5494 vnet_pf_uninit(const void *unused __unused)
5499 SYSUNINIT(pf_unload, SI_SUB_PROTO_FIREWALL, SI_ORDER_SECOND, pf_unload, NULL);
5500 VNET_SYSUNINIT(vnet_pf_uninit, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD,
5501 vnet_pf_uninit, NULL);
5504 pf_modevent(module_t mod, int type, void *data)
5513 /* Handled in SYSUNINIT(pf_unload) to ensure it's done after
5514 * the vnet_pf_uninit()s */
5524 static moduledata_t pf_mod = {
5530 DECLARE_MODULE(pf, pf_mod, SI_SUB_PROTO_FIREWALL, SI_ORDER_SECOND);
5531 MODULE_VERSION(pf, PF_MODVER);
projects / FreeBSD / FreeBSD.git / blob