2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2001 Daniel Hartmeier
5 * Copyright (c) 2002,2003 Henning Brauer
6 * Copyright (c) 2012 Gleb Smirnoff <glebius@FreeBSD.org>
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * - Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * - Redistributions in binary form must reproduce the above
16 * copyright notice, this list of conditions and the following
17 * disclaimer in the documentation and/or other materials provided
18 * with the distribution.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
28 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
30 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
33 * Effort sponsored in part by the Defense Advanced Research Projects
34 * Agency (DARPA) and Air Force Research Laboratory, Air Force
35 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
37 * $OpenBSD: pf_ioctl.c,v 1.213 2009/02/15 21:46:12 mbalmer Exp $
40 #include <sys/cdefs.h>
41 __FBSDID("$FreeBSD$");
44 #include "opt_inet6.h"
48 #include <sys/param.h>
49 #include <sys/_bitset.h>
50 #include <sys/bitset.h>
53 #include <sys/endian.h>
54 #include <sys/fcntl.h>
55 #include <sys/filio.h>
57 #include <sys/interrupt.h>
59 #include <sys/kernel.h>
60 #include <sys/kthread.h>
63 #include <sys/module.h>
67 #include <sys/socket.h>
68 #include <sys/sysctl.h>
70 #include <sys/ucred.h>
73 #include <net/if_var.h>
75 #include <net/route.h>
77 #include <net/pfvar.h>
78 #include <net/if_pfsync.h>
79 #include <net/if_pflog.h>
81 #include <netinet/in.h>
82 #include <netinet/ip.h>
83 #include <netinet/ip_var.h>
84 #include <netinet6/ip6_var.h>
85 #include <netinet/ip_icmp.h>
86 #include <netpfil/pf/pf_nv.h>
89 #include <netinet/ip6.h>
93 #include <net/altq/altq.h>
96 static struct pf_kpool *pf_get_kpool(char *, u_int32_t, u_int8_t, u_int32_t,
97 u_int8_t, u_int8_t, u_int8_t);
99 static void pf_mv_kpool(struct pf_kpalist *, struct pf_kpalist *);
100 static void pf_empty_kpool(struct pf_kpalist *);
101 static int pfioctl(struct cdev *, u_long, caddr_t, int,
104 static int pf_begin_altq(u_int32_t *);
105 static int pf_rollback_altq(u_int32_t);
106 static int pf_commit_altq(u_int32_t);
107 static int pf_enable_altq(struct pf_altq *);
108 static int pf_disable_altq(struct pf_altq *);
109 static u_int32_t pf_qname2qid(char *);
110 static void pf_qid_unref(u_int32_t);
112 static int pf_begin_rules(u_int32_t *, int, const char *);
113 static int pf_rollback_rules(u_int32_t, int, char *);
114 static int pf_setup_pfsync_matching(struct pf_kruleset *);
115 static void pf_hash_rule(MD5_CTX *, struct pf_krule *);
116 static void pf_hash_rule_addr(MD5_CTX *, struct pf_rule_addr *);
117 static int pf_commit_rules(u_int32_t, int, char *);
118 static int pf_addr_setup(struct pf_kruleset *,
119 struct pf_addr_wrap *, sa_family_t);
120 static void pf_addr_copyout(struct pf_addr_wrap *);
121 static void pf_src_node_copy(const struct pf_ksrc_node *,
122 struct pf_src_node *);
124 static int pf_export_kaltq(struct pf_altq *,
125 struct pfioc_altq_v1 *, size_t);
126 static int pf_import_kaltq(struct pfioc_altq_v1 *,
127 struct pf_altq *, size_t);
130 VNET_DEFINE(struct pf_krule, pf_default_rule);
133 VNET_DEFINE_STATIC(int, pf_altq_running);
134 #define V_pf_altq_running VNET(pf_altq_running)
137 #define TAGID_MAX 50000
139 TAILQ_ENTRY(pf_tagname) namehash_entries;
140 TAILQ_ENTRY(pf_tagname) taghash_entries;
141 char name[PF_TAG_NAME_SIZE];
147 TAILQ_HEAD(, pf_tagname) *namehash;
148 TAILQ_HEAD(, pf_tagname) *taghash;
151 BITSET_DEFINE(, TAGID_MAX) avail;
154 VNET_DEFINE(struct pf_tagset, pf_tags);
155 #define V_pf_tags VNET(pf_tags)
156 static unsigned int pf_rule_tag_hashsize;
157 #define PF_RULE_TAG_HASH_SIZE_DEFAULT 128
158 SYSCTL_UINT(_net_pf, OID_AUTO, rule_tag_hashsize, CTLFLAG_RDTUN,
159 &pf_rule_tag_hashsize, PF_RULE_TAG_HASH_SIZE_DEFAULT,
160 "Size of pf(4) rule tag hashtable");
163 VNET_DEFINE(struct pf_tagset, pf_qids);
164 #define V_pf_qids VNET(pf_qids)
165 static unsigned int pf_queue_tag_hashsize;
166 #define PF_QUEUE_TAG_HASH_SIZE_DEFAULT 128
167 SYSCTL_UINT(_net_pf, OID_AUTO, queue_tag_hashsize, CTLFLAG_RDTUN,
168 &pf_queue_tag_hashsize, PF_QUEUE_TAG_HASH_SIZE_DEFAULT,
169 "Size of pf(4) queue tag hashtable");
171 VNET_DEFINE(uma_zone_t, pf_tag_z);
172 #define V_pf_tag_z VNET(pf_tag_z)
173 static MALLOC_DEFINE(M_PFALTQ, "pf_altq", "pf(4) altq configuration db");
174 static MALLOC_DEFINE(M_PFRULE, "pf_rule", "pf(4) rules");
176 #if (PF_QNAME_SIZE != PF_TAG_NAME_SIZE)
177 #error PF_QNAME_SIZE must be equal to PF_TAG_NAME_SIZE
180 static void pf_init_tagset(struct pf_tagset *, unsigned int *,
182 static void pf_cleanup_tagset(struct pf_tagset *);
183 static uint16_t tagname2hashindex(const struct pf_tagset *, const char *);
184 static uint16_t tag2hashindex(const struct pf_tagset *, uint16_t);
185 static u_int16_t tagname2tag(struct pf_tagset *, char *);
186 static u_int16_t pf_tagname2tag(char *);
187 static void tag_unref(struct pf_tagset *, u_int16_t);
189 #define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x
194 * XXX - These are new and need to be checked when moveing to a new version
196 static void pf_clear_states(void);
197 static int pf_clear_tables(void);
198 static void pf_clear_srcnodes(struct pf_ksrc_node *);
199 static void pf_kill_srcnodes(struct pfioc_src_node_kill *);
200 static int pf_keepcounters(struct pfioc_nv *);
201 static void pf_tbladdr_copyout(struct pf_addr_wrap *);
204 * Wrapper functions for pfil(9) hooks
207 static pfil_return_t pf_check_in(struct mbuf **m, struct ifnet *ifp,
208 int flags, void *ruleset __unused, struct inpcb *inp);
209 static pfil_return_t pf_check_out(struct mbuf **m, struct ifnet *ifp,
210 int flags, void *ruleset __unused, struct inpcb *inp);
213 static pfil_return_t pf_check6_in(struct mbuf **m, struct ifnet *ifp,
214 int flags, void *ruleset __unused, struct inpcb *inp);
215 static pfil_return_t pf_check6_out(struct mbuf **m, struct ifnet *ifp,
216 int flags, void *ruleset __unused, struct inpcb *inp);
219 static void hook_pf(void);
220 static void dehook_pf(void);
221 static int shutdown_pf(void);
222 static int pf_load(void);
223 static void pf_unload(void);
225 static struct cdevsw pf_cdevsw = {
228 .d_version = D_VERSION,
231 volatile VNET_DEFINE_STATIC(int, pf_pfil_hooked);
232 #define V_pf_pfil_hooked VNET(pf_pfil_hooked)
235 * We need a flag that is neither hooked nor running to know when
236 * the VNET is "valid". We primarily need this to control (global)
237 * external event, e.g., eventhandlers.
239 VNET_DEFINE(int, pf_vnet_active);
240 #define V_pf_vnet_active VNET(pf_vnet_active)
243 struct proc *pf_purge_proc;
245 struct rmlock pf_rules_lock;
246 struct sx pf_ioctl_lock;
247 struct sx pf_end_lock;
250 VNET_DEFINE(pfsync_state_import_t *, pfsync_state_import_ptr);
251 VNET_DEFINE(pfsync_insert_state_t *, pfsync_insert_state_ptr);
252 VNET_DEFINE(pfsync_update_state_t *, pfsync_update_state_ptr);
253 VNET_DEFINE(pfsync_delete_state_t *, pfsync_delete_state_ptr);
254 VNET_DEFINE(pfsync_clear_states_t *, pfsync_clear_states_ptr);
255 VNET_DEFINE(pfsync_defer_t *, pfsync_defer_ptr);
256 pfsync_detach_ifnet_t *pfsync_detach_ifnet_ptr;
259 pflog_packet_t *pflog_packet_ptr = NULL;
261 extern u_long pf_ioctl_maxcount;
266 u_int32_t *my_timeout = V_pf_default_rule.timeout;
270 pfi_initialize_vnet();
273 V_pf_limits[PF_LIMIT_STATES].limit = PFSTATE_HIWAT;
274 V_pf_limits[PF_LIMIT_SRC_NODES].limit = PFSNODE_HIWAT;
276 RB_INIT(&V_pf_anchors);
277 pf_init_kruleset(&pf_main_ruleset);
279 /* default rule should never be garbage collected */
280 V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
281 #ifdef PF_DEFAULT_TO_DROP
282 V_pf_default_rule.action = PF_DROP;
284 V_pf_default_rule.action = PF_PASS;
286 V_pf_default_rule.nr = -1;
287 V_pf_default_rule.rtableid = -1;
289 V_pf_default_rule.evaluations = counter_u64_alloc(M_WAITOK);
290 for (int i = 0; i < 2; i++) {
291 V_pf_default_rule.packets[i] = counter_u64_alloc(M_WAITOK);
292 V_pf_default_rule.bytes[i] = counter_u64_alloc(M_WAITOK);
294 V_pf_default_rule.states_cur = counter_u64_alloc(M_WAITOK);
295 V_pf_default_rule.states_tot = counter_u64_alloc(M_WAITOK);
296 V_pf_default_rule.src_nodes = counter_u64_alloc(M_WAITOK);
298 /* initialize default timeouts */
299 my_timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
300 my_timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL;
301 my_timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL;
302 my_timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL;
303 my_timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL;
304 my_timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL;
305 my_timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL;
306 my_timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL;
307 my_timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL;
308 my_timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL;
309 my_timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL;
310 my_timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL;
311 my_timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL;
312 my_timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL;
313 my_timeout[PFTM_FRAG] = PFTM_FRAG_VAL;
314 my_timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL;
315 my_timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL;
316 my_timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
317 my_timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;
318 my_timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;
320 bzero(&V_pf_status, sizeof(V_pf_status));
321 V_pf_status.debug = PF_DEBUG_URGENT;
323 V_pf_pfil_hooked = 0;
325 /* XXX do our best to avoid a conflict */
326 V_pf_status.hostid = arc4random();
328 for (int i = 0; i < PFRES_MAX; i++)
329 V_pf_status.counters[i] = counter_u64_alloc(M_WAITOK);
330 for (int i = 0; i < LCNT_MAX; i++)
331 V_pf_status.lcounters[i] = counter_u64_alloc(M_WAITOK);
332 for (int i = 0; i < FCNT_MAX; i++)
333 V_pf_status.fcounters[i] = counter_u64_alloc(M_WAITOK);
334 for (int i = 0; i < SCNT_MAX; i++)
335 V_pf_status.scounters[i] = counter_u64_alloc(M_WAITOK);
337 if (swi_add(&V_pf_swi_ie, "pf send", pf_intr, curvnet, SWI_NET,
338 INTR_MPSAFE, &V_pf_swi_cookie) != 0)
339 /* XXXGL: leaked all above. */
343 static struct pf_kpool *
344 pf_get_kpool(char *anchor, u_int32_t ticket, u_int8_t rule_action,
345 u_int32_t rule_number, u_int8_t r_last, u_int8_t active,
346 u_int8_t check_ticket)
348 struct pf_kruleset *ruleset;
349 struct pf_krule *rule;
352 ruleset = pf_find_kruleset(anchor);
355 rs_num = pf_get_ruleset_number(rule_action);
356 if (rs_num >= PF_RULESET_MAX)
359 if (check_ticket && ticket !=
360 ruleset->rules[rs_num].active.ticket)
363 rule = TAILQ_LAST(ruleset->rules[rs_num].active.ptr,
366 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
368 if (check_ticket && ticket !=
369 ruleset->rules[rs_num].inactive.ticket)
372 rule = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
375 rule = TAILQ_FIRST(ruleset->rules[rs_num].inactive.ptr);
378 while ((rule != NULL) && (rule->nr != rule_number))
379 rule = TAILQ_NEXT(rule, entries);
384 return (&rule->rpool);
388 pf_mv_kpool(struct pf_kpalist *poola, struct pf_kpalist *poolb)
390 struct pf_kpooladdr *mv_pool_pa;
392 while ((mv_pool_pa = TAILQ_FIRST(poola)) != NULL) {
393 TAILQ_REMOVE(poola, mv_pool_pa, entries);
394 TAILQ_INSERT_TAIL(poolb, mv_pool_pa, entries);
399 pf_empty_kpool(struct pf_kpalist *poola)
401 struct pf_kpooladdr *pa;
403 while ((pa = TAILQ_FIRST(poola)) != NULL) {
404 switch (pa->addr.type) {
405 case PF_ADDR_DYNIFTL:
406 pfi_dynaddr_remove(pa->addr.p.dyn);
409 /* XXX: this could be unfinished pooladdr on pabuf */
410 if (pa->addr.p.tbl != NULL)
411 pfr_detach_table(pa->addr.p.tbl);
415 pfi_kkif_unref(pa->kif);
416 TAILQ_REMOVE(poola, pa, entries);
422 pf_unlink_rule(struct pf_krulequeue *rulequeue, struct pf_krule *rule)
427 TAILQ_REMOVE(rulequeue, rule, entries);
429 PF_UNLNKDRULES_LOCK();
430 rule->rule_ref |= PFRULE_REFS;
431 TAILQ_INSERT_TAIL(&V_pf_unlinked_rules, rule, entries);
432 PF_UNLNKDRULES_UNLOCK();
436 pf_free_rule(struct pf_krule *rule)
442 tag_unref(&V_pf_tags, rule->tag);
444 tag_unref(&V_pf_tags, rule->match_tag);
446 if (rule->pqid != rule->qid)
447 pf_qid_unref(rule->pqid);
448 pf_qid_unref(rule->qid);
450 switch (rule->src.addr.type) {
451 case PF_ADDR_DYNIFTL:
452 pfi_dynaddr_remove(rule->src.addr.p.dyn);
455 pfr_detach_table(rule->src.addr.p.tbl);
458 switch (rule->dst.addr.type) {
459 case PF_ADDR_DYNIFTL:
460 pfi_dynaddr_remove(rule->dst.addr.p.dyn);
463 pfr_detach_table(rule->dst.addr.p.tbl);
466 if (rule->overload_tbl)
467 pfr_detach_table(rule->overload_tbl);
469 pfi_kkif_unref(rule->kif);
470 pf_kanchor_remove(rule);
471 pf_empty_kpool(&rule->rpool.list);
477 pf_init_tagset(struct pf_tagset *ts, unsigned int *tunable_size,
478 unsigned int default_size)
481 unsigned int hashsize;
483 if (*tunable_size == 0 || !powerof2(*tunable_size))
484 *tunable_size = default_size;
486 hashsize = *tunable_size;
487 ts->namehash = mallocarray(hashsize, sizeof(*ts->namehash), M_PFHASH,
489 ts->taghash = mallocarray(hashsize, sizeof(*ts->taghash), M_PFHASH,
491 ts->mask = hashsize - 1;
492 ts->seed = arc4random();
493 for (i = 0; i < hashsize; i++) {
494 TAILQ_INIT(&ts->namehash[i]);
495 TAILQ_INIT(&ts->taghash[i]);
497 BIT_FILL(TAGID_MAX, &ts->avail);
501 pf_cleanup_tagset(struct pf_tagset *ts)
504 unsigned int hashsize;
505 struct pf_tagname *t, *tmp;
508 * Only need to clean up one of the hashes as each tag is hashed
511 hashsize = ts->mask + 1;
512 for (i = 0; i < hashsize; i++)
513 TAILQ_FOREACH_SAFE(t, &ts->namehash[i], namehash_entries, tmp)
514 uma_zfree(V_pf_tag_z, t);
516 free(ts->namehash, M_PFHASH);
517 free(ts->taghash, M_PFHASH);
521 tagname2hashindex(const struct pf_tagset *ts, const char *tagname)
525 len = strnlen(tagname, PF_TAG_NAME_SIZE - 1);
526 return (murmur3_32_hash(tagname, len, ts->seed) & ts->mask);
530 tag2hashindex(const struct pf_tagset *ts, uint16_t tag)
533 return (tag & ts->mask);
537 tagname2tag(struct pf_tagset *ts, char *tagname)
539 struct pf_tagname *tag;
545 index = tagname2hashindex(ts, tagname);
546 TAILQ_FOREACH(tag, &ts->namehash[index], namehash_entries)
547 if (strcmp(tagname, tag->name) == 0) {
555 * to avoid fragmentation, we do a linear search from the beginning
556 * and take the first free slot we find.
558 new_tagid = BIT_FFS(TAGID_MAX, &ts->avail);
560 * Tags are 1-based, with valid tags in the range [1..TAGID_MAX].
561 * BIT_FFS() returns a 1-based bit number, with 0 indicating no bits
562 * set. It may also return a bit number greater than TAGID_MAX due
563 * to rounding of the number of bits in the vector up to a multiple
564 * of the vector word size at declaration/allocation time.
566 if ((new_tagid == 0) || (new_tagid > TAGID_MAX))
569 /* Mark the tag as in use. Bits are 0-based for BIT_CLR() */
570 BIT_CLR(TAGID_MAX, new_tagid - 1, &ts->avail);
572 /* allocate and fill new struct pf_tagname */
573 tag = uma_zalloc(V_pf_tag_z, M_NOWAIT);
576 strlcpy(tag->name, tagname, sizeof(tag->name));
577 tag->tag = new_tagid;
580 /* Insert into namehash */
581 TAILQ_INSERT_TAIL(&ts->namehash[index], tag, namehash_entries);
583 /* Insert into taghash */
584 index = tag2hashindex(ts, new_tagid);
585 TAILQ_INSERT_TAIL(&ts->taghash[index], tag, taghash_entries);
591 tag_unref(struct pf_tagset *ts, u_int16_t tag)
593 struct pf_tagname *t;
598 index = tag2hashindex(ts, tag);
599 TAILQ_FOREACH(t, &ts->taghash[index], taghash_entries)
602 TAILQ_REMOVE(&ts->taghash[index], t,
604 index = tagname2hashindex(ts, t->name);
605 TAILQ_REMOVE(&ts->namehash[index], t,
607 /* Bits are 0-based for BIT_SET() */
608 BIT_SET(TAGID_MAX, tag - 1, &ts->avail);
609 uma_zfree(V_pf_tag_z, t);
616 pf_tagname2tag(char *tagname)
618 return (tagname2tag(&V_pf_tags, tagname));
623 pf_qname2qid(char *qname)
625 return ((u_int32_t)tagname2tag(&V_pf_qids, qname));
629 pf_qid_unref(u_int32_t qid)
631 tag_unref(&V_pf_qids, (u_int16_t)qid);
635 pf_begin_altq(u_int32_t *ticket)
637 struct pf_altq *altq, *tmp;
642 /* Purge the old altq lists */
643 TAILQ_FOREACH_SAFE(altq, V_pf_altq_ifs_inactive, entries, tmp) {
644 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
645 /* detach and destroy the discipline */
646 error = altq_remove(altq);
648 free(altq, M_PFALTQ);
650 TAILQ_INIT(V_pf_altq_ifs_inactive);
651 TAILQ_FOREACH_SAFE(altq, V_pf_altqs_inactive, entries, tmp) {
652 pf_qid_unref(altq->qid);
653 free(altq, M_PFALTQ);
655 TAILQ_INIT(V_pf_altqs_inactive);
658 *ticket = ++V_ticket_altqs_inactive;
659 V_altqs_inactive_open = 1;
664 pf_rollback_altq(u_int32_t ticket)
666 struct pf_altq *altq, *tmp;
671 if (!V_altqs_inactive_open || ticket != V_ticket_altqs_inactive)
673 /* Purge the old altq lists */
674 TAILQ_FOREACH_SAFE(altq, V_pf_altq_ifs_inactive, entries, tmp) {
675 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
676 /* detach and destroy the discipline */
677 error = altq_remove(altq);
679 free(altq, M_PFALTQ);
681 TAILQ_INIT(V_pf_altq_ifs_inactive);
682 TAILQ_FOREACH_SAFE(altq, V_pf_altqs_inactive, entries, tmp) {
683 pf_qid_unref(altq->qid);
684 free(altq, M_PFALTQ);
686 TAILQ_INIT(V_pf_altqs_inactive);
687 V_altqs_inactive_open = 0;
692 pf_commit_altq(u_int32_t ticket)
694 struct pf_altqqueue *old_altqs, *old_altq_ifs;
695 struct pf_altq *altq, *tmp;
700 if (!V_altqs_inactive_open || ticket != V_ticket_altqs_inactive)
703 /* swap altqs, keep the old. */
704 old_altqs = V_pf_altqs_active;
705 old_altq_ifs = V_pf_altq_ifs_active;
706 V_pf_altqs_active = V_pf_altqs_inactive;
707 V_pf_altq_ifs_active = V_pf_altq_ifs_inactive;
708 V_pf_altqs_inactive = old_altqs;
709 V_pf_altq_ifs_inactive = old_altq_ifs;
710 V_ticket_altqs_active = V_ticket_altqs_inactive;
712 /* Attach new disciplines */
713 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
714 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
715 /* attach the discipline */
716 error = altq_pfattach(altq);
717 if (error == 0 && V_pf_altq_running)
718 error = pf_enable_altq(altq);
724 /* Purge the old altq lists */
725 TAILQ_FOREACH_SAFE(altq, V_pf_altq_ifs_inactive, entries, tmp) {
726 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
727 /* detach and destroy the discipline */
728 if (V_pf_altq_running)
729 error = pf_disable_altq(altq);
730 err = altq_pfdetach(altq);
731 if (err != 0 && error == 0)
733 err = altq_remove(altq);
734 if (err != 0 && error == 0)
737 free(altq, M_PFALTQ);
739 TAILQ_INIT(V_pf_altq_ifs_inactive);
740 TAILQ_FOREACH_SAFE(altq, V_pf_altqs_inactive, entries, tmp) {
741 pf_qid_unref(altq->qid);
742 free(altq, M_PFALTQ);
744 TAILQ_INIT(V_pf_altqs_inactive);
746 V_altqs_inactive_open = 0;
751 pf_enable_altq(struct pf_altq *altq)
754 struct tb_profile tb;
757 if ((ifp = ifunit(altq->ifname)) == NULL)
760 if (ifp->if_snd.altq_type != ALTQT_NONE)
761 error = altq_enable(&ifp->if_snd);
763 /* set tokenbucket regulator */
764 if (error == 0 && ifp != NULL && ALTQ_IS_ENABLED(&ifp->if_snd)) {
765 tb.rate = altq->ifbandwidth;
766 tb.depth = altq->tbrsize;
767 error = tbr_set(&ifp->if_snd, &tb);
774 pf_disable_altq(struct pf_altq *altq)
777 struct tb_profile tb;
780 if ((ifp = ifunit(altq->ifname)) == NULL)
784 * when the discipline is no longer referenced, it was overridden
785 * by a new one. if so, just return.
787 if (altq->altq_disc != ifp->if_snd.altq_disc)
790 error = altq_disable(&ifp->if_snd);
793 /* clear tokenbucket regulator */
795 error = tbr_set(&ifp->if_snd, &tb);
802 pf_altq_ifnet_event_add(struct ifnet *ifp, int remove, u_int32_t ticket,
803 struct pf_altq *altq)
808 /* Deactivate the interface in question */
809 altq->local_flags &= ~PFALTQ_FLAG_IF_REMOVED;
810 if ((ifp1 = ifunit(altq->ifname)) == NULL ||
811 (remove && ifp1 == ifp)) {
812 altq->local_flags |= PFALTQ_FLAG_IF_REMOVED;
814 error = altq_add(ifp1, altq);
816 if (ticket != V_ticket_altqs_inactive)
820 free(altq, M_PFALTQ);
827 pf_altq_ifnet_event(struct ifnet *ifp, int remove)
829 struct pf_altq *a1, *a2, *a3;
834 * No need to re-evaluate the configuration for events on interfaces
835 * that do not support ALTQ, as it's not possible for such
836 * interfaces to be part of the configuration.
838 if (!ALTQ_IS_READY(&ifp->if_snd))
841 /* Interrupt userland queue modifications */
842 if (V_altqs_inactive_open)
843 pf_rollback_altq(V_ticket_altqs_inactive);
845 /* Start new altq ruleset */
846 if (pf_begin_altq(&ticket))
849 /* Copy the current active set */
850 TAILQ_FOREACH(a1, V_pf_altq_ifs_active, entries) {
851 a2 = malloc(sizeof(*a2), M_PFALTQ, M_NOWAIT);
856 bcopy(a1, a2, sizeof(struct pf_altq));
858 error = pf_altq_ifnet_event_add(ifp, remove, ticket, a2);
862 TAILQ_INSERT_TAIL(V_pf_altq_ifs_inactive, a2, entries);
866 TAILQ_FOREACH(a1, V_pf_altqs_active, entries) {
867 a2 = malloc(sizeof(*a2), M_PFALTQ, M_NOWAIT);
872 bcopy(a1, a2, sizeof(struct pf_altq));
874 if ((a2->qid = pf_qname2qid(a2->qname)) == 0) {
879 a2->altq_disc = NULL;
880 TAILQ_FOREACH(a3, V_pf_altq_ifs_inactive, entries) {
881 if (strncmp(a3->ifname, a2->ifname,
883 a2->altq_disc = a3->altq_disc;
887 error = pf_altq_ifnet_event_add(ifp, remove, ticket, a2);
891 TAILQ_INSERT_TAIL(V_pf_altqs_inactive, a2, entries);
896 pf_rollback_altq(ticket);
898 pf_commit_altq(ticket);
903 pf_begin_rules(u_int32_t *ticket, int rs_num, const char *anchor)
905 struct pf_kruleset *rs;
906 struct pf_krule *rule;
910 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
912 rs = pf_find_or_create_kruleset(anchor);
915 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
916 pf_unlink_rule(rs->rules[rs_num].inactive.ptr, rule);
917 rs->rules[rs_num].inactive.rcount--;
919 *ticket = ++rs->rules[rs_num].inactive.ticket;
920 rs->rules[rs_num].inactive.open = 1;
925 pf_rollback_rules(u_int32_t ticket, int rs_num, char *anchor)
927 struct pf_kruleset *rs;
928 struct pf_krule *rule;
932 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
934 rs = pf_find_kruleset(anchor);
935 if (rs == NULL || !rs->rules[rs_num].inactive.open ||
936 rs->rules[rs_num].inactive.ticket != ticket)
938 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
939 pf_unlink_rule(rs->rules[rs_num].inactive.ptr, rule);
940 rs->rules[rs_num].inactive.rcount--;
942 rs->rules[rs_num].inactive.open = 0;
946 #define PF_MD5_UPD(st, elm) \
947 MD5Update(ctx, (u_int8_t *) &(st)->elm, sizeof((st)->elm))
949 #define PF_MD5_UPD_STR(st, elm) \
950 MD5Update(ctx, (u_int8_t *) (st)->elm, strlen((st)->elm))
952 #define PF_MD5_UPD_HTONL(st, elm, stor) do { \
953 (stor) = htonl((st)->elm); \
954 MD5Update(ctx, (u_int8_t *) &(stor), sizeof(u_int32_t));\
957 #define PF_MD5_UPD_HTONS(st, elm, stor) do { \
958 (stor) = htons((st)->elm); \
959 MD5Update(ctx, (u_int8_t *) &(stor), sizeof(u_int16_t));\
963 pf_hash_rule_addr(MD5_CTX *ctx, struct pf_rule_addr *pfr)
965 PF_MD5_UPD(pfr, addr.type);
966 switch (pfr->addr.type) {
967 case PF_ADDR_DYNIFTL:
968 PF_MD5_UPD(pfr, addr.v.ifname);
969 PF_MD5_UPD(pfr, addr.iflags);
972 PF_MD5_UPD(pfr, addr.v.tblname);
974 case PF_ADDR_ADDRMASK:
976 PF_MD5_UPD(pfr, addr.v.a.addr.addr32);
977 PF_MD5_UPD(pfr, addr.v.a.mask.addr32);
981 PF_MD5_UPD(pfr, port[0]);
982 PF_MD5_UPD(pfr, port[1]);
983 PF_MD5_UPD(pfr, neg);
984 PF_MD5_UPD(pfr, port_op);
988 pf_hash_rule(MD5_CTX *ctx, struct pf_krule *rule)
993 pf_hash_rule_addr(ctx, &rule->src);
994 pf_hash_rule_addr(ctx, &rule->dst);
995 PF_MD5_UPD_STR(rule, label);
996 PF_MD5_UPD_STR(rule, ifname);
997 PF_MD5_UPD_STR(rule, match_tagname);
998 PF_MD5_UPD_HTONS(rule, match_tag, x); /* dup? */
999 PF_MD5_UPD_HTONL(rule, os_fingerprint, y);
1000 PF_MD5_UPD_HTONL(rule, prob, y);
1001 PF_MD5_UPD_HTONL(rule, uid.uid[0], y);
1002 PF_MD5_UPD_HTONL(rule, uid.uid[1], y);
1003 PF_MD5_UPD(rule, uid.op);
1004 PF_MD5_UPD_HTONL(rule, gid.gid[0], y);
1005 PF_MD5_UPD_HTONL(rule, gid.gid[1], y);
1006 PF_MD5_UPD(rule, gid.op);
1007 PF_MD5_UPD_HTONL(rule, rule_flag, y);
1008 PF_MD5_UPD(rule, action);
1009 PF_MD5_UPD(rule, direction);
1010 PF_MD5_UPD(rule, af);
1011 PF_MD5_UPD(rule, quick);
1012 PF_MD5_UPD(rule, ifnot);
1013 PF_MD5_UPD(rule, match_tag_not);
1014 PF_MD5_UPD(rule, natpass);
1015 PF_MD5_UPD(rule, keep_state);
1016 PF_MD5_UPD(rule, proto);
1017 PF_MD5_UPD(rule, type);
1018 PF_MD5_UPD(rule, code);
1019 PF_MD5_UPD(rule, flags);
1020 PF_MD5_UPD(rule, flagset);
1021 PF_MD5_UPD(rule, allow_opts);
1022 PF_MD5_UPD(rule, rt);
1023 PF_MD5_UPD(rule, tos);
1027 pf_krule_compare(struct pf_krule *a, struct pf_krule *b)
1030 u_int8_t digest[2][PF_MD5_DIGEST_LENGTH];
1034 pf_hash_rule(&ctx[0], a);
1035 pf_hash_rule(&ctx[1], b);
1036 MD5Final(digest[0], &ctx[0]);
1037 MD5Final(digest[1], &ctx[1]);
1039 return (memcmp(digest[0], digest[1], PF_MD5_DIGEST_LENGTH) == 0);
1043 pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor)
1045 struct pf_kruleset *rs;
1046 struct pf_krule *rule, **old_array, *tail;
1047 struct pf_krulequeue *old_rules;
1049 u_int32_t old_rcount;
1053 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
1055 rs = pf_find_kruleset(anchor);
1056 if (rs == NULL || !rs->rules[rs_num].inactive.open ||
1057 ticket != rs->rules[rs_num].inactive.ticket)
1060 /* Calculate checksum for the main ruleset */
1061 if (rs == &pf_main_ruleset) {
1062 error = pf_setup_pfsync_matching(rs);
1067 /* Swap rules, keep the old. */
1068 old_rules = rs->rules[rs_num].active.ptr;
1069 old_rcount = rs->rules[rs_num].active.rcount;
1070 old_array = rs->rules[rs_num].active.ptr_array;
1072 rs->rules[rs_num].active.ptr =
1073 rs->rules[rs_num].inactive.ptr;
1074 rs->rules[rs_num].active.ptr_array =
1075 rs->rules[rs_num].inactive.ptr_array;
1076 rs->rules[rs_num].active.rcount =
1077 rs->rules[rs_num].inactive.rcount;
1079 /* Attempt to preserve counter information. */
1080 if (V_pf_status.keep_counters) {
1081 TAILQ_FOREACH(rule, rs->rules[rs_num].active.ptr,
1083 tail = TAILQ_FIRST(old_rules);
1084 while ((tail != NULL) && ! pf_krule_compare(tail, rule))
1085 tail = TAILQ_NEXT(tail, entries);
1087 counter_u64_add(rule->evaluations,
1088 counter_u64_fetch(tail->evaluations));
1089 counter_u64_add(rule->packets[0],
1090 counter_u64_fetch(tail->packets[0]));
1091 counter_u64_add(rule->packets[1],
1092 counter_u64_fetch(tail->packets[1]));
1093 counter_u64_add(rule->bytes[0],
1094 counter_u64_fetch(tail->bytes[0]));
1095 counter_u64_add(rule->bytes[1],
1096 counter_u64_fetch(tail->bytes[1]));
1101 rs->rules[rs_num].inactive.ptr = old_rules;
1102 rs->rules[rs_num].inactive.ptr_array = old_array;
1103 rs->rules[rs_num].inactive.rcount = old_rcount;
1105 rs->rules[rs_num].active.ticket =
1106 rs->rules[rs_num].inactive.ticket;
1107 pf_calc_skip_steps(rs->rules[rs_num].active.ptr);
1109 /* Purge the old rule list. */
1110 while ((rule = TAILQ_FIRST(old_rules)) != NULL)
1111 pf_unlink_rule(old_rules, rule);
1112 if (rs->rules[rs_num].inactive.ptr_array)
1113 free(rs->rules[rs_num].inactive.ptr_array, M_TEMP);
1114 rs->rules[rs_num].inactive.ptr_array = NULL;
1115 rs->rules[rs_num].inactive.rcount = 0;
1116 rs->rules[rs_num].inactive.open = 0;
1117 pf_remove_if_empty_kruleset(rs);
1123 pf_setup_pfsync_matching(struct pf_kruleset *rs)
1126 struct pf_krule *rule;
1128 u_int8_t digest[PF_MD5_DIGEST_LENGTH];
1131 for (rs_cnt = 0; rs_cnt < PF_RULESET_MAX; rs_cnt++) {
1132 /* XXX PF_RULESET_SCRUB as well? */
1133 if (rs_cnt == PF_RULESET_SCRUB)
1136 if (rs->rules[rs_cnt].inactive.ptr_array)
1137 free(rs->rules[rs_cnt].inactive.ptr_array, M_TEMP);
1138 rs->rules[rs_cnt].inactive.ptr_array = NULL;
1140 if (rs->rules[rs_cnt].inactive.rcount) {
1141 rs->rules[rs_cnt].inactive.ptr_array =
1142 malloc(sizeof(caddr_t) *
1143 rs->rules[rs_cnt].inactive.rcount,
1146 if (!rs->rules[rs_cnt].inactive.ptr_array)
1150 TAILQ_FOREACH(rule, rs->rules[rs_cnt].inactive.ptr,
1152 pf_hash_rule(&ctx, rule);
1153 (rs->rules[rs_cnt].inactive.ptr_array)[rule->nr] = rule;
1157 MD5Final(digest, &ctx);
1158 memcpy(V_pf_status.pf_chksum, digest, sizeof(V_pf_status.pf_chksum));
1163 pf_addr_setup(struct pf_kruleset *ruleset, struct pf_addr_wrap *addr,
1168 switch (addr->type) {
1170 addr->p.tbl = pfr_attach_table(ruleset, addr->v.tblname);
1171 if (addr->p.tbl == NULL)
1174 case PF_ADDR_DYNIFTL:
1175 error = pfi_dynaddr_setup(addr, af);
1183 pf_addr_copyout(struct pf_addr_wrap *addr)
1186 switch (addr->type) {
1187 case PF_ADDR_DYNIFTL:
1188 pfi_dynaddr_copyout(addr);
1191 pf_tbladdr_copyout(addr);
1197 pf_src_node_copy(const struct pf_ksrc_node *in, struct pf_src_node *out)
1199 int secs = time_uptime, diff;
1201 bzero(out, sizeof(struct pf_src_node));
1203 bcopy(&in->addr, &out->addr, sizeof(struct pf_addr));
1204 bcopy(&in->raddr, &out->raddr, sizeof(struct pf_addr));
1206 if (in->rule.ptr != NULL)
1207 out->rule.nr = in->rule.ptr->nr;
1209 for (int i = 0; i < 2; i++) {
1210 out->bytes[i] = counter_u64_fetch(in->bytes[i]);
1211 out->packets[i] = counter_u64_fetch(in->packets[i]);
1214 out->states = in->states;
1215 out->conn = in->conn;
1217 out->ruletype = in->ruletype;
1219 out->creation = secs - in->creation;
1220 if (out->expire > secs)
1221 out->expire -= secs;
1225 /* Adjust the connection rate estimate. */
1226 diff = secs - in->conn_rate.last;
1227 if (diff >= in->conn_rate.seconds)
1228 out->conn_rate.count = 0;
1230 out->conn_rate.count -=
1231 in->conn_rate.count * diff /
1232 in->conn_rate.seconds;
1237 * Handle export of struct pf_kaltq to user binaries that may be using any
1238 * version of struct pf_altq.
1241 pf_export_kaltq(struct pf_altq *q, struct pfioc_altq_v1 *pa, size_t ioc_size)
1245 if (ioc_size == sizeof(struct pfioc_altq_v0))
1248 version = pa->version;
1250 if (version > PFIOC_ALTQ_VERSION)
1253 #define ASSIGN(x) exported_q->x = q->x
1255 bcopy(&q->x, &exported_q->x, min(sizeof(q->x), sizeof(exported_q->x)))
1256 #define SATU16(x) (u_int32_t)uqmin((x), USHRT_MAX)
1257 #define SATU32(x) (u_int32_t)uqmin((x), UINT_MAX)
1261 struct pf_altq_v0 *exported_q =
1262 &((struct pfioc_altq_v0 *)pa)->altq;
1268 exported_q->tbrsize = SATU16(q->tbrsize);
1269 exported_q->ifbandwidth = SATU32(q->ifbandwidth);
1274 exported_q->bandwidth = SATU32(q->bandwidth);
1276 ASSIGN(local_flags);
1281 if (q->scheduler == ALTQT_HFSC) {
1282 #define ASSIGN_OPT(x) exported_q->pq_u.hfsc_opts.x = q->pq_u.hfsc_opts.x
1283 #define ASSIGN_OPT_SATU32(x) exported_q->pq_u.hfsc_opts.x = \
1284 SATU32(q->pq_u.hfsc_opts.x)
1286 ASSIGN_OPT_SATU32(rtsc_m1);
1288 ASSIGN_OPT_SATU32(rtsc_m2);
1290 ASSIGN_OPT_SATU32(lssc_m1);
1292 ASSIGN_OPT_SATU32(lssc_m2);
1294 ASSIGN_OPT_SATU32(ulsc_m1);
1296 ASSIGN_OPT_SATU32(ulsc_m2);
1301 #undef ASSIGN_OPT_SATU32
1309 struct pf_altq_v1 *exported_q =
1310 &((struct pfioc_altq_v1 *)pa)->altq;
1316 ASSIGN(ifbandwidth);
1323 ASSIGN(local_flags);
1333 panic("%s: unhandled struct pfioc_altq version", __func__);
1346 * Handle import to struct pf_kaltq of struct pf_altq from user binaries
1347 * that may be using any version of it.
1350 pf_import_kaltq(struct pfioc_altq_v1 *pa, struct pf_altq *q, size_t ioc_size)
1354 if (ioc_size == sizeof(struct pfioc_altq_v0))
1357 version = pa->version;
1359 if (version > PFIOC_ALTQ_VERSION)
1362 #define ASSIGN(x) q->x = imported_q->x
1364 bcopy(&imported_q->x, &q->x, min(sizeof(imported_q->x), sizeof(q->x)))
1368 struct pf_altq_v0 *imported_q =
1369 &((struct pfioc_altq_v0 *)pa)->altq;
1374 ASSIGN(tbrsize); /* 16-bit -> 32-bit */
1375 ASSIGN(ifbandwidth); /* 32-bit -> 64-bit */
1380 ASSIGN(bandwidth); /* 32-bit -> 64-bit */
1382 ASSIGN(local_flags);
1387 if (imported_q->scheduler == ALTQT_HFSC) {
1388 #define ASSIGN_OPT(x) q->pq_u.hfsc_opts.x = imported_q->pq_u.hfsc_opts.x
1391 * The m1 and m2 parameters are being copied from
1394 ASSIGN_OPT(rtsc_m1);
1396 ASSIGN_OPT(rtsc_m2);
1398 ASSIGN_OPT(lssc_m1);
1400 ASSIGN_OPT(lssc_m2);
1402 ASSIGN_OPT(ulsc_m1);
1404 ASSIGN_OPT(ulsc_m2);
1416 struct pf_altq_v1 *imported_q =
1417 &((struct pfioc_altq_v1 *)pa)->altq;
1423 ASSIGN(ifbandwidth);
1430 ASSIGN(local_flags);
1440 panic("%s: unhandled struct pfioc_altq version", __func__);
1450 static struct pf_altq *
1451 pf_altq_get_nth_active(u_int32_t n)
1453 struct pf_altq *altq;
1457 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
1463 TAILQ_FOREACH(altq, V_pf_altqs_active, entries) {
1474 pf_krule_free(struct pf_krule *rule)
1479 counter_u64_free(rule->evaluations);
1480 for (int i = 0; i < 2; i++) {
1481 counter_u64_free(rule->packets[i]);
1482 counter_u64_free(rule->bytes[i]);
1484 counter_u64_free(rule->states_cur);
1485 counter_u64_free(rule->states_tot);
1486 counter_u64_free(rule->src_nodes);
1487 free(rule, M_PFRULE);
1491 pf_kpooladdr_to_pooladdr(const struct pf_kpooladdr *kpool,
1492 struct pf_pooladdr *pool)
1495 bzero(pool, sizeof(*pool));
1496 bcopy(&kpool->addr, &pool->addr, sizeof(pool->addr));
1497 strlcpy(pool->ifname, kpool->ifname, sizeof(pool->ifname));
1501 pf_pooladdr_to_kpooladdr(const struct pf_pooladdr *pool,
1502 struct pf_kpooladdr *kpool)
1505 bzero(kpool, sizeof(*kpool));
1506 bcopy(&pool->addr, &kpool->addr, sizeof(kpool->addr));
1507 strlcpy(kpool->ifname, pool->ifname, sizeof(kpool->ifname));
1511 pf_kpool_to_pool(const struct pf_kpool *kpool, struct pf_pool *pool)
1513 bzero(pool, sizeof(*pool));
1515 bcopy(&kpool->key, &pool->key, sizeof(pool->key));
1516 bcopy(&kpool->counter, &pool->counter, sizeof(pool->counter));
1518 pool->tblidx = kpool->tblidx;
1519 pool->proxy_port[0] = kpool->proxy_port[0];
1520 pool->proxy_port[1] = kpool->proxy_port[1];
1521 pool->opts = kpool->opts;
1525 pf_pool_to_kpool(const struct pf_pool *pool, struct pf_kpool *kpool)
1527 _Static_assert(sizeof(pool->key) == sizeof(kpool->key), "");
1528 _Static_assert(sizeof(pool->counter) == sizeof(kpool->counter), "");
1530 bzero(kpool, sizeof(*kpool));
1532 bcopy(&pool->key, &kpool->key, sizeof(kpool->key));
1533 bcopy(&pool->counter, &kpool->counter, sizeof(kpool->counter));
1535 kpool->tblidx = pool->tblidx;
1536 kpool->proxy_port[0] = pool->proxy_port[0];
1537 kpool->proxy_port[1] = pool->proxy_port[1];
1538 kpool->opts = pool->opts;
1544 pf_krule_to_rule(const struct pf_krule *krule, struct pf_rule *rule)
1547 bzero(rule, sizeof(*rule));
1549 bcopy(&krule->src, &rule->src, sizeof(rule->src));
1550 bcopy(&krule->dst, &rule->dst, sizeof(rule->dst));
1552 for (int i = 0; i < PF_SKIP_COUNT; ++i) {
1553 if (rule->skip[i].ptr == NULL)
1554 rule->skip[i].nr = -1;
1556 rule->skip[i].nr = krule->skip[i].ptr->nr;
1559 strlcpy(rule->label, krule->label, sizeof(rule->label));
1560 strlcpy(rule->ifname, krule->ifname, sizeof(rule->ifname));
1561 strlcpy(rule->qname, krule->qname, sizeof(rule->qname));
1562 strlcpy(rule->pqname, krule->pqname, sizeof(rule->pqname));
1563 strlcpy(rule->tagname, krule->tagname, sizeof(rule->tagname));
1564 strlcpy(rule->match_tagname, krule->match_tagname,
1565 sizeof(rule->match_tagname));
1566 strlcpy(rule->overload_tblname, krule->overload_tblname,
1567 sizeof(rule->overload_tblname));
1569 pf_kpool_to_pool(&krule->rpool, &rule->rpool);
1571 rule->evaluations = counter_u64_fetch(krule->evaluations);
1572 for (int i = 0; i < 2; i++) {
1573 rule->packets[i] = counter_u64_fetch(krule->packets[i]);
1574 rule->bytes[i] = counter_u64_fetch(krule->bytes[i]);
1577 /* kif, anchor, overload_tbl are not copied over. */
1579 rule->os_fingerprint = krule->os_fingerprint;
1581 rule->rtableid = krule->rtableid;
1582 bcopy(krule->timeout, rule->timeout, sizeof(krule->timeout));
1583 rule->max_states = krule->max_states;
1584 rule->max_src_nodes = krule->max_src_nodes;
1585 rule->max_src_states = krule->max_src_states;
1586 rule->max_src_conn = krule->max_src_conn;
1587 rule->max_src_conn_rate.limit = krule->max_src_conn_rate.limit;
1588 rule->max_src_conn_rate.seconds = krule->max_src_conn_rate.seconds;
1589 rule->qid = krule->qid;
1590 rule->pqid = krule->pqid;
1591 rule->nr = krule->nr;
1592 rule->prob = krule->prob;
1593 rule->cuid = krule->cuid;
1594 rule->cpid = krule->cpid;
1596 rule->return_icmp = krule->return_icmp;
1597 rule->return_icmp6 = krule->return_icmp6;
1598 rule->max_mss = krule->max_mss;
1599 rule->tag = krule->tag;
1600 rule->match_tag = krule->match_tag;
1601 rule->scrub_flags = krule->scrub_flags;
1603 bcopy(&krule->uid, &rule->uid, sizeof(krule->uid));
1604 bcopy(&krule->gid, &rule->gid, sizeof(krule->gid));
1606 rule->rule_flag = krule->rule_flag;
1607 rule->action = krule->action;
1608 rule->direction = krule->direction;
1609 rule->log = krule->log;
1610 rule->logif = krule->logif;
1611 rule->quick = krule->quick;
1612 rule->ifnot = krule->ifnot;
1613 rule->match_tag_not = krule->match_tag_not;
1614 rule->natpass = krule->natpass;
1616 rule->keep_state = krule->keep_state;
1617 rule->af = krule->af;
1618 rule->proto = krule->proto;
1619 rule->type = krule->type;
1620 rule->code = krule->code;
1621 rule->flags = krule->flags;
1622 rule->flagset = krule->flagset;
1623 rule->min_ttl = krule->min_ttl;
1624 rule->allow_opts = krule->allow_opts;
1625 rule->rt = krule->rt;
1626 rule->return_ttl = krule->return_ttl;
1627 rule->tos = krule->tos;
1628 rule->set_tos = krule->set_tos;
1629 rule->anchor_relative = krule->anchor_relative;
1630 rule->anchor_wildcard = krule->anchor_wildcard;
1632 rule->flush = krule->flush;
1633 rule->prio = krule->prio;
1634 rule->set_prio[0] = krule->set_prio[0];
1635 rule->set_prio[1] = krule->set_prio[1];
1637 bcopy(&krule->divert, &rule->divert, sizeof(krule->divert));
1639 rule->u_states_cur = counter_u64_fetch(krule->states_cur);
1640 rule->u_states_tot = counter_u64_fetch(krule->states_tot);
1641 rule->u_src_nodes = counter_u64_fetch(krule->src_nodes);
1645 pf_check_rule_addr(const struct pf_rule_addr *addr)
1648 switch (addr->addr.type) {
1649 case PF_ADDR_ADDRMASK:
1650 case PF_ADDR_NOROUTE:
1651 case PF_ADDR_DYNIFTL:
1653 case PF_ADDR_URPFFAILED:
1660 if (addr->addr.p.dyn != NULL) {
1668 pf_nvaddr_to_addr(const nvlist_t *nvl, struct pf_addr *paddr)
1670 return (pf_nvbinary(nvl, "addr", paddr, sizeof(*paddr)));
1674 pf_addr_to_nvaddr(const struct pf_addr *paddr)
1678 nvl = nvlist_create(0);
1682 nvlist_add_binary(nvl, "addr", paddr, sizeof(*paddr));
1688 pf_nvmape_to_mape(const nvlist_t *nvl, struct pf_mape_portset *mape)
1692 bzero(mape, sizeof(*mape));
1693 PFNV_CHK(pf_nvuint8(nvl, "offset", &mape->offset));
1694 PFNV_CHK(pf_nvuint8(nvl, "psidlen", &mape->psidlen));
1695 PFNV_CHK(pf_nvuint16(nvl, "psid", &mape->psid));
1702 pf_mape_to_nvmape(const struct pf_mape_portset *mape)
1706 nvl = nvlist_create(0);
1710 nvlist_add_number(nvl, "offset", mape->offset);
1711 nvlist_add_number(nvl, "psidlen", mape->psidlen);
1712 nvlist_add_number(nvl, "psid", mape->psid);
1718 pf_nvpool_to_pool(const nvlist_t *nvl, struct pf_kpool *kpool)
1722 bzero(kpool, sizeof(*kpool));
1724 PFNV_CHK(pf_nvbinary(nvl, "key", &kpool->key, sizeof(kpool->key)));
1726 if (nvlist_exists_nvlist(nvl, "counter")) {
1727 PFNV_CHK(pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "counter"),
1731 PFNV_CHK(pf_nvint(nvl, "tblidx", &kpool->tblidx));
1732 PFNV_CHK(pf_nvuint16_array(nvl, "proxy_port", kpool->proxy_port, 2,
1734 PFNV_CHK(pf_nvuint8(nvl, "opts", &kpool->opts));
1736 if (nvlist_exists_nvlist(nvl, "mape")) {
1737 PFNV_CHK(pf_nvmape_to_mape(nvlist_get_nvlist(nvl, "mape"),
1746 pf_pool_to_nvpool(const struct pf_kpool *pool)
1751 nvl = nvlist_create(0);
1755 nvlist_add_binary(nvl, "key", &pool->key, sizeof(pool->key));
1756 tmp = pf_addr_to_nvaddr(&pool->counter);
1759 nvlist_add_nvlist(nvl, "counter", tmp);
1761 nvlist_add_number(nvl, "tblidx", pool->tblidx);
1762 pf_uint16_array_nv(nvl, "proxy_port", pool->proxy_port, 2);
1763 nvlist_add_number(nvl, "opts", pool->opts);
1765 tmp = pf_mape_to_nvmape(&pool->mape);
1768 nvlist_add_nvlist(nvl, "mape", tmp);
1773 nvlist_destroy(nvl);
1778 pf_nvaddr_wrap_to_addr_wrap(const nvlist_t *nvl, struct pf_addr_wrap *addr)
1782 bzero(addr, sizeof(*addr));
1784 PFNV_CHK(pf_nvuint8(nvl, "type", &addr->type));
1785 PFNV_CHK(pf_nvuint8(nvl, "iflags", &addr->iflags));
1786 PFNV_CHK(pf_nvstring(nvl, "ifname", addr->v.ifname,
1787 sizeof(addr->v.ifname)));
1788 PFNV_CHK(pf_nvstring(nvl, "tblname", addr->v.tblname,
1789 sizeof(addr->v.tblname)));
1791 if (! nvlist_exists_nvlist(nvl, "addr"))
1793 PFNV_CHK(pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"),
1796 if (! nvlist_exists_nvlist(nvl, "mask"))
1798 PFNV_CHK(pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "mask"),
1801 switch (addr->type) {
1802 case PF_ADDR_DYNIFTL:
1805 case PF_ADDR_ADDRMASK:
1806 case PF_ADDR_NOROUTE:
1807 case PF_ADDR_URPFFAILED:
1818 pf_addr_wrap_to_nvaddr_wrap(const struct pf_addr_wrap *addr)
1823 nvl = nvlist_create(0);
1827 nvlist_add_number(nvl, "type", addr->type);
1828 nvlist_add_number(nvl, "iflags", addr->iflags);
1829 nvlist_add_string(nvl, "ifname", addr->v.ifname);
1830 nvlist_add_string(nvl, "tblname", addr->v.tblname);
1832 tmp = pf_addr_to_nvaddr(&addr->v.a.addr);
1835 nvlist_add_nvlist(nvl, "addr", tmp);
1836 tmp = pf_addr_to_nvaddr(&addr->v.a.mask);
1839 nvlist_add_nvlist(nvl, "mask", tmp);
1844 nvlist_destroy(nvl);
1849 pf_validate_op(uint8_t op)
1871 pf_nvrule_addr_to_rule_addr(const nvlist_t *nvl, struct pf_rule_addr *addr)
1875 if (! nvlist_exists_nvlist(nvl, "addr"))
1878 PFNV_CHK(pf_nvaddr_wrap_to_addr_wrap(nvlist_get_nvlist(nvl, "addr"),
1880 PFNV_CHK(pf_nvuint16_array(nvl, "port", addr->port, 2, NULL));
1881 PFNV_CHK(pf_nvuint8(nvl, "neg", &addr->neg));
1882 PFNV_CHK(pf_nvuint8(nvl, "port_op", &addr->port_op));
1884 PFNV_CHK(pf_validate_op(addr->port_op));
1891 pf_rule_addr_to_nvrule_addr(const struct pf_rule_addr *addr)
1896 nvl = nvlist_create(0);
1900 tmp = pf_addr_wrap_to_nvaddr_wrap(&addr->addr);
1903 nvlist_add_nvlist(nvl, "addr", tmp);
1904 pf_uint16_array_nv(nvl, "port", addr->port, 2);
1905 nvlist_add_number(nvl, "neg", addr->neg);
1906 nvlist_add_number(nvl, "port_op", addr->port_op);
1911 nvlist_destroy(nvl);
1916 pf_nvrule_uid_to_rule_uid(const nvlist_t *nvl, struct pf_rule_uid *uid)
1920 bzero(uid, sizeof(*uid));
1922 PFNV_CHK(pf_nvuint32_array(nvl, "uid", uid->uid, 2, NULL));
1923 PFNV_CHK(pf_nvuint8(nvl, "op", &uid->op));
1925 PFNV_CHK(pf_validate_op(uid->op));
1932 pf_rule_uid_to_nvrule_uid(const struct pf_rule_uid *uid)
1936 nvl = nvlist_create(0);
1940 pf_uint32_array_nv(nvl, "uid", uid->uid, 2);
1941 nvlist_add_number(nvl, "op", uid->op);
1947 pf_nvrule_gid_to_rule_gid(const nvlist_t *nvl, struct pf_rule_gid *gid)
1949 /* Cheat a little. These stucts are the same, other than the name of
1950 * the first field. */
1951 return (pf_nvrule_uid_to_rule_uid(nvl, (struct pf_rule_uid *)gid));
1955 pf_nvrule_to_krule(const nvlist_t *nvl, struct pf_krule **prule)
1957 struct pf_krule *rule;
1960 rule = malloc(sizeof(*rule), M_PFRULE, M_WAITOK | M_ZERO);
1962 PFNV_CHK(pf_nvuint32(nvl, "nr", &rule->nr));
1964 if (! nvlist_exists_nvlist(nvl, "src")) {
1968 error = pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "src"),
1973 if (! nvlist_exists_nvlist(nvl, "dst")) {
1977 PFNV_CHK(pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "dst"),
1980 PFNV_CHK(pf_nvstring(nvl, "label", rule->label, sizeof(rule->label)));
1981 PFNV_CHK(pf_nvstring(nvl, "ifname", rule->ifname,
1982 sizeof(rule->ifname)));
1983 PFNV_CHK(pf_nvstring(nvl, "qname", rule->qname, sizeof(rule->qname)));
1984 PFNV_CHK(pf_nvstring(nvl, "pqname", rule->pqname,
1985 sizeof(rule->pqname)));
1986 PFNV_CHK(pf_nvstring(nvl, "tagname", rule->tagname,
1987 sizeof(rule->tagname)));
1988 PFNV_CHK(pf_nvstring(nvl, "match_tagname", rule->match_tagname,
1989 sizeof(rule->match_tagname)));
1990 PFNV_CHK(pf_nvstring(nvl, "overload_tblname", rule->overload_tblname,
1991 sizeof(rule->overload_tblname)));
1993 if (! nvlist_exists_nvlist(nvl, "rpool")) {
1997 PFNV_CHK(pf_nvpool_to_pool(nvlist_get_nvlist(nvl, "rpool"),
2000 PFNV_CHK(pf_nvuint32(nvl, "os_fingerprint", &rule->os_fingerprint));
2002 PFNV_CHK(pf_nvint(nvl, "rtableid", &rule->rtableid));
2003 PFNV_CHK(pf_nvuint32_array(nvl, "timeout", rule->timeout, PFTM_MAX, NULL));
2004 PFNV_CHK(pf_nvuint32(nvl, "max_states", &rule->max_states));
2005 PFNV_CHK(pf_nvuint32(nvl, "max_src_nodes", &rule->max_src_nodes));
2006 PFNV_CHK(pf_nvuint32(nvl, "max_src_states", &rule->max_src_states));
2007 PFNV_CHK(pf_nvuint32(nvl, "max_src_conn", &rule->max_src_conn));
2008 PFNV_CHK(pf_nvuint32(nvl, "max_src_conn_rate.limit",
2009 &rule->max_src_conn_rate.limit));
2010 PFNV_CHK(pf_nvuint32(nvl, "max_src_conn_rate.seconds",
2011 &rule->max_src_conn_rate.seconds));
2012 PFNV_CHK(pf_nvuint32(nvl, "prob", &rule->prob));
2013 PFNV_CHK(pf_nvuint32(nvl, "cuid", &rule->cuid));
2014 PFNV_CHK(pf_nvuint32(nvl, "cpid", &rule->cpid));
2016 PFNV_CHK(pf_nvuint16(nvl, "return_icmp", &rule->return_icmp));
2017 PFNV_CHK(pf_nvuint16(nvl, "return_icmp6", &rule->return_icmp6));
2019 PFNV_CHK(pf_nvuint16(nvl, "max_mss", &rule->max_mss));
2020 PFNV_CHK(pf_nvuint16(nvl, "scrub_flags", &rule->scrub_flags));
2022 if (! nvlist_exists_nvlist(nvl, "uid")) {
2026 PFNV_CHK(pf_nvrule_uid_to_rule_uid(nvlist_get_nvlist(nvl, "uid"),
2029 if (! nvlist_exists_nvlist(nvl, "gid")) {
2033 PFNV_CHK(pf_nvrule_gid_to_rule_gid(nvlist_get_nvlist(nvl, "gid"),
2036 PFNV_CHK(pf_nvuint32(nvl, "rule_flag", &rule->rule_flag));
2037 PFNV_CHK(pf_nvuint8(nvl, "action", &rule->action));
2038 PFNV_CHK(pf_nvuint8(nvl, "direction", &rule->direction));
2039 PFNV_CHK(pf_nvuint8(nvl, "log", &rule->log));
2040 PFNV_CHK(pf_nvuint8(nvl, "logif", &rule->logif));
2041 PFNV_CHK(pf_nvuint8(nvl, "quick", &rule->quick));
2042 PFNV_CHK(pf_nvuint8(nvl, "ifnot", &rule->ifnot));
2043 PFNV_CHK(pf_nvuint8(nvl, "match_tag_not", &rule->match_tag_not));
2044 PFNV_CHK(pf_nvuint8(nvl, "natpass", &rule->natpass));
2046 PFNV_CHK(pf_nvuint8(nvl, "keep_state", &rule->keep_state));
2047 PFNV_CHK(pf_nvuint8(nvl, "af", &rule->af));
2048 PFNV_CHK(pf_nvuint8(nvl, "proto", &rule->proto));
2049 PFNV_CHK(pf_nvuint8(nvl, "type", &rule->type));
2050 PFNV_CHK(pf_nvuint8(nvl, "code", &rule->code));
2051 PFNV_CHK(pf_nvuint8(nvl, "flags", &rule->flags));
2052 PFNV_CHK(pf_nvuint8(nvl, "flagset", &rule->flagset));
2053 PFNV_CHK(pf_nvuint8(nvl, "min_ttl", &rule->min_ttl));
2054 PFNV_CHK(pf_nvuint8(nvl, "allow_opts", &rule->allow_opts));
2055 PFNV_CHK(pf_nvuint8(nvl, "rt", &rule->rt));
2056 PFNV_CHK(pf_nvuint8(nvl, "return_ttl", &rule->return_ttl));
2057 PFNV_CHK(pf_nvuint8(nvl, "tos", &rule->tos));
2058 PFNV_CHK(pf_nvuint8(nvl, "set_tos", &rule->set_tos));
2059 PFNV_CHK(pf_nvuint8(nvl, "anchor_relative", &rule->anchor_relative));
2060 PFNV_CHK(pf_nvuint8(nvl, "anchor_wildcard", &rule->anchor_wildcard));
2062 PFNV_CHK(pf_nvuint8(nvl, "flush", &rule->flush));
2063 PFNV_CHK(pf_nvuint8(nvl, "prio", &rule->prio));
2065 PFNV_CHK(pf_nvuint8_array(nvl, "set_prio", &rule->prio, 2, NULL));
2067 if (nvlist_exists_nvlist(nvl, "divert")) {
2068 const nvlist_t *nvldivert = nvlist_get_nvlist(nvl, "divert");
2070 if (! nvlist_exists_nvlist(nvldivert, "addr")) {
2074 PFNV_CHK(pf_nvaddr_to_addr(nvlist_get_nvlist(nvldivert, "addr"),
2075 &rule->divert.addr));
2076 PFNV_CHK(pf_nvuint16(nvldivert, "port", &rule->divert.port));
2081 if (rule->af == AF_INET) {
2082 error = EAFNOSUPPORT;
2087 if (rule->af == AF_INET6) {
2088 error = EAFNOSUPPORT;
2093 PFNV_CHK(pf_check_rule_addr(&rule->src));
2094 PFNV_CHK(pf_check_rule_addr(&rule->dst));
2101 pf_krule_free(rule);
2108 pf_divert_to_nvdivert(const struct pf_krule *rule)
2113 nvl = nvlist_create(0);
2117 tmp = pf_addr_to_nvaddr(&rule->divert.addr);
2120 nvlist_add_nvlist(nvl, "addr", tmp);
2121 nvlist_add_number(nvl, "port", rule->divert.port);
2126 nvlist_destroy(nvl);
2131 pf_krule_to_nvrule(const struct pf_krule *rule)
2133 nvlist_t *nvl, *tmp;
2135 nvl = nvlist_create(0);
2139 nvlist_add_number(nvl, "nr", rule->nr);
2140 tmp = pf_rule_addr_to_nvrule_addr(&rule->src);
2143 nvlist_add_nvlist(nvl, "src", tmp);
2144 tmp = pf_rule_addr_to_nvrule_addr(&rule->dst);
2147 nvlist_add_nvlist(nvl, "dst", tmp);
2149 for (int i = 0; i < PF_SKIP_COUNT; i++) {
2150 nvlist_append_number_array(nvl, "skip",
2151 rule->skip[i].ptr ? rule->skip[i].ptr->nr : -1);
2154 nvlist_add_string(nvl, "label", rule->label);
2155 nvlist_add_string(nvl, "ifname", rule->ifname);
2156 nvlist_add_string(nvl, "qname", rule->qname);
2157 nvlist_add_string(nvl, "pqname", rule->pqname);
2158 nvlist_add_string(nvl, "tagname", rule->tagname);
2159 nvlist_add_string(nvl, "match_tagname", rule->match_tagname);
2160 nvlist_add_string(nvl, "overload_tblname", rule->overload_tblname);
2162 tmp = pf_pool_to_nvpool(&rule->rpool);
2165 nvlist_add_nvlist(nvl, "rpool", tmp);
2167 nvlist_add_number(nvl, "evaluations",
2168 counter_u64_fetch(rule->evaluations));
2169 for (int i = 0; i < 2; i++) {
2170 nvlist_append_number_array(nvl, "packets",
2171 counter_u64_fetch(rule->packets[i]));
2172 nvlist_append_number_array(nvl, "bytes",
2173 counter_u64_fetch(rule->bytes[i]));
2176 nvlist_add_number(nvl, "os_fingerprint", rule->os_fingerprint);
2178 nvlist_add_number(nvl, "rtableid", rule->rtableid);
2179 pf_uint32_array_nv(nvl, "timeout", rule->timeout, PFTM_MAX);
2180 nvlist_add_number(nvl, "max_states", rule->max_states);
2181 nvlist_add_number(nvl, "max_src_nodes", rule->max_src_nodes);
2182 nvlist_add_number(nvl, "max_src_states", rule->max_src_states);
2183 nvlist_add_number(nvl, "max_src_conn", rule->max_src_conn);
2184 nvlist_add_number(nvl, "max_src_conn_rate.limit",
2185 rule->max_src_conn_rate.limit);
2186 nvlist_add_number(nvl, "max_src_conn_rate.seconds",
2187 rule->max_src_conn_rate.seconds);
2188 nvlist_add_number(nvl, "qid", rule->qid);
2189 nvlist_add_number(nvl, "pqid", rule->pqid);
2190 nvlist_add_number(nvl, "prob", rule->prob);
2191 nvlist_add_number(nvl, "cuid", rule->cuid);
2192 nvlist_add_number(nvl, "cpid", rule->cpid);
2194 nvlist_add_number(nvl, "states_cur",
2195 counter_u64_fetch(rule->states_cur));
2196 nvlist_add_number(nvl, "states_tot",
2197 counter_u64_fetch(rule->states_tot));
2198 nvlist_add_number(nvl, "src_nodes",
2199 counter_u64_fetch(rule->src_nodes));
2201 nvlist_add_number(nvl, "return_icmp", rule->return_icmp);
2202 nvlist_add_number(nvl, "return_icmp6", rule->return_icmp6);
2204 nvlist_add_number(nvl, "max_mss", rule->max_mss);
2205 nvlist_add_number(nvl, "scrub_flags", rule->scrub_flags);
2207 tmp = pf_rule_uid_to_nvrule_uid(&rule->uid);
2210 nvlist_add_nvlist(nvl, "uid", tmp);
2211 tmp = pf_rule_uid_to_nvrule_uid((const struct pf_rule_uid *)&rule->gid);
2214 nvlist_add_nvlist(nvl, "gid", tmp);
2216 nvlist_add_number(nvl, "rule_flag", rule->rule_flag);
2217 nvlist_add_number(nvl, "action", rule->action);
2218 nvlist_add_number(nvl, "direction", rule->direction);
2219 nvlist_add_number(nvl, "log", rule->log);
2220 nvlist_add_number(nvl, "logif", rule->logif);
2221 nvlist_add_number(nvl, "quick", rule->quick);
2222 nvlist_add_number(nvl, "ifnot", rule->ifnot);
2223 nvlist_add_number(nvl, "match_tag_not", rule->match_tag_not);
2224 nvlist_add_number(nvl, "natpass", rule->natpass);
2226 nvlist_add_number(nvl, "keep_state", rule->keep_state);
2227 nvlist_add_number(nvl, "af", rule->af);
2228 nvlist_add_number(nvl, "proto", rule->proto);
2229 nvlist_add_number(nvl, "type", rule->type);
2230 nvlist_add_number(nvl, "code", rule->code);
2231 nvlist_add_number(nvl, "flags", rule->flags);
2232 nvlist_add_number(nvl, "flagset", rule->flagset);
2233 nvlist_add_number(nvl, "min_ttl", rule->min_ttl);
2234 nvlist_add_number(nvl, "allow_opts", rule->allow_opts);
2235 nvlist_add_number(nvl, "rt", rule->rt);
2236 nvlist_add_number(nvl, "return_ttl", rule->return_ttl);
2237 nvlist_add_number(nvl, "tos", rule->tos);
2238 nvlist_add_number(nvl, "set_tos", rule->set_tos);
2239 nvlist_add_number(nvl, "anchor_relative", rule->anchor_relative);
2240 nvlist_add_number(nvl, "anchor_wildcard", rule->anchor_wildcard);
2242 nvlist_add_number(nvl, "flush", rule->flush);
2243 nvlist_add_number(nvl, "prio", rule->prio);
2245 pf_uint8_array_nv(nvl, "set_prio", &rule->prio, 2);
2247 tmp = pf_divert_to_nvdivert(rule);
2250 nvlist_add_nvlist(nvl, "divert", tmp);
2255 nvlist_destroy(nvl);
2260 pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule)
2265 if (rule->af == AF_INET) {
2266 return (EAFNOSUPPORT);
2270 if (rule->af == AF_INET6) {
2271 return (EAFNOSUPPORT);
2275 ret = pf_check_rule_addr(&rule->src);
2278 ret = pf_check_rule_addr(&rule->dst);
2282 bzero(krule, sizeof(*krule));
2284 bcopy(&rule->src, &krule->src, sizeof(rule->src));
2285 bcopy(&rule->dst, &krule->dst, sizeof(rule->dst));
2287 strlcpy(krule->label, rule->label, sizeof(rule->label));
2288 strlcpy(krule->ifname, rule->ifname, sizeof(rule->ifname));
2289 strlcpy(krule->qname, rule->qname, sizeof(rule->qname));
2290 strlcpy(krule->pqname, rule->pqname, sizeof(rule->pqname));
2291 strlcpy(krule->tagname, rule->tagname, sizeof(rule->tagname));
2292 strlcpy(krule->match_tagname, rule->match_tagname,
2293 sizeof(rule->match_tagname));
2294 strlcpy(krule->overload_tblname, rule->overload_tblname,
2295 sizeof(rule->overload_tblname));
2297 ret = pf_pool_to_kpool(&rule->rpool, &krule->rpool);
2301 /* Don't allow userspace to set evaulations, packets or bytes. */
2302 /* kif, anchor, overload_tbl are not copied over. */
2304 krule->os_fingerprint = rule->os_fingerprint;
2306 krule->rtableid = rule->rtableid;
2307 bcopy(rule->timeout, krule->timeout, sizeof(krule->timeout));
2308 krule->max_states = rule->max_states;
2309 krule->max_src_nodes = rule->max_src_nodes;
2310 krule->max_src_states = rule->max_src_states;
2311 krule->max_src_conn = rule->max_src_conn;
2312 krule->max_src_conn_rate.limit = rule->max_src_conn_rate.limit;
2313 krule->max_src_conn_rate.seconds = rule->max_src_conn_rate.seconds;
2314 krule->qid = rule->qid;
2315 krule->pqid = rule->pqid;
2316 krule->nr = rule->nr;
2317 krule->prob = rule->prob;
2318 krule->cuid = rule->cuid;
2319 krule->cpid = rule->cpid;
2321 krule->return_icmp = rule->return_icmp;
2322 krule->return_icmp6 = rule->return_icmp6;
2323 krule->max_mss = rule->max_mss;
2324 krule->tag = rule->tag;
2325 krule->match_tag = rule->match_tag;
2326 krule->scrub_flags = rule->scrub_flags;
2328 bcopy(&rule->uid, &krule->uid, sizeof(krule->uid));
2329 bcopy(&rule->gid, &krule->gid, sizeof(krule->gid));
2331 krule->rule_flag = rule->rule_flag;
2332 krule->action = rule->action;
2333 krule->direction = rule->direction;
2334 krule->log = rule->log;
2335 krule->logif = rule->logif;
2336 krule->quick = rule->quick;
2337 krule->ifnot = rule->ifnot;
2338 krule->match_tag_not = rule->match_tag_not;
2339 krule->natpass = rule->natpass;
2341 krule->keep_state = rule->keep_state;
2342 krule->af = rule->af;
2343 krule->proto = rule->proto;
2344 krule->type = rule->type;
2345 krule->code = rule->code;
2346 krule->flags = rule->flags;
2347 krule->flagset = rule->flagset;
2348 krule->min_ttl = rule->min_ttl;
2349 krule->allow_opts = rule->allow_opts;
2350 krule->rt = rule->rt;
2351 krule->return_ttl = rule->return_ttl;
2352 krule->tos = rule->tos;
2353 krule->set_tos = rule->set_tos;
2354 krule->anchor_relative = rule->anchor_relative;
2355 krule->anchor_wildcard = rule->anchor_wildcard;
2357 krule->flush = rule->flush;
2358 krule->prio = rule->prio;
2359 krule->set_prio[0] = rule->set_prio[0];
2360 krule->set_prio[1] = rule->set_prio[1];
2362 bcopy(&rule->divert, &krule->divert, sizeof(krule->divert));
2368 pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
2369 uint32_t pool_ticket, const char *anchor, const char *anchor_call,
2372 struct pf_kruleset *ruleset;
2373 struct pf_krule *tail;
2374 struct pf_kpooladdr *pa;
2375 struct pfi_kkif *kif = NULL;
2379 if ((rule->return_icmp >> 8) > ICMP_MAXTYPE) {
2381 goto errout_unlocked;
2384 #define ERROUT(x) { error = (x); goto errout; }
2386 if (rule->ifname[0])
2387 kif = pf_kkif_create(M_WAITOK);
2388 rule->evaluations = counter_u64_alloc(M_WAITOK);
2389 for (int i = 0; i < 2; i++) {
2390 rule->packets[i] = counter_u64_alloc(M_WAITOK);
2391 rule->bytes[i] = counter_u64_alloc(M_WAITOK);
2393 rule->states_cur = counter_u64_alloc(M_WAITOK);
2394 rule->states_tot = counter_u64_alloc(M_WAITOK);
2395 rule->src_nodes = counter_u64_alloc(M_WAITOK);
2396 rule->cuid = td->td_ucred->cr_ruid;
2397 rule->cpid = td->td_proc ? td->td_proc->p_pid : 0;
2398 TAILQ_INIT(&rule->rpool.list);
2401 ruleset = pf_find_kruleset(anchor);
2402 if (ruleset == NULL)
2404 rs_num = pf_get_ruleset_number(rule->action);
2405 if (rs_num >= PF_RULESET_MAX)
2407 if (ticket != ruleset->rules[rs_num].inactive.ticket) {
2408 DPFPRINTF(PF_DEBUG_MISC,
2409 ("ticket: %d != [%d]%d\n", ticket, rs_num,
2410 ruleset->rules[rs_num].inactive.ticket));
2413 if (pool_ticket != V_ticket_pabuf) {
2414 DPFPRINTF(PF_DEBUG_MISC,
2415 ("pool_ticket: %d != %d\n", pool_ticket,
2420 tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
2423 rule->nr = tail->nr + 1;
2426 if (rule->ifname[0]) {
2427 rule->kif = pfi_kkif_attach(kif, rule->ifname);
2429 pfi_kkif_ref(rule->kif);
2433 if (rule->rtableid > 0 && rule->rtableid >= rt_numfibs)
2438 if (rule->qname[0] != 0) {
2439 if ((rule->qid = pf_qname2qid(rule->qname)) == 0)
2441 else if (rule->pqname[0] != 0) {
2443 pf_qname2qid(rule->pqname)) == 0)
2446 rule->pqid = rule->qid;
2449 if (rule->tagname[0])
2450 if ((rule->tag = pf_tagname2tag(rule->tagname)) == 0)
2452 if (rule->match_tagname[0])
2453 if ((rule->match_tag =
2454 pf_tagname2tag(rule->match_tagname)) == 0)
2456 if (rule->rt && !rule->direction)
2460 if (rule->logif >= PFLOGIFS_MAX)
2462 if (pf_addr_setup(ruleset, &rule->src.addr, rule->af))
2464 if (pf_addr_setup(ruleset, &rule->dst.addr, rule->af))
2466 if (pf_kanchor_setup(rule, ruleset, anchor_call))
2468 if (rule->scrub_flags & PFSTATE_SETPRIO &&
2469 (rule->set_prio[0] > PF_PRIO_MAX ||
2470 rule->set_prio[1] > PF_PRIO_MAX))
2472 TAILQ_FOREACH(pa, &V_pf_pabuf, entries)
2473 if (pa->addr.type == PF_ADDR_TABLE) {
2474 pa->addr.p.tbl = pfr_attach_table(ruleset,
2475 pa->addr.v.tblname);
2476 if (pa->addr.p.tbl == NULL)
2480 rule->overload_tbl = NULL;
2481 if (rule->overload_tblname[0]) {
2482 if ((rule->overload_tbl = pfr_attach_table(ruleset,
2483 rule->overload_tblname)) == NULL)
2486 rule->overload_tbl->pfrkt_flags |=
2490 pf_mv_kpool(&V_pf_pabuf, &rule->rpool.list);
2491 if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) ||
2492 (rule->action == PF_BINAT)) && rule->anchor == NULL) ||
2493 (rule->rt > PF_NOPFROUTE)) &&
2494 (TAILQ_FIRST(&rule->rpool.list) == NULL))
2503 rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list);
2504 counter_u64_zero(rule->evaluations);
2505 for (int i = 0; i < 2; i++) {
2506 counter_u64_zero(rule->packets[i]);
2507 counter_u64_zero(rule->bytes[i]);
2509 TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr,
2511 ruleset->rules[rs_num].inactive.rcount++;
2521 pf_krule_free(rule);
2526 pf_killstates_row(struct pfioc_state_kill *psk, struct pf_idhash *ih)
2529 struct pf_state_key *sk;
2530 struct pf_addr *srcaddr, *dstaddr;
2532 u_int16_t srcport, dstport;
2534 relock_DIOCKILLSTATES:
2535 PF_HASHROW_LOCK(ih);
2536 LIST_FOREACH(s, &ih->states, entry) {
2537 sk = s->key[PF_SK_WIRE];
2538 if (s->direction == PF_OUT) {
2539 srcaddr = &sk->addr[1];
2540 dstaddr = &sk->addr[0];
2541 srcport = sk->port[1];
2542 dstport = sk->port[0];
2544 srcaddr = &sk->addr[0];
2545 dstaddr = &sk->addr[1];
2546 srcport = sk->port[0];
2547 dstport = sk->port[1];
2550 if (psk->psk_af && sk->af != psk->psk_af)
2553 if (psk->psk_proto && psk->psk_proto != sk->proto)
2556 if (! PF_MATCHA(psk->psk_src.neg, &psk->psk_src.addr.v.a.addr,
2557 &psk->psk_src.addr.v.a.mask, srcaddr, sk->af))
2560 if (! PF_MATCHA(psk->psk_dst.neg, &psk->psk_dst.addr.v.a.addr,
2561 &psk->psk_dst.addr.v.a.mask, dstaddr, sk->af))
2564 if (psk->psk_src.port_op != 0 &&
2565 ! pf_match_port(psk->psk_src.port_op,
2566 psk->psk_src.port[0], psk->psk_src.port[1], srcport))
2569 if (psk->psk_dst.port_op != 0 &&
2570 ! pf_match_port(psk->psk_dst.port_op,
2571 psk->psk_dst.port[0], psk->psk_dst.port[1], dstport))
2574 if (psk->psk_label[0] && (! s->rule.ptr->label[0] ||
2575 strcmp(psk->psk_label, s->rule.ptr->label)))
2578 if (psk->psk_ifname[0] && strcmp(psk->psk_ifname,
2582 pf_unlink_state(s, PF_ENTER_LOCKED);
2584 goto relock_DIOCKILLSTATES;
2586 PF_HASHROW_UNLOCK(ih);
2592 pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td)
2595 PF_RULES_RLOCK_TRACKER;
2597 /* XXX keep in sync with switch() below */
2598 if (securelevel_gt(td->td_ucred, 2))
2606 case DIOCSETSTATUSIF:
2612 case DIOCGETTIMEOUT:
2613 case DIOCCLRRULECTRS:
2615 case DIOCGETALTQSV0:
2616 case DIOCGETALTQSV1:
2619 case DIOCGETQSTATSV0:
2620 case DIOCGETQSTATSV1:
2621 case DIOCGETRULESETS:
2622 case DIOCGETRULESET:
2623 case DIOCRGETTABLES:
2624 case DIOCRGETTSTATS:
2625 case DIOCRCLRTSTATS:
2631 case DIOCRGETASTATS:
2632 case DIOCRCLRASTATS:
2635 case DIOCGETSRCNODES:
2636 case DIOCCLRSRCNODES:
2637 case DIOCIGETIFACES:
2638 case DIOCGIFSPEEDV0:
2639 case DIOCGIFSPEEDV1:
2643 case DIOCRCLRTABLES:
2644 case DIOCRADDTABLES:
2645 case DIOCRDELTABLES:
2646 case DIOCRSETTFLAGS:
2647 if (((struct pfioc_table *)addr)->pfrio_flags &
2649 break; /* dummy operation ok */
2655 if (!(flags & FWRITE))
2663 case DIOCGETTIMEOUT:
2665 case DIOCGETALTQSV0:
2666 case DIOCGETALTQSV1:
2669 case DIOCGETQSTATSV0:
2670 case DIOCGETQSTATSV1:
2671 case DIOCGETRULESETS:
2672 case DIOCGETRULESET:
2674 case DIOCRGETTABLES:
2675 case DIOCRGETTSTATS:
2677 case DIOCRGETASTATS:
2680 case DIOCGETSRCNODES:
2681 case DIOCIGETIFACES:
2682 case DIOCGIFSPEEDV1:
2683 case DIOCGIFSPEEDV0:
2686 case DIOCRCLRTABLES:
2687 case DIOCRADDTABLES:
2688 case DIOCRDELTABLES:
2689 case DIOCRCLRTSTATS:
2694 case DIOCRSETTFLAGS:
2695 if (((struct pfioc_table *)addr)->pfrio_flags &
2697 flags |= FWRITE; /* need write lock for dummy */
2698 break; /* dummy operation ok */
2702 if (((struct pfioc_rule *)addr)->action ==
2710 CURVNET_SET(TD_TO_VNET(td));
2714 sx_xlock(&pf_ioctl_lock);
2715 if (V_pf_status.running)
2721 V_pf_status.running = 1;
2722 V_pf_status.since = time_second;
2725 V_pf_stateid[cpu] = time_second;
2727 DPFPRINTF(PF_DEBUG_MISC, ("pf: started\n"));
2732 sx_xlock(&pf_ioctl_lock);
2733 if (!V_pf_status.running)
2736 V_pf_status.running = 0;
2738 V_pf_status.since = time_second;
2739 DPFPRINTF(PF_DEBUG_MISC, ("pf: stopped\n"));
2743 case DIOCADDRULENV: {
2744 struct pfioc_nv *nv = (struct pfioc_nv *)addr;
2745 nvlist_t *nvl = NULL;
2746 void *nvlpacked = NULL;
2747 struct pf_krule *rule = NULL;
2748 const char *anchor = "", *anchor_call = "";
2749 uint32_t ticket = 0, pool_ticket = 0;
2751 #define ERROUT(x) do { error = (x); goto DIOCADDRULENV_error; } while (0)
2753 if (nv->len > pf_ioctl_maxcount)
2756 nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
2757 error = copyin(nv->data, nvlpacked, nv->len);
2761 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
2765 if (! nvlist_exists_number(nvl, "ticket"))
2767 ticket = nvlist_get_number(nvl, "ticket");
2769 if (! nvlist_exists_number(nvl, "pool_ticket"))
2771 pool_ticket = nvlist_get_number(nvl, "pool_ticket");
2773 if (! nvlist_exists_nvlist(nvl, "rule"))
2776 error = pf_nvrule_to_krule(nvlist_get_nvlist(nvl, "rule"),
2781 if (nvlist_exists_string(nvl, "anchor"))
2782 anchor = nvlist_get_string(nvl, "anchor");
2783 if (nvlist_exists_string(nvl, "anchor_call"))
2784 anchor_call = nvlist_get_string(nvl, "anchor_call");
2786 if ((error = nvlist_error(nvl)))
2789 /* Frees rule on error */
2790 error = pf_ioctl_addrule(rule, ticket, pool_ticket, anchor,
2793 nvlist_destroy(nvl);
2794 free(nvlpacked, M_TEMP);
2797 DIOCADDRULENV_error:
2798 pf_krule_free(rule);
2799 nvlist_destroy(nvl);
2800 free(nvlpacked, M_TEMP);
2805 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
2806 struct pf_krule *rule;
2808 rule = malloc(sizeof(*rule), M_PFRULE, M_WAITOK);
2809 error = pf_rule_to_krule(&pr->rule, rule);
2811 free(rule, M_PFRULE);
2815 pr->anchor[sizeof(pr->anchor) - 1] = 0;
2817 /* Frees rule on error */
2818 error = pf_ioctl_addrule(rule, pr->ticket, pr->pool_ticket,
2819 pr->anchor, pr->anchor_call, td);
2823 case DIOCGETRULES: {
2824 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
2825 struct pf_kruleset *ruleset;
2826 struct pf_krule *tail;
2830 pr->anchor[sizeof(pr->anchor) - 1] = 0;
2831 ruleset = pf_find_kruleset(pr->anchor);
2832 if (ruleset == NULL) {
2837 rs_num = pf_get_ruleset_number(pr->rule.action);
2838 if (rs_num >= PF_RULESET_MAX) {
2843 tail = TAILQ_LAST(ruleset->rules[rs_num].active.ptr,
2846 pr->nr = tail->nr + 1;
2849 pr->ticket = ruleset->rules[rs_num].active.ticket;
2855 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
2856 struct pf_kruleset *ruleset;
2857 struct pf_krule *rule;
2861 pr->anchor[sizeof(pr->anchor) - 1] = 0;
2862 ruleset = pf_find_kruleset(pr->anchor);
2863 if (ruleset == NULL) {
2868 rs_num = pf_get_ruleset_number(pr->rule.action);
2869 if (rs_num >= PF_RULESET_MAX) {
2874 if (pr->ticket != ruleset->rules[rs_num].active.ticket) {
2879 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
2880 while ((rule != NULL) && (rule->nr != pr->nr))
2881 rule = TAILQ_NEXT(rule, entries);
2888 pf_krule_to_rule(rule, &pr->rule);
2890 if (pf_kanchor_copyout(ruleset, rule, pr)) {
2895 pf_addr_copyout(&pr->rule.src.addr);
2896 pf_addr_copyout(&pr->rule.dst.addr);
2898 if (pr->action == PF_GET_CLR_CNTR) {
2899 counter_u64_zero(rule->evaluations);
2900 for (int i = 0; i < 2; i++) {
2901 counter_u64_zero(rule->packets[i]);
2902 counter_u64_zero(rule->bytes[i]);
2904 counter_u64_zero(rule->states_tot);
2910 case DIOCGETRULENV: {
2911 struct pfioc_nv *nv = (struct pfioc_nv *)addr;
2912 nvlist_t *nvrule = NULL;
2913 nvlist_t *nvl = NULL;
2914 struct pf_kruleset *ruleset;
2915 struct pf_krule *rule;
2916 void *nvlpacked = NULL;
2918 bool clear_counter = false;
2920 #define ERROUT(x) do { error = (x); goto DIOCGETRULENV_error; } while (0)
2922 if (nv->len > pf_ioctl_maxcount)
2925 /* Copy the request in */
2926 nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
2927 if (nvlpacked == NULL)
2930 error = copyin(nv->data, nvlpacked, nv->len);
2934 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
2938 if (! nvlist_exists_string(nvl, "anchor"))
2940 if (! nvlist_exists_number(nvl, "ruleset"))
2942 if (! nvlist_exists_number(nvl, "ticket"))
2944 if (! nvlist_exists_number(nvl, "nr"))
2947 if (nvlist_exists_bool(nvl, "clear_counter"))
2948 clear_counter = nvlist_get_bool(nvl, "clear_counter");
2950 if (clear_counter && !(flags & FWRITE))
2953 nr = nvlist_get_number(nvl, "nr");
2956 ruleset = pf_find_kruleset(nvlist_get_string(nvl, "anchor"));
2957 if (ruleset == NULL) {
2962 rs_num = pf_get_ruleset_number(nvlist_get_number(nvl, "ruleset"));
2963 if (rs_num >= PF_RULESET_MAX) {
2968 if (nvlist_get_number(nvl, "ticket") !=
2969 ruleset->rules[rs_num].active.ticket) {
2975 if ((error = nvlist_error(nvl))) {
2980 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
2981 while ((rule != NULL) && (rule->nr != nr))
2982 rule = TAILQ_NEXT(rule, entries);
2989 nvrule = pf_krule_to_nvrule(rule);
2991 nvlist_destroy(nvl);
2992 nvl = nvlist_create(0);
2997 nvlist_add_number(nvl, "nr", nr);
2998 nvlist_add_nvlist(nvl, "rule", nvrule);
3000 if (pf_kanchor_nvcopyout(ruleset, rule, nvl)) {
3005 free(nvlpacked, M_TEMP);
3006 nvlpacked = nvlist_pack(nvl, &nv->len);
3007 if (nvlpacked == NULL) {
3012 if (nv->size == 0) {
3016 else if (nv->size < nv->len) {
3021 error = copyout(nvlpacked, nv->data, nv->len);
3023 if (clear_counter) {
3024 counter_u64_zero(rule->evaluations);
3025 for (int i = 0; i < 2; i++) {
3026 counter_u64_zero(rule->packets[i]);
3027 counter_u64_zero(rule->bytes[i]);
3029 counter_u64_zero(rule->states_tot);
3034 DIOCGETRULENV_error:
3035 free(nvlpacked, M_TEMP);
3036 nvlist_destroy(nvrule);
3037 nvlist_destroy(nvl);
3042 case DIOCCHANGERULE: {
3043 struct pfioc_rule *pcr = (struct pfioc_rule *)addr;
3044 struct pf_kruleset *ruleset;
3045 struct pf_krule *oldrule = NULL, *newrule = NULL;
3046 struct pfi_kkif *kif = NULL;
3047 struct pf_kpooladdr *pa;
3051 if (pcr->action < PF_CHANGE_ADD_HEAD ||
3052 pcr->action > PF_CHANGE_GET_TICKET) {
3056 if (pcr->rule.return_icmp >> 8 > ICMP_MAXTYPE) {
3061 if (pcr->action != PF_CHANGE_REMOVE) {
3062 newrule = malloc(sizeof(*newrule), M_PFRULE, M_WAITOK);
3063 error = pf_rule_to_krule(&pcr->rule, newrule);
3065 free(newrule, M_PFRULE);
3069 if (newrule->ifname[0])
3070 kif = pf_kkif_create(M_WAITOK);
3071 newrule->evaluations = counter_u64_alloc(M_WAITOK);
3072 for (int i = 0; i < 2; i++) {
3073 newrule->packets[i] =
3074 counter_u64_alloc(M_WAITOK);
3076 counter_u64_alloc(M_WAITOK);
3078 newrule->states_cur = counter_u64_alloc(M_WAITOK);
3079 newrule->states_tot = counter_u64_alloc(M_WAITOK);
3080 newrule->src_nodes = counter_u64_alloc(M_WAITOK);
3081 newrule->cuid = td->td_ucred->cr_ruid;
3082 newrule->cpid = td->td_proc ? td->td_proc->p_pid : 0;
3083 TAILQ_INIT(&newrule->rpool.list);
3085 #define ERROUT(x) { error = (x); goto DIOCCHANGERULE_error; }
3088 if (!(pcr->action == PF_CHANGE_REMOVE ||
3089 pcr->action == PF_CHANGE_GET_TICKET) &&
3090 pcr->pool_ticket != V_ticket_pabuf)
3093 ruleset = pf_find_kruleset(pcr->anchor);
3094 if (ruleset == NULL)
3097 rs_num = pf_get_ruleset_number(pcr->rule.action);
3098 if (rs_num >= PF_RULESET_MAX)
3101 if (pcr->action == PF_CHANGE_GET_TICKET) {
3102 pcr->ticket = ++ruleset->rules[rs_num].active.ticket;
3104 } else if (pcr->ticket !=
3105 ruleset->rules[rs_num].active.ticket)
3108 if (pcr->action != PF_CHANGE_REMOVE) {
3109 if (newrule->ifname[0]) {
3110 newrule->kif = pfi_kkif_attach(kif,
3113 pfi_kkif_ref(newrule->kif);
3115 newrule->kif = NULL;
3117 if (newrule->rtableid > 0 &&
3118 newrule->rtableid >= rt_numfibs)
3123 if (newrule->qname[0] != 0) {
3125 pf_qname2qid(newrule->qname)) == 0)
3127 else if (newrule->pqname[0] != 0) {
3128 if ((newrule->pqid =
3129 pf_qname2qid(newrule->pqname)) == 0)
3132 newrule->pqid = newrule->qid;
3135 if (newrule->tagname[0])
3137 pf_tagname2tag(newrule->tagname)) == 0)
3139 if (newrule->match_tagname[0])
3140 if ((newrule->match_tag = pf_tagname2tag(
3141 newrule->match_tagname)) == 0)
3143 if (newrule->rt && !newrule->direction)
3147 if (newrule->logif >= PFLOGIFS_MAX)
3149 if (pf_addr_setup(ruleset, &newrule->src.addr, newrule->af))
3151 if (pf_addr_setup(ruleset, &newrule->dst.addr, newrule->af))
3153 if (pf_kanchor_setup(newrule, ruleset, pcr->anchor_call))
3155 TAILQ_FOREACH(pa, &V_pf_pabuf, entries)
3156 if (pa->addr.type == PF_ADDR_TABLE) {
3158 pfr_attach_table(ruleset,
3159 pa->addr.v.tblname);
3160 if (pa->addr.p.tbl == NULL)
3164 newrule->overload_tbl = NULL;
3165 if (newrule->overload_tblname[0]) {
3166 if ((newrule->overload_tbl = pfr_attach_table(
3167 ruleset, newrule->overload_tblname)) ==
3171 newrule->overload_tbl->pfrkt_flags |=
3175 pf_mv_kpool(&V_pf_pabuf, &newrule->rpool.list);
3176 if (((((newrule->action == PF_NAT) ||
3177 (newrule->action == PF_RDR) ||
3178 (newrule->action == PF_BINAT) ||
3179 (newrule->rt > PF_NOPFROUTE)) &&
3180 !newrule->anchor)) &&
3181 (TAILQ_FIRST(&newrule->rpool.list) == NULL))
3185 pf_free_rule(newrule);
3190 newrule->rpool.cur = TAILQ_FIRST(&newrule->rpool.list);
3192 pf_empty_kpool(&V_pf_pabuf);
3194 if (pcr->action == PF_CHANGE_ADD_HEAD)
3195 oldrule = TAILQ_FIRST(
3196 ruleset->rules[rs_num].active.ptr);
3197 else if (pcr->action == PF_CHANGE_ADD_TAIL)
3198 oldrule = TAILQ_LAST(
3199 ruleset->rules[rs_num].active.ptr, pf_krulequeue);
3201 oldrule = TAILQ_FIRST(
3202 ruleset->rules[rs_num].active.ptr);
3203 while ((oldrule != NULL) && (oldrule->nr != pcr->nr))
3204 oldrule = TAILQ_NEXT(oldrule, entries);
3205 if (oldrule == NULL) {
3206 if (newrule != NULL)
3207 pf_free_rule(newrule);
3214 if (pcr->action == PF_CHANGE_REMOVE) {
3215 pf_unlink_rule(ruleset->rules[rs_num].active.ptr,
3217 ruleset->rules[rs_num].active.rcount--;
3219 if (oldrule == NULL)
3221 ruleset->rules[rs_num].active.ptr,
3223 else if (pcr->action == PF_CHANGE_ADD_HEAD ||
3224 pcr->action == PF_CHANGE_ADD_BEFORE)
3225 TAILQ_INSERT_BEFORE(oldrule, newrule, entries);
3228 ruleset->rules[rs_num].active.ptr,
3229 oldrule, newrule, entries);
3230 ruleset->rules[rs_num].active.rcount++;
3234 TAILQ_FOREACH(oldrule,
3235 ruleset->rules[rs_num].active.ptr, entries)
3238 ruleset->rules[rs_num].active.ticket++;
3240 pf_calc_skip_steps(ruleset->rules[rs_num].active.ptr);
3241 pf_remove_if_empty_kruleset(ruleset);
3247 DIOCCHANGERULE_error:
3249 pf_krule_free(newrule);
3254 case DIOCCLRSTATES: {
3256 struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
3257 u_int i, killed = 0;
3259 for (i = 0; i <= pf_hashmask; i++) {
3260 struct pf_idhash *ih = &V_pf_idhash[i];
3262 relock_DIOCCLRSTATES:
3263 PF_HASHROW_LOCK(ih);
3264 LIST_FOREACH(s, &ih->states, entry)
3265 if (!psk->psk_ifname[0] ||
3266 !strcmp(psk->psk_ifname,
3267 s->kif->pfik_name)) {
3269 * Don't send out individual
3272 s->state_flags |= PFSTATE_NOSYNC;
3273 pf_unlink_state(s, PF_ENTER_LOCKED);
3275 goto relock_DIOCCLRSTATES;
3277 PF_HASHROW_UNLOCK(ih);
3279 psk->psk_killed = killed;
3280 if (V_pfsync_clear_states_ptr != NULL)
3281 V_pfsync_clear_states_ptr(V_pf_status.hostid, psk->psk_ifname);
3285 case DIOCKILLSTATES: {
3287 struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
3288 u_int i, killed = 0;
3290 if (psk->psk_pfcmp.id) {
3291 if (psk->psk_pfcmp.creatorid == 0)
3292 psk->psk_pfcmp.creatorid = V_pf_status.hostid;
3293 if ((s = pf_find_state_byid(psk->psk_pfcmp.id,
3294 psk->psk_pfcmp.creatorid))) {
3295 pf_unlink_state(s, PF_ENTER_LOCKED);
3296 psk->psk_killed = 1;
3301 for (i = 0; i <= pf_hashmask; i++)
3302 killed += pf_killstates_row(psk, &V_pf_idhash[i]);
3304 psk->psk_killed = killed;
3308 case DIOCADDSTATE: {
3309 struct pfioc_state *ps = (struct pfioc_state *)addr;
3310 struct pfsync_state *sp = &ps->state;
3312 if (sp->timeout >= PFTM_MAX) {
3316 if (V_pfsync_state_import_ptr != NULL) {
3318 error = V_pfsync_state_import_ptr(sp, PFSYNC_SI_IOCTL);
3325 case DIOCGETSTATE: {
3326 struct pfioc_state *ps = (struct pfioc_state *)addr;
3329 s = pf_find_state_byid(ps->state.id, ps->state.creatorid);
3335 pfsync_state_export(&ps->state, s);
3340 case DIOCGETSTATES: {
3341 struct pfioc_states *ps = (struct pfioc_states *)addr;
3343 struct pfsync_state *pstore, *p;
3346 if (ps->ps_len <= 0) {
3347 nr = uma_zone_get_cur(V_pf_state_z);
3348 ps->ps_len = sizeof(struct pfsync_state) * nr;
3352 p = pstore = malloc(ps->ps_len, M_TEMP, M_WAITOK | M_ZERO);
3355 for (i = 0; i <= pf_hashmask; i++) {
3356 struct pf_idhash *ih = &V_pf_idhash[i];
3358 PF_HASHROW_LOCK(ih);
3359 LIST_FOREACH(s, &ih->states, entry) {
3360 if (s->timeout == PFTM_UNLINKED)
3363 if ((nr+1) * sizeof(*p) > ps->ps_len) {
3364 PF_HASHROW_UNLOCK(ih);
3365 goto DIOCGETSTATES_full;
3367 pfsync_state_export(p, s);
3371 PF_HASHROW_UNLOCK(ih);
3374 error = copyout(pstore, ps->ps_states,
3375 sizeof(struct pfsync_state) * nr);
3377 free(pstore, M_TEMP);
3380 ps->ps_len = sizeof(struct pfsync_state) * nr;
3381 free(pstore, M_TEMP);
3386 case DIOCGETSTATUS: {
3387 struct pf_status *s = (struct pf_status *)addr;
3390 s->running = V_pf_status.running;
3391 s->since = V_pf_status.since;
3392 s->debug = V_pf_status.debug;
3393 s->hostid = V_pf_status.hostid;
3394 s->states = V_pf_status.states;
3395 s->src_nodes = V_pf_status.src_nodes;
3397 for (int i = 0; i < PFRES_MAX; i++)
3399 counter_u64_fetch(V_pf_status.counters[i]);
3400 for (int i = 0; i < LCNT_MAX; i++)
3402 counter_u64_fetch(V_pf_status.lcounters[i]);
3403 for (int i = 0; i < FCNT_MAX; i++)
3405 counter_u64_fetch(V_pf_status.fcounters[i]);
3406 for (int i = 0; i < SCNT_MAX; i++)
3408 counter_u64_fetch(V_pf_status.scounters[i]);
3410 bcopy(V_pf_status.ifname, s->ifname, IFNAMSIZ);
3411 bcopy(V_pf_status.pf_chksum, s->pf_chksum,
3412 PF_MD5_DIGEST_LENGTH);
3414 pfi_update_status(s->ifname, s);
3419 case DIOCSETSTATUSIF: {
3420 struct pfioc_if *pi = (struct pfioc_if *)addr;
3422 if (pi->ifname[0] == 0) {
3423 bzero(V_pf_status.ifname, IFNAMSIZ);
3427 strlcpy(V_pf_status.ifname, pi->ifname, IFNAMSIZ);
3432 case DIOCCLRSTATUS: {
3434 for (int i = 0; i < PFRES_MAX; i++)
3435 counter_u64_zero(V_pf_status.counters[i]);
3436 for (int i = 0; i < FCNT_MAX; i++)
3437 counter_u64_zero(V_pf_status.fcounters[i]);
3438 for (int i = 0; i < SCNT_MAX; i++)
3439 counter_u64_zero(V_pf_status.scounters[i]);
3440 for (int i = 0; i < LCNT_MAX; i++)
3441 counter_u64_zero(V_pf_status.lcounters[i]);
3442 V_pf_status.since = time_second;
3443 if (*V_pf_status.ifname)
3444 pfi_update_status(V_pf_status.ifname, NULL);
3450 struct pfioc_natlook *pnl = (struct pfioc_natlook *)addr;
3451 struct pf_state_key *sk;
3452 struct pf_state *state;
3453 struct pf_state_key_cmp key;
3454 int m = 0, direction = pnl->direction;
3457 /* NATLOOK src and dst are reversed, so reverse sidx/didx */
3458 sidx = (direction == PF_IN) ? 1 : 0;
3459 didx = (direction == PF_IN) ? 0 : 1;
3462 PF_AZERO(&pnl->saddr, pnl->af) ||
3463 PF_AZERO(&pnl->daddr, pnl->af) ||
3464 ((pnl->proto == IPPROTO_TCP ||
3465 pnl->proto == IPPROTO_UDP) &&
3466 (!pnl->dport || !pnl->sport)))
3469 bzero(&key, sizeof(key));
3471 key.proto = pnl->proto;
3472 PF_ACPY(&key.addr[sidx], &pnl->saddr, pnl->af);
3473 key.port[sidx] = pnl->sport;
3474 PF_ACPY(&key.addr[didx], &pnl->daddr, pnl->af);
3475 key.port[didx] = pnl->dport;
3477 state = pf_find_state_all(&key, direction, &m);
3480 error = E2BIG; /* more than one state */
3481 else if (state != NULL) {
3482 /* XXXGL: not locked read */
3483 sk = state->key[sidx];
3484 PF_ACPY(&pnl->rsaddr, &sk->addr[sidx], sk->af);
3485 pnl->rsport = sk->port[sidx];
3486 PF_ACPY(&pnl->rdaddr, &sk->addr[didx], sk->af);
3487 pnl->rdport = sk->port[didx];
3494 case DIOCSETTIMEOUT: {
3495 struct pfioc_tm *pt = (struct pfioc_tm *)addr;
3498 if (pt->timeout < 0 || pt->timeout >= PFTM_MAX ||
3504 old = V_pf_default_rule.timeout[pt->timeout];
3505 if (pt->timeout == PFTM_INTERVAL && pt->seconds == 0)
3507 V_pf_default_rule.timeout[pt->timeout] = pt->seconds;
3508 if (pt->timeout == PFTM_INTERVAL && pt->seconds < old)
3509 wakeup(pf_purge_thread);
3515 case DIOCGETTIMEOUT: {
3516 struct pfioc_tm *pt = (struct pfioc_tm *)addr;
3518 if (pt->timeout < 0 || pt->timeout >= PFTM_MAX) {
3523 pt->seconds = V_pf_default_rule.timeout[pt->timeout];
3528 case DIOCGETLIMIT: {
3529 struct pfioc_limit *pl = (struct pfioc_limit *)addr;
3531 if (pl->index < 0 || pl->index >= PF_LIMIT_MAX) {
3536 pl->limit = V_pf_limits[pl->index].limit;
3541 case DIOCSETLIMIT: {
3542 struct pfioc_limit *pl = (struct pfioc_limit *)addr;
3546 if (pl->index < 0 || pl->index >= PF_LIMIT_MAX ||
3547 V_pf_limits[pl->index].zone == NULL) {
3552 uma_zone_set_max(V_pf_limits[pl->index].zone, pl->limit);
3553 old_limit = V_pf_limits[pl->index].limit;
3554 V_pf_limits[pl->index].limit = pl->limit;
3555 pl->limit = old_limit;
3560 case DIOCSETDEBUG: {
3561 u_int32_t *level = (u_int32_t *)addr;
3564 V_pf_status.debug = *level;
3569 case DIOCCLRRULECTRS: {
3570 /* obsoleted by DIOCGETRULE with action=PF_GET_CLR_CNTR */
3571 struct pf_kruleset *ruleset = &pf_main_ruleset;
3572 struct pf_krule *rule;
3576 ruleset->rules[PF_RULESET_FILTER].active.ptr, entries) {
3577 counter_u64_zero(rule->evaluations);
3578 for (int i = 0; i < 2; i++) {
3579 counter_u64_zero(rule->packets[i]);
3580 counter_u64_zero(rule->bytes[i]);
3587 case DIOCGIFSPEEDV0:
3588 case DIOCGIFSPEEDV1: {
3589 struct pf_ifspeed_v1 *psp = (struct pf_ifspeed_v1 *)addr;
3590 struct pf_ifspeed_v1 ps;
3593 if (psp->ifname[0] != 0) {
3594 /* Can we completely trust user-land? */
3595 strlcpy(ps.ifname, psp->ifname, IFNAMSIZ);
3596 ifp = ifunit(ps.ifname);
3599 (u_int32_t)uqmin(ifp->if_baudrate, UINT_MAX);
3600 if (cmd == DIOCGIFSPEEDV1)
3601 psp->baudrate = ifp->if_baudrate;
3610 case DIOCSTARTALTQ: {
3611 struct pf_altq *altq;
3614 /* enable all altq interfaces on active list */
3615 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
3616 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
3617 error = pf_enable_altq(altq);
3623 V_pf_altq_running = 1;
3625 DPFPRINTF(PF_DEBUG_MISC, ("altq: started\n"));
3629 case DIOCSTOPALTQ: {
3630 struct pf_altq *altq;
3633 /* disable all altq interfaces on active list */
3634 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
3635 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
3636 error = pf_disable_altq(altq);
3642 V_pf_altq_running = 0;
3644 DPFPRINTF(PF_DEBUG_MISC, ("altq: stopped\n"));
3649 case DIOCADDALTQV1: {
3650 struct pfioc_altq_v1 *pa = (struct pfioc_altq_v1 *)addr;
3651 struct pf_altq *altq, *a;
3654 altq = malloc(sizeof(*altq), M_PFALTQ, M_WAITOK | M_ZERO);
3655 error = pf_import_kaltq(pa, altq, IOCPARM_LEN(cmd));
3658 altq->local_flags = 0;
3661 if (pa->ticket != V_ticket_altqs_inactive) {
3663 free(altq, M_PFALTQ);
3669 * if this is for a queue, find the discipline and
3670 * copy the necessary fields
3672 if (altq->qname[0] != 0) {
3673 if ((altq->qid = pf_qname2qid(altq->qname)) == 0) {
3676 free(altq, M_PFALTQ);
3679 altq->altq_disc = NULL;
3680 TAILQ_FOREACH(a, V_pf_altq_ifs_inactive, entries) {
3681 if (strncmp(a->ifname, altq->ifname,
3683 altq->altq_disc = a->altq_disc;
3689 if ((ifp = ifunit(altq->ifname)) == NULL)
3690 altq->local_flags |= PFALTQ_FLAG_IF_REMOVED;
3692 error = altq_add(ifp, altq);
3696 free(altq, M_PFALTQ);
3700 if (altq->qname[0] != 0)
3701 TAILQ_INSERT_TAIL(V_pf_altqs_inactive, altq, entries);
3703 TAILQ_INSERT_TAIL(V_pf_altq_ifs_inactive, altq, entries);
3704 /* version error check done on import above */
3705 pf_export_kaltq(altq, pa, IOCPARM_LEN(cmd));
3710 case DIOCGETALTQSV0:
3711 case DIOCGETALTQSV1: {
3712 struct pfioc_altq_v1 *pa = (struct pfioc_altq_v1 *)addr;
3713 struct pf_altq *altq;
3717 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries)
3719 TAILQ_FOREACH(altq, V_pf_altqs_active, entries)
3721 pa->ticket = V_ticket_altqs_active;
3727 case DIOCGETALTQV1: {
3728 struct pfioc_altq_v1 *pa = (struct pfioc_altq_v1 *)addr;
3729 struct pf_altq *altq;
3732 if (pa->ticket != V_ticket_altqs_active) {
3737 altq = pf_altq_get_nth_active(pa->nr);
3743 pf_export_kaltq(altq, pa, IOCPARM_LEN(cmd));
3748 case DIOCCHANGEALTQV0:
3749 case DIOCCHANGEALTQV1:
3750 /* CHANGEALTQ not supported yet! */
3754 case DIOCGETQSTATSV0:
3755 case DIOCGETQSTATSV1: {
3756 struct pfioc_qstats_v1 *pq = (struct pfioc_qstats_v1 *)addr;
3757 struct pf_altq *altq;
3762 if (pq->ticket != V_ticket_altqs_active) {
3767 nbytes = pq->nbytes;
3768 altq = pf_altq_get_nth_active(pq->nr);
3775 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) != 0) {
3781 if (cmd == DIOCGETQSTATSV0)
3782 version = 0; /* DIOCGETQSTATSV0 means stats struct v0 */
3784 version = pq->version;
3785 error = altq_getqstats(altq, pq->buf, &nbytes, version);
3787 pq->scheduler = altq->scheduler;
3788 pq->nbytes = nbytes;
3794 case DIOCBEGINADDRS: {
3795 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
3798 pf_empty_kpool(&V_pf_pabuf);
3799 pp->ticket = ++V_ticket_pabuf;
3805 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
3806 struct pf_kpooladdr *pa;
3807 struct pfi_kkif *kif = NULL;
3810 if (pp->af == AF_INET) {
3811 error = EAFNOSUPPORT;
3816 if (pp->af == AF_INET6) {
3817 error = EAFNOSUPPORT;
3821 if (pp->addr.addr.type != PF_ADDR_ADDRMASK &&
3822 pp->addr.addr.type != PF_ADDR_DYNIFTL &&
3823 pp->addr.addr.type != PF_ADDR_TABLE) {
3827 if (pp->addr.addr.p.dyn != NULL) {
3831 pa = malloc(sizeof(*pa), M_PFRULE, M_WAITOK);
3832 pf_pooladdr_to_kpooladdr(&pp->addr, pa);
3834 kif = pf_kkif_create(M_WAITOK);
3836 if (pp->ticket != V_ticket_pabuf) {
3844 if (pa->ifname[0]) {
3845 pa->kif = pfi_kkif_attach(kif, pa->ifname);
3847 pfi_kkif_ref(pa->kif);
3850 if (pa->addr.type == PF_ADDR_DYNIFTL && ((error =
3851 pfi_dynaddr_setup(&pa->addr, pp->af)) != 0)) {
3853 pfi_kkif_unref(pa->kif);
3858 TAILQ_INSERT_TAIL(&V_pf_pabuf, pa, entries);
3863 case DIOCGETADDRS: {
3864 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
3865 struct pf_kpool *pool;
3866 struct pf_kpooladdr *pa;
3870 pool = pf_get_kpool(pp->anchor, pp->ticket, pp->r_action,
3871 pp->r_num, 0, 1, 0);
3877 TAILQ_FOREACH(pa, &pool->list, entries)
3884 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
3885 struct pf_kpool *pool;
3886 struct pf_kpooladdr *pa;
3890 pool = pf_get_kpool(pp->anchor, pp->ticket, pp->r_action,
3891 pp->r_num, 0, 1, 1);
3897 pa = TAILQ_FIRST(&pool->list);
3898 while ((pa != NULL) && (nr < pp->nr)) {
3899 pa = TAILQ_NEXT(pa, entries);
3907 pf_kpooladdr_to_pooladdr(pa, &pp->addr);
3908 pf_addr_copyout(&pp->addr.addr);
3913 case DIOCCHANGEADDR: {
3914 struct pfioc_pooladdr *pca = (struct pfioc_pooladdr *)addr;
3915 struct pf_kpool *pool;
3916 struct pf_kpooladdr *oldpa = NULL, *newpa = NULL;
3917 struct pf_kruleset *ruleset;
3918 struct pfi_kkif *kif = NULL;
3920 if (pca->action < PF_CHANGE_ADD_HEAD ||
3921 pca->action > PF_CHANGE_REMOVE) {
3925 if (pca->addr.addr.type != PF_ADDR_ADDRMASK &&
3926 pca->addr.addr.type != PF_ADDR_DYNIFTL &&
3927 pca->addr.addr.type != PF_ADDR_TABLE) {
3931 if (pca->addr.addr.p.dyn != NULL) {
3936 if (pca->action != PF_CHANGE_REMOVE) {
3938 if (pca->af == AF_INET) {
3939 error = EAFNOSUPPORT;
3944 if (pca->af == AF_INET6) {
3945 error = EAFNOSUPPORT;
3949 newpa = malloc(sizeof(*newpa), M_PFRULE, M_WAITOK);
3950 bcopy(&pca->addr, newpa, sizeof(struct pf_pooladdr));
3951 if (newpa->ifname[0])
3952 kif = pf_kkif_create(M_WAITOK);
3955 #define ERROUT(x) { error = (x); goto DIOCCHANGEADDR_error; }
3957 ruleset = pf_find_kruleset(pca->anchor);
3958 if (ruleset == NULL)
3961 pool = pf_get_kpool(pca->anchor, pca->ticket, pca->r_action,
3962 pca->r_num, pca->r_last, 1, 1);
3966 if (pca->action != PF_CHANGE_REMOVE) {
3967 if (newpa->ifname[0]) {
3968 newpa->kif = pfi_kkif_attach(kif, newpa->ifname);
3969 pfi_kkif_ref(newpa->kif);
3973 switch (newpa->addr.type) {
3974 case PF_ADDR_DYNIFTL:
3975 error = pfi_dynaddr_setup(&newpa->addr,
3979 newpa->addr.p.tbl = pfr_attach_table(ruleset,
3980 newpa->addr.v.tblname);
3981 if (newpa->addr.p.tbl == NULL)
3986 goto DIOCCHANGEADDR_error;
3989 switch (pca->action) {
3990 case PF_CHANGE_ADD_HEAD:
3991 oldpa = TAILQ_FIRST(&pool->list);
3993 case PF_CHANGE_ADD_TAIL:
3994 oldpa = TAILQ_LAST(&pool->list, pf_kpalist);
3997 oldpa = TAILQ_FIRST(&pool->list);
3998 for (int i = 0; oldpa && i < pca->nr; i++)
3999 oldpa = TAILQ_NEXT(oldpa, entries);
4005 if (pca->action == PF_CHANGE_REMOVE) {
4006 TAILQ_REMOVE(&pool->list, oldpa, entries);
4007 switch (oldpa->addr.type) {
4008 case PF_ADDR_DYNIFTL:
4009 pfi_dynaddr_remove(oldpa->addr.p.dyn);
4012 pfr_detach_table(oldpa->addr.p.tbl);
4016 pfi_kkif_unref(oldpa->kif);
4017 free(oldpa, M_PFRULE);
4020 TAILQ_INSERT_TAIL(&pool->list, newpa, entries);
4021 else if (pca->action == PF_CHANGE_ADD_HEAD ||
4022 pca->action == PF_CHANGE_ADD_BEFORE)
4023 TAILQ_INSERT_BEFORE(oldpa, newpa, entries);
4025 TAILQ_INSERT_AFTER(&pool->list, oldpa,
4029 pool->cur = TAILQ_FIRST(&pool->list);
4030 PF_ACPY(&pool->counter, &pool->cur->addr.v.a.addr, pca->af);
4035 DIOCCHANGEADDR_error:
4036 if (newpa != NULL) {
4038 pfi_kkif_unref(newpa->kif);
4039 free(newpa, M_PFRULE);
4046 case DIOCGETRULESETS: {
4047 struct pfioc_ruleset *pr = (struct pfioc_ruleset *)addr;
4048 struct pf_kruleset *ruleset;
4049 struct pf_kanchor *anchor;
4052 pr->path[sizeof(pr->path) - 1] = 0;
4053 if ((ruleset = pf_find_kruleset(pr->path)) == NULL) {
4059 if (ruleset->anchor == NULL) {
4060 /* XXX kludge for pf_main_ruleset */
4061 RB_FOREACH(anchor, pf_kanchor_global, &V_pf_anchors)
4062 if (anchor->parent == NULL)
4065 RB_FOREACH(anchor, pf_kanchor_node,
4066 &ruleset->anchor->children)
4073 case DIOCGETRULESET: {
4074 struct pfioc_ruleset *pr = (struct pfioc_ruleset *)addr;
4075 struct pf_kruleset *ruleset;
4076 struct pf_kanchor *anchor;
4080 pr->path[sizeof(pr->path) - 1] = 0;
4081 if ((ruleset = pf_find_kruleset(pr->path)) == NULL) {
4087 if (ruleset->anchor == NULL) {
4088 /* XXX kludge for pf_main_ruleset */
4089 RB_FOREACH(anchor, pf_kanchor_global, &V_pf_anchors)
4090 if (anchor->parent == NULL && nr++ == pr->nr) {
4091 strlcpy(pr->name, anchor->name,
4096 RB_FOREACH(anchor, pf_kanchor_node,
4097 &ruleset->anchor->children)
4098 if (nr++ == pr->nr) {
4099 strlcpy(pr->name, anchor->name,
4110 case DIOCRCLRTABLES: {
4111 struct pfioc_table *io = (struct pfioc_table *)addr;
4113 if (io->pfrio_esize != 0) {
4118 error = pfr_clr_tables(&io->pfrio_table, &io->pfrio_ndel,
4119 io->pfrio_flags | PFR_FLAG_USERIOCTL);
4124 case DIOCRADDTABLES: {
4125 struct pfioc_table *io = (struct pfioc_table *)addr;
4126 struct pfr_table *pfrts;
4129 if (io->pfrio_esize != sizeof(struct pfr_table)) {
4134 if (io->pfrio_size < 0 || io->pfrio_size > pf_ioctl_maxcount ||
4135 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_table))) {
4140 totlen = io->pfrio_size * sizeof(struct pfr_table);
4141 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
4143 error = copyin(io->pfrio_buffer, pfrts, totlen);
4145 free(pfrts, M_TEMP);
4149 error = pfr_add_tables(pfrts, io->pfrio_size,
4150 &io->pfrio_nadd, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4152 free(pfrts, M_TEMP);
4156 case DIOCRDELTABLES: {
4157 struct pfioc_table *io = (struct pfioc_table *)addr;
4158 struct pfr_table *pfrts;
4161 if (io->pfrio_esize != sizeof(struct pfr_table)) {
4166 if (io->pfrio_size < 0 || io->pfrio_size > pf_ioctl_maxcount ||
4167 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_table))) {
4172 totlen = io->pfrio_size * sizeof(struct pfr_table);
4173 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
4175 error = copyin(io->pfrio_buffer, pfrts, totlen);
4177 free(pfrts, M_TEMP);
4181 error = pfr_del_tables(pfrts, io->pfrio_size,
4182 &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4184 free(pfrts, M_TEMP);
4188 case DIOCRGETTABLES: {
4189 struct pfioc_table *io = (struct pfioc_table *)addr;
4190 struct pfr_table *pfrts;
4194 if (io->pfrio_esize != sizeof(struct pfr_table)) {
4199 n = pfr_table_count(&io->pfrio_table, io->pfrio_flags);
4205 io->pfrio_size = min(io->pfrio_size, n);
4207 totlen = io->pfrio_size * sizeof(struct pfr_table);
4209 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
4211 if (pfrts == NULL) {
4216 error = pfr_get_tables(&io->pfrio_table, pfrts,
4217 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4220 error = copyout(pfrts, io->pfrio_buffer, totlen);
4221 free(pfrts, M_TEMP);
4225 case DIOCRGETTSTATS: {
4226 struct pfioc_table *io = (struct pfioc_table *)addr;
4227 struct pfr_tstats *pfrtstats;
4231 if (io->pfrio_esize != sizeof(struct pfr_tstats)) {
4236 n = pfr_table_count(&io->pfrio_table, io->pfrio_flags);
4242 io->pfrio_size = min(io->pfrio_size, n);
4244 totlen = io->pfrio_size * sizeof(struct pfr_tstats);
4245 pfrtstats = mallocarray(io->pfrio_size,
4246 sizeof(struct pfr_tstats), M_TEMP, M_NOWAIT);
4247 if (pfrtstats == NULL) {
4252 error = pfr_get_tstats(&io->pfrio_table, pfrtstats,
4253 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4256 error = copyout(pfrtstats, io->pfrio_buffer, totlen);
4257 free(pfrtstats, M_TEMP);
4261 case DIOCRCLRTSTATS: {
4262 struct pfioc_table *io = (struct pfioc_table *)addr;
4263 struct pfr_table *pfrts;
4266 if (io->pfrio_esize != sizeof(struct pfr_table)) {
4271 if (io->pfrio_size < 0 || io->pfrio_size > pf_ioctl_maxcount ||
4272 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_table))) {
4273 /* We used to count tables and use the minimum required
4274 * size, so we didn't fail on overly large requests.
4276 io->pfrio_size = pf_ioctl_maxcount;
4280 totlen = io->pfrio_size * sizeof(struct pfr_table);
4281 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
4283 if (pfrts == NULL) {
4287 error = copyin(io->pfrio_buffer, pfrts, totlen);
4289 free(pfrts, M_TEMP);
4294 error = pfr_clr_tstats(pfrts, io->pfrio_size,
4295 &io->pfrio_nzero, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4297 free(pfrts, M_TEMP);
4301 case DIOCRSETTFLAGS: {
4302 struct pfioc_table *io = (struct pfioc_table *)addr;
4303 struct pfr_table *pfrts;
4307 if (io->pfrio_esize != sizeof(struct pfr_table)) {
4313 n = pfr_table_count(&io->pfrio_table, io->pfrio_flags);
4320 io->pfrio_size = min(io->pfrio_size, n);
4323 totlen = io->pfrio_size * sizeof(struct pfr_table);
4324 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
4326 error = copyin(io->pfrio_buffer, pfrts, totlen);
4328 free(pfrts, M_TEMP);
4332 error = pfr_set_tflags(pfrts, io->pfrio_size,
4333 io->pfrio_setflag, io->pfrio_clrflag, &io->pfrio_nchange,
4334 &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4336 free(pfrts, M_TEMP);
4340 case DIOCRCLRADDRS: {
4341 struct pfioc_table *io = (struct pfioc_table *)addr;
4343 if (io->pfrio_esize != 0) {
4348 error = pfr_clr_addrs(&io->pfrio_table, &io->pfrio_ndel,
4349 io->pfrio_flags | PFR_FLAG_USERIOCTL);
4354 case DIOCRADDADDRS: {
4355 struct pfioc_table *io = (struct pfioc_table *)addr;
4356 struct pfr_addr *pfras;
4359 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4363 if (io->pfrio_size < 0 ||
4364 io->pfrio_size > pf_ioctl_maxcount ||
4365 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4369 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4370 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4376 error = copyin(io->pfrio_buffer, pfras, totlen);
4378 free(pfras, M_TEMP);
4382 error = pfr_add_addrs(&io->pfrio_table, pfras,
4383 io->pfrio_size, &io->pfrio_nadd, io->pfrio_flags |
4384 PFR_FLAG_USERIOCTL);
4386 if (error == 0 && io->pfrio_flags & PFR_FLAG_FEEDBACK)
4387 error = copyout(pfras, io->pfrio_buffer, totlen);
4388 free(pfras, M_TEMP);
4392 case DIOCRDELADDRS: {
4393 struct pfioc_table *io = (struct pfioc_table *)addr;
4394 struct pfr_addr *pfras;
4397 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4401 if (io->pfrio_size < 0 ||
4402 io->pfrio_size > pf_ioctl_maxcount ||
4403 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4407 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4408 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4414 error = copyin(io->pfrio_buffer, pfras, totlen);
4416 free(pfras, M_TEMP);
4420 error = pfr_del_addrs(&io->pfrio_table, pfras,
4421 io->pfrio_size, &io->pfrio_ndel, io->pfrio_flags |
4422 PFR_FLAG_USERIOCTL);
4424 if (error == 0 && io->pfrio_flags & PFR_FLAG_FEEDBACK)
4425 error = copyout(pfras, io->pfrio_buffer, totlen);
4426 free(pfras, M_TEMP);
4430 case DIOCRSETADDRS: {
4431 struct pfioc_table *io = (struct pfioc_table *)addr;
4432 struct pfr_addr *pfras;
4433 size_t totlen, count;
4435 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4439 if (io->pfrio_size < 0 || io->pfrio_size2 < 0) {
4443 count = max(io->pfrio_size, io->pfrio_size2);
4444 if (count > pf_ioctl_maxcount ||
4445 WOULD_OVERFLOW(count, sizeof(struct pfr_addr))) {
4449 totlen = count * sizeof(struct pfr_addr);
4450 pfras = mallocarray(count, sizeof(struct pfr_addr), M_TEMP,
4456 error = copyin(io->pfrio_buffer, pfras, totlen);
4458 free(pfras, M_TEMP);
4462 error = pfr_set_addrs(&io->pfrio_table, pfras,
4463 io->pfrio_size, &io->pfrio_size2, &io->pfrio_nadd,
4464 &io->pfrio_ndel, &io->pfrio_nchange, io->pfrio_flags |
4465 PFR_FLAG_USERIOCTL, 0);
4467 if (error == 0 && io->pfrio_flags & PFR_FLAG_FEEDBACK)
4468 error = copyout(pfras, io->pfrio_buffer, totlen);
4469 free(pfras, M_TEMP);
4473 case DIOCRGETADDRS: {
4474 struct pfioc_table *io = (struct pfioc_table *)addr;
4475 struct pfr_addr *pfras;
4478 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4482 if (io->pfrio_size < 0 ||
4483 io->pfrio_size > pf_ioctl_maxcount ||
4484 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4488 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4489 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4496 error = pfr_get_addrs(&io->pfrio_table, pfras,
4497 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4500 error = copyout(pfras, io->pfrio_buffer, totlen);
4501 free(pfras, M_TEMP);
4505 case DIOCRGETASTATS: {
4506 struct pfioc_table *io = (struct pfioc_table *)addr;
4507 struct pfr_astats *pfrastats;
4510 if (io->pfrio_esize != sizeof(struct pfr_astats)) {
4514 if (io->pfrio_size < 0 ||
4515 io->pfrio_size > pf_ioctl_maxcount ||
4516 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_astats))) {
4520 totlen = io->pfrio_size * sizeof(struct pfr_astats);
4521 pfrastats = mallocarray(io->pfrio_size,
4522 sizeof(struct pfr_astats), M_TEMP, M_NOWAIT);
4528 error = pfr_get_astats(&io->pfrio_table, pfrastats,
4529 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4532 error = copyout(pfrastats, io->pfrio_buffer, totlen);
4533 free(pfrastats, M_TEMP);
4537 case DIOCRCLRASTATS: {
4538 struct pfioc_table *io = (struct pfioc_table *)addr;
4539 struct pfr_addr *pfras;
4542 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4546 if (io->pfrio_size < 0 ||
4547 io->pfrio_size > pf_ioctl_maxcount ||
4548 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4552 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4553 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4559 error = copyin(io->pfrio_buffer, pfras, totlen);
4561 free(pfras, M_TEMP);
4565 error = pfr_clr_astats(&io->pfrio_table, pfras,
4566 io->pfrio_size, &io->pfrio_nzero, io->pfrio_flags |
4567 PFR_FLAG_USERIOCTL);
4569 if (error == 0 && io->pfrio_flags & PFR_FLAG_FEEDBACK)
4570 error = copyout(pfras, io->pfrio_buffer, totlen);
4571 free(pfras, M_TEMP);
4575 case DIOCRTSTADDRS: {
4576 struct pfioc_table *io = (struct pfioc_table *)addr;
4577 struct pfr_addr *pfras;
4580 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4584 if (io->pfrio_size < 0 ||
4585 io->pfrio_size > pf_ioctl_maxcount ||
4586 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4590 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4591 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4597 error = copyin(io->pfrio_buffer, pfras, totlen);
4599 free(pfras, M_TEMP);
4603 error = pfr_tst_addrs(&io->pfrio_table, pfras,
4604 io->pfrio_size, &io->pfrio_nmatch, io->pfrio_flags |
4605 PFR_FLAG_USERIOCTL);
4608 error = copyout(pfras, io->pfrio_buffer, totlen);
4609 free(pfras, M_TEMP);
4613 case DIOCRINADEFINE: {
4614 struct pfioc_table *io = (struct pfioc_table *)addr;
4615 struct pfr_addr *pfras;
4618 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4622 if (io->pfrio_size < 0 ||
4623 io->pfrio_size > pf_ioctl_maxcount ||
4624 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4628 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4629 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4635 error = copyin(io->pfrio_buffer, pfras, totlen);
4637 free(pfras, M_TEMP);
4641 error = pfr_ina_define(&io->pfrio_table, pfras,
4642 io->pfrio_size, &io->pfrio_nadd, &io->pfrio_naddr,
4643 io->pfrio_ticket, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4645 free(pfras, M_TEMP);
4650 struct pf_osfp_ioctl *io = (struct pf_osfp_ioctl *)addr;
4652 error = pf_osfp_add(io);
4658 struct pf_osfp_ioctl *io = (struct pf_osfp_ioctl *)addr;
4660 error = pf_osfp_get(io);
4666 struct pfioc_trans *io = (struct pfioc_trans *)addr;
4667 struct pfioc_trans_e *ioes, *ioe;
4671 if (io->esize != sizeof(*ioe)) {
4676 io->size > pf_ioctl_maxcount ||
4677 WOULD_OVERFLOW(io->size, sizeof(struct pfioc_trans_e))) {
4681 totlen = sizeof(struct pfioc_trans_e) * io->size;
4682 ioes = mallocarray(io->size, sizeof(struct pfioc_trans_e),
4688 error = copyin(io->array, ioes, totlen);
4694 for (i = 0, ioe = ioes; i < io->size; i++, ioe++) {
4695 switch (ioe->rs_num) {
4697 case PF_RULESET_ALTQ:
4698 if (ioe->anchor[0]) {
4704 if ((error = pf_begin_altq(&ioe->ticket))) {
4711 case PF_RULESET_TABLE:
4713 struct pfr_table table;
4715 bzero(&table, sizeof(table));
4716 strlcpy(table.pfrt_anchor, ioe->anchor,
4717 sizeof(table.pfrt_anchor));
4718 if ((error = pfr_ina_begin(&table,
4719 &ioe->ticket, NULL, 0))) {
4727 if ((error = pf_begin_rules(&ioe->ticket,
4728 ioe->rs_num, ioe->anchor))) {
4737 error = copyout(ioes, io->array, totlen);
4742 case DIOCXROLLBACK: {
4743 struct pfioc_trans *io = (struct pfioc_trans *)addr;
4744 struct pfioc_trans_e *ioe, *ioes;
4748 if (io->esize != sizeof(*ioe)) {
4753 io->size > pf_ioctl_maxcount ||
4754 WOULD_OVERFLOW(io->size, sizeof(struct pfioc_trans_e))) {
4758 totlen = sizeof(struct pfioc_trans_e) * io->size;
4759 ioes = mallocarray(io->size, sizeof(struct pfioc_trans_e),
4765 error = copyin(io->array, ioes, totlen);
4771 for (i = 0, ioe = ioes; i < io->size; i++, ioe++) {
4772 switch (ioe->rs_num) {
4774 case PF_RULESET_ALTQ:
4775 if (ioe->anchor[0]) {
4781 if ((error = pf_rollback_altq(ioe->ticket))) {
4784 goto fail; /* really bad */
4788 case PF_RULESET_TABLE:
4790 struct pfr_table table;
4792 bzero(&table, sizeof(table));
4793 strlcpy(table.pfrt_anchor, ioe->anchor,
4794 sizeof(table.pfrt_anchor));
4795 if ((error = pfr_ina_rollback(&table,
4796 ioe->ticket, NULL, 0))) {
4799 goto fail; /* really bad */
4804 if ((error = pf_rollback_rules(ioe->ticket,
4805 ioe->rs_num, ioe->anchor))) {
4808 goto fail; /* really bad */
4819 struct pfioc_trans *io = (struct pfioc_trans *)addr;
4820 struct pfioc_trans_e *ioe, *ioes;
4821 struct pf_kruleset *rs;
4825 if (io->esize != sizeof(*ioe)) {
4831 io->size > pf_ioctl_maxcount ||
4832 WOULD_OVERFLOW(io->size, sizeof(struct pfioc_trans_e))) {
4837 totlen = sizeof(struct pfioc_trans_e) * io->size;
4838 ioes = mallocarray(io->size, sizeof(struct pfioc_trans_e),
4844 error = copyin(io->array, ioes, totlen);
4850 /* First makes sure everything will succeed. */
4851 for (i = 0, ioe = ioes; i < io->size; i++, ioe++) {
4852 switch (ioe->rs_num) {
4854 case PF_RULESET_ALTQ:
4855 if (ioe->anchor[0]) {
4861 if (!V_altqs_inactive_open || ioe->ticket !=
4862 V_ticket_altqs_inactive) {
4870 case PF_RULESET_TABLE:
4871 rs = pf_find_kruleset(ioe->anchor);
4872 if (rs == NULL || !rs->topen || ioe->ticket !=
4881 if (ioe->rs_num < 0 || ioe->rs_num >=
4888 rs = pf_find_kruleset(ioe->anchor);
4890 !rs->rules[ioe->rs_num].inactive.open ||
4891 rs->rules[ioe->rs_num].inactive.ticket !=
4901 /* Now do the commit - no errors should happen here. */
4902 for (i = 0, ioe = ioes; i < io->size; i++, ioe++) {
4903 switch (ioe->rs_num) {
4905 case PF_RULESET_ALTQ:
4906 if ((error = pf_commit_altq(ioe->ticket))) {
4909 goto fail; /* really bad */
4913 case PF_RULESET_TABLE:
4915 struct pfr_table table;
4917 bzero(&table, sizeof(table));
4918 strlcpy(table.pfrt_anchor, ioe->anchor,
4919 sizeof(table.pfrt_anchor));
4920 if ((error = pfr_ina_commit(&table,
4921 ioe->ticket, NULL, NULL, 0))) {
4924 goto fail; /* really bad */
4929 if ((error = pf_commit_rules(ioe->ticket,
4930 ioe->rs_num, ioe->anchor))) {
4933 goto fail; /* really bad */
4943 case DIOCGETSRCNODES: {
4944 struct pfioc_src_nodes *psn = (struct pfioc_src_nodes *)addr;
4945 struct pf_srchash *sh;
4946 struct pf_ksrc_node *n;
4947 struct pf_src_node *p, *pstore;
4950 for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
4952 PF_HASHROW_LOCK(sh);
4953 LIST_FOREACH(n, &sh->nodes, entry)
4955 PF_HASHROW_UNLOCK(sh);
4958 psn->psn_len = min(psn->psn_len,
4959 sizeof(struct pf_src_node) * nr);
4961 if (psn->psn_len == 0) {
4962 psn->psn_len = sizeof(struct pf_src_node) * nr;
4968 p = pstore = malloc(psn->psn_len, M_TEMP, M_WAITOK | M_ZERO);
4969 for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
4971 PF_HASHROW_LOCK(sh);
4972 LIST_FOREACH(n, &sh->nodes, entry) {
4974 if ((nr + 1) * sizeof(*p) > (unsigned)psn->psn_len)
4977 pf_src_node_copy(n, p);
4982 PF_HASHROW_UNLOCK(sh);
4984 error = copyout(pstore, psn->psn_src_nodes,
4985 sizeof(struct pf_src_node) * nr);
4987 free(pstore, M_TEMP);
4990 psn->psn_len = sizeof(struct pf_src_node) * nr;
4991 free(pstore, M_TEMP);
4995 case DIOCCLRSRCNODES: {
4996 pf_clear_srcnodes(NULL);
4997 pf_purge_expired_src_nodes();
5001 case DIOCKILLSRCNODES:
5002 pf_kill_srcnodes((struct pfioc_src_node_kill *)addr);
5005 case DIOCKEEPCOUNTERS:
5006 error = pf_keepcounters((struct pfioc_nv *)addr);
5009 case DIOCSETHOSTID: {
5010 u_int32_t *hostid = (u_int32_t *)addr;
5014 V_pf_status.hostid = arc4random();
5016 V_pf_status.hostid = *hostid;
5027 case DIOCIGETIFACES: {
5028 struct pfioc_iface *io = (struct pfioc_iface *)addr;
5029 struct pfi_kif *ifstore;
5032 if (io->pfiio_esize != sizeof(struct pfi_kif)) {
5037 if (io->pfiio_size < 0 ||
5038 io->pfiio_size > pf_ioctl_maxcount ||
5039 WOULD_OVERFLOW(io->pfiio_size, sizeof(struct pfi_kif))) {
5044 bufsiz = io->pfiio_size * sizeof(struct pfi_kif);
5045 ifstore = mallocarray(io->pfiio_size, sizeof(struct pfi_kif),
5047 if (ifstore == NULL) {
5053 pfi_get_ifaces(io->pfiio_name, ifstore, &io->pfiio_size);
5055 error = copyout(ifstore, io->pfiio_buffer, bufsiz);
5056 free(ifstore, M_TEMP);
5060 case DIOCSETIFFLAG: {
5061 struct pfioc_iface *io = (struct pfioc_iface *)addr;
5064 error = pfi_set_flags(io->pfiio_name, io->pfiio_flags);
5069 case DIOCCLRIFFLAG: {
5070 struct pfioc_iface *io = (struct pfioc_iface *)addr;
5073 error = pfi_clear_flags(io->pfiio_name, io->pfiio_flags);
5083 if (sx_xlocked(&pf_ioctl_lock))
5084 sx_xunlock(&pf_ioctl_lock);
5091 pfsync_state_export(struct pfsync_state *sp, struct pf_state *st)
5093 bzero(sp, sizeof(struct pfsync_state));
5095 /* copy from state key */
5096 sp->key[PF_SK_WIRE].addr[0] = st->key[PF_SK_WIRE]->addr[0];
5097 sp->key[PF_SK_WIRE].addr[1] = st->key[PF_SK_WIRE]->addr[1];
5098 sp->key[PF_SK_WIRE].port[0] = st->key[PF_SK_WIRE]->port[0];
5099 sp->key[PF_SK_WIRE].port[1] = st->key[PF_SK_WIRE]->port[1];
5100 sp->key[PF_SK_STACK].addr[0] = st->key[PF_SK_STACK]->addr[0];
5101 sp->key[PF_SK_STACK].addr[1] = st->key[PF_SK_STACK]->addr[1];
5102 sp->key[PF_SK_STACK].port[0] = st->key[PF_SK_STACK]->port[0];
5103 sp->key[PF_SK_STACK].port[1] = st->key[PF_SK_STACK]->port[1];
5104 sp->proto = st->key[PF_SK_WIRE]->proto;
5105 sp->af = st->key[PF_SK_WIRE]->af;
5107 /* copy from state */
5108 strlcpy(sp->ifname, st->kif->pfik_name, sizeof(sp->ifname));
5109 bcopy(&st->rt_addr, &sp->rt_addr, sizeof(sp->rt_addr));
5110 sp->creation = htonl(time_uptime - st->creation);
5111 sp->expire = pf_state_expires(st);
5112 if (sp->expire <= time_uptime)
5113 sp->expire = htonl(0);
5115 sp->expire = htonl(sp->expire - time_uptime);
5117 sp->direction = st->direction;
5119 sp->timeout = st->timeout;
5120 sp->state_flags = st->state_flags;
5122 sp->sync_flags |= PFSYNC_FLAG_SRCNODE;
5123 if (st->nat_src_node)
5124 sp->sync_flags |= PFSYNC_FLAG_NATSRCNODE;
5127 sp->creatorid = st->creatorid;
5128 pf_state_peer_hton(&st->src, &sp->src);
5129 pf_state_peer_hton(&st->dst, &sp->dst);
5131 if (st->rule.ptr == NULL)
5132 sp->rule = htonl(-1);
5134 sp->rule = htonl(st->rule.ptr->nr);
5135 if (st->anchor.ptr == NULL)
5136 sp->anchor = htonl(-1);
5138 sp->anchor = htonl(st->anchor.ptr->nr);
5139 if (st->nat_rule.ptr == NULL)
5140 sp->nat_rule = htonl(-1);
5142 sp->nat_rule = htonl(st->nat_rule.ptr->nr);
5144 pf_state_counter_hton(counter_u64_fetch(st->packets[0]),
5146 pf_state_counter_hton(counter_u64_fetch(st->packets[1]),
5148 pf_state_counter_hton(counter_u64_fetch(st->bytes[0]), sp->bytes[0]);
5149 pf_state_counter_hton(counter_u64_fetch(st->bytes[1]), sp->bytes[1]);
5154 pf_tbladdr_copyout(struct pf_addr_wrap *aw)
5156 struct pfr_ktable *kt;
5158 KASSERT(aw->type == PF_ADDR_TABLE, ("%s: type %u", __func__, aw->type));
5161 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
5162 kt = kt->pfrkt_root;
5164 aw->p.tblcnt = (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) ?
5169 * XXX - Check for version missmatch!!!
5172 pf_clear_states(void)
5177 for (i = 0; i <= pf_hashmask; i++) {
5178 struct pf_idhash *ih = &V_pf_idhash[i];
5180 PF_HASHROW_LOCK(ih);
5181 LIST_FOREACH(s, &ih->states, entry) {
5182 s->timeout = PFTM_PURGE;
5183 /* Don't send out individual delete messages. */
5184 s->state_flags |= PFSTATE_NOSYNC;
5185 pf_unlink_state(s, PF_ENTER_LOCKED);
5188 PF_HASHROW_UNLOCK(ih);
5193 pf_clear_tables(void)
5195 struct pfioc_table io;
5198 bzero(&io, sizeof(io));
5200 error = pfr_clr_tables(&io.pfrio_table, &io.pfrio_ndel,
5207 pf_clear_srcnodes(struct pf_ksrc_node *n)
5212 for (i = 0; i <= pf_hashmask; i++) {
5213 struct pf_idhash *ih = &V_pf_idhash[i];
5215 PF_HASHROW_LOCK(ih);
5216 LIST_FOREACH(s, &ih->states, entry) {
5217 if (n == NULL || n == s->src_node)
5219 if (n == NULL || n == s->nat_src_node)
5220 s->nat_src_node = NULL;
5222 PF_HASHROW_UNLOCK(ih);
5226 struct pf_srchash *sh;
5228 for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
5230 PF_HASHROW_LOCK(sh);
5231 LIST_FOREACH(n, &sh->nodes, entry) {
5235 PF_HASHROW_UNLOCK(sh);
5238 /* XXX: hash slot should already be locked here. */
5245 pf_kill_srcnodes(struct pfioc_src_node_kill *psnk)
5247 struct pf_ksrc_node_list kill;
5250 for (int i = 0; i <= pf_srchashmask; i++) {
5251 struct pf_srchash *sh = &V_pf_srchash[i];
5252 struct pf_ksrc_node *sn, *tmp;
5254 PF_HASHROW_LOCK(sh);
5255 LIST_FOREACH_SAFE(sn, &sh->nodes, entry, tmp)
5256 if (PF_MATCHA(psnk->psnk_src.neg,
5257 &psnk->psnk_src.addr.v.a.addr,
5258 &psnk->psnk_src.addr.v.a.mask,
5259 &sn->addr, sn->af) &&
5260 PF_MATCHA(psnk->psnk_dst.neg,
5261 &psnk->psnk_dst.addr.v.a.addr,
5262 &psnk->psnk_dst.addr.v.a.mask,
5263 &sn->raddr, sn->af)) {
5264 pf_unlink_src_node(sn);
5265 LIST_INSERT_HEAD(&kill, sn, entry);
5268 PF_HASHROW_UNLOCK(sh);
5271 for (int i = 0; i <= pf_hashmask; i++) {
5272 struct pf_idhash *ih = &V_pf_idhash[i];
5275 PF_HASHROW_LOCK(ih);
5276 LIST_FOREACH(s, &ih->states, entry) {
5277 if (s->src_node && s->src_node->expire == 1)
5279 if (s->nat_src_node && s->nat_src_node->expire == 1)
5280 s->nat_src_node = NULL;
5282 PF_HASHROW_UNLOCK(ih);
5285 psnk->psnk_killed = pf_free_src_nodes(&kill);
5289 pf_keepcounters(struct pfioc_nv *nv)
5291 nvlist_t *nvl = NULL;
5292 void *nvlpacked = NULL;
5295 #define ERROUT(x) do { error = (x); goto on_error; } while (0)
5297 if (nv->len > pf_ioctl_maxcount)
5300 nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
5301 if (nvlpacked == NULL)
5304 error = copyin(nv->data, nvlpacked, nv->len);
5308 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
5312 if (! nvlist_exists_bool(nvl, "keep_counters"))
5315 V_pf_status.keep_counters = nvlist_get_bool(nvl, "keep_counters");
5318 nvlist_destroy(nvl);
5319 free(nvlpacked, M_TEMP);
5324 * XXX - Check for version missmatch!!!
5328 * Duplicate pfctl -Fa operation to get rid of as much as we can.
5338 if ((error = pf_begin_rules(&t[0], PF_RULESET_SCRUB, &nn))
5340 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: SCRUB\n"));
5343 if ((error = pf_begin_rules(&t[1], PF_RULESET_FILTER, &nn))
5345 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: FILTER\n"));
5346 break; /* XXX: rollback? */
5348 if ((error = pf_begin_rules(&t[2], PF_RULESET_NAT, &nn))
5350 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: NAT\n"));
5351 break; /* XXX: rollback? */
5353 if ((error = pf_begin_rules(&t[3], PF_RULESET_BINAT, &nn))
5355 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: BINAT\n"));
5356 break; /* XXX: rollback? */
5358 if ((error = pf_begin_rules(&t[4], PF_RULESET_RDR, &nn))
5360 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: RDR\n"));
5361 break; /* XXX: rollback? */
5364 /* XXX: these should always succeed here */
5365 pf_commit_rules(t[0], PF_RULESET_SCRUB, &nn);
5366 pf_commit_rules(t[1], PF_RULESET_FILTER, &nn);
5367 pf_commit_rules(t[2], PF_RULESET_NAT, &nn);
5368 pf_commit_rules(t[3], PF_RULESET_BINAT, &nn);
5369 pf_commit_rules(t[4], PF_RULESET_RDR, &nn);
5371 if ((error = pf_clear_tables()) != 0)
5375 if ((error = pf_begin_altq(&t[0])) != 0) {
5376 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: ALTQ\n"));
5379 pf_commit_altq(t[0]);
5384 pf_clear_srcnodes(NULL);
5386 /* status does not use malloced mem so no need to cleanup */
5387 /* fingerprints and interfaces have their own cleanup code */
5393 static pfil_return_t
5394 pf_check_return(int chk, struct mbuf **m)
5400 return (PFIL_CONSUMED);
5409 return (PFIL_DROPPED);
5414 static pfil_return_t
5415 pf_check_in(struct mbuf **m, struct ifnet *ifp, int flags,
5416 void *ruleset __unused, struct inpcb *inp)
5420 chk = pf_test(PF_IN, flags, ifp, m, inp);
5422 return (pf_check_return(chk, m));
5425 static pfil_return_t
5426 pf_check_out(struct mbuf **m, struct ifnet *ifp, int flags,
5427 void *ruleset __unused, struct inpcb *inp)
5431 chk = pf_test(PF_OUT, flags, ifp, m, inp);
5433 return (pf_check_return(chk, m));
5438 static pfil_return_t
5439 pf_check6_in(struct mbuf **m, struct ifnet *ifp, int flags,
5440 void *ruleset __unused, struct inpcb *inp)
5445 * In case of loopback traffic IPv6 uses the real interface in
5446 * order to support scoped addresses. In order to support stateful
5447 * filtering we have change this to lo0 as it is the case in IPv4.
5449 CURVNET_SET(ifp->if_vnet);
5450 chk = pf_test6(PF_IN, flags, (*m)->m_flags & M_LOOP ? V_loif : ifp, m, inp);
5453 return (pf_check_return(chk, m));
5456 static pfil_return_t
5457 pf_check6_out(struct mbuf **m, struct ifnet *ifp, int flags,
5458 void *ruleset __unused, struct inpcb *inp)
5462 CURVNET_SET(ifp->if_vnet);
5463 chk = pf_test6(PF_OUT, flags, ifp, m, inp);
5466 return (pf_check_return(chk, m));
5471 VNET_DEFINE_STATIC(pfil_hook_t, pf_ip4_in_hook);
5472 VNET_DEFINE_STATIC(pfil_hook_t, pf_ip4_out_hook);
5473 #define V_pf_ip4_in_hook VNET(pf_ip4_in_hook)
5474 #define V_pf_ip4_out_hook VNET(pf_ip4_out_hook)
5477 VNET_DEFINE_STATIC(pfil_hook_t, pf_ip6_in_hook);
5478 VNET_DEFINE_STATIC(pfil_hook_t, pf_ip6_out_hook);
5479 #define V_pf_ip6_in_hook VNET(pf_ip6_in_hook)
5480 #define V_pf_ip6_out_hook VNET(pf_ip6_out_hook)
5486 struct pfil_hook_args pha;
5487 struct pfil_link_args pla;
5490 if (V_pf_pfil_hooked)
5493 pha.pa_version = PFIL_VERSION;
5494 pha.pa_modname = "pf";
5495 pha.pa_ruleset = NULL;
5497 pla.pa_version = PFIL_VERSION;
5500 pha.pa_type = PFIL_TYPE_IP4;
5501 pha.pa_func = pf_check_in;
5502 pha.pa_flags = PFIL_IN;
5503 pha.pa_rulname = "default-in";
5504 V_pf_ip4_in_hook = pfil_add_hook(&pha);
5505 pla.pa_flags = PFIL_IN | PFIL_HEADPTR | PFIL_HOOKPTR;
5506 pla.pa_head = V_inet_pfil_head;
5507 pla.pa_hook = V_pf_ip4_in_hook;
5508 ret = pfil_link(&pla);
5510 pha.pa_func = pf_check_out;
5511 pha.pa_flags = PFIL_OUT;
5512 pha.pa_rulname = "default-out";
5513 V_pf_ip4_out_hook = pfil_add_hook(&pha);
5514 pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
5515 pla.pa_head = V_inet_pfil_head;
5516 pla.pa_hook = V_pf_ip4_out_hook;
5517 ret = pfil_link(&pla);
5521 pha.pa_type = PFIL_TYPE_IP6;
5522 pha.pa_func = pf_check6_in;
5523 pha.pa_flags = PFIL_IN;
5524 pha.pa_rulname = "default-in6";
5525 V_pf_ip6_in_hook = pfil_add_hook(&pha);
5526 pla.pa_flags = PFIL_IN | PFIL_HEADPTR | PFIL_HOOKPTR;
5527 pla.pa_head = V_inet6_pfil_head;
5528 pla.pa_hook = V_pf_ip6_in_hook;
5529 ret = pfil_link(&pla);
5531 pha.pa_func = pf_check6_out;
5532 pha.pa_rulname = "default-out6";
5533 pha.pa_flags = PFIL_OUT;
5534 V_pf_ip6_out_hook = pfil_add_hook(&pha);
5535 pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
5536 pla.pa_head = V_inet6_pfil_head;
5537 pla.pa_hook = V_pf_ip6_out_hook;
5538 ret = pfil_link(&pla);
5542 V_pf_pfil_hooked = 1;
5549 if (V_pf_pfil_hooked == 0)
5553 pfil_remove_hook(V_pf_ip4_in_hook);
5554 pfil_remove_hook(V_pf_ip4_out_hook);
5557 pfil_remove_hook(V_pf_ip6_in_hook);
5558 pfil_remove_hook(V_pf_ip6_out_hook);
5561 V_pf_pfil_hooked = 0;
5567 V_pf_tag_z = uma_zcreate("pf tags", sizeof(struct pf_tagname),
5568 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
5570 pf_init_tagset(&V_pf_tags, &pf_rule_tag_hashsize,
5571 PF_RULE_TAG_HASH_SIZE_DEFAULT);
5573 pf_init_tagset(&V_pf_qids, &pf_queue_tag_hashsize,
5574 PF_QUEUE_TAG_HASH_SIZE_DEFAULT);
5578 V_pf_vnet_active = 1;
5586 rm_init(&pf_rules_lock, "pf rulesets");
5587 sx_init(&pf_ioctl_lock, "pf ioctl");
5588 sx_init(&pf_end_lock, "pf end thread");
5590 pf_mtag_initialize();
5592 pf_dev = make_dev(&pf_cdevsw, 0, UID_ROOT, GID_WHEEL, 0600, PF_NAME);
5597 error = kproc_create(pf_purge_thread, NULL, &pf_purge_proc, 0, 0, "pf purge");
5607 pf_unload_vnet(void)
5611 V_pf_vnet_active = 0;
5612 V_pf_status.running = 0;
5619 ret = swi_remove(V_pf_swi_cookie);
5621 ret = intr_event_destroy(V_pf_swi_ie);
5624 pf_unload_vnet_purge();
5626 pf_normalize_cleanup();
5633 if (IS_DEFAULT_VNET(curvnet))
5636 pf_cleanup_tagset(&V_pf_tags);
5638 pf_cleanup_tagset(&V_pf_qids);
5640 uma_zdestroy(V_pf_tag_z);
5642 /* Free counters last as we updated them during shutdown. */
5643 counter_u64_free(V_pf_default_rule.evaluations);
5644 for (int i = 0; i < 2; i++) {
5645 counter_u64_free(V_pf_default_rule.packets[i]);
5646 counter_u64_free(V_pf_default_rule.bytes[i]);
5648 counter_u64_free(V_pf_default_rule.states_cur);
5649 counter_u64_free(V_pf_default_rule.states_tot);
5650 counter_u64_free(V_pf_default_rule.src_nodes);
5652 for (int i = 0; i < PFRES_MAX; i++)
5653 counter_u64_free(V_pf_status.counters[i]);
5654 for (int i = 0; i < LCNT_MAX; i++)
5655 counter_u64_free(V_pf_status.lcounters[i]);
5656 for (int i = 0; i < FCNT_MAX; i++)
5657 counter_u64_free(V_pf_status.fcounters[i]);
5658 for (int i = 0; i < SCNT_MAX; i++)
5659 counter_u64_free(V_pf_status.scounters[i]);
5666 sx_xlock(&pf_end_lock);
5668 while (pf_end_threads < 2) {
5669 wakeup_one(pf_purge_thread);
5670 sx_sleep(pf_purge_proc, &pf_end_lock, 0, "pftmo", 0);
5672 sx_xunlock(&pf_end_lock);
5675 destroy_dev(pf_dev);
5679 rm_destroy(&pf_rules_lock);
5680 sx_destroy(&pf_ioctl_lock);
5681 sx_destroy(&pf_end_lock);
5685 vnet_pf_init(void *unused __unused)
5690 VNET_SYSINIT(vnet_pf_init, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD,
5691 vnet_pf_init, NULL);
5694 vnet_pf_uninit(const void *unused __unused)
5699 SYSUNINIT(pf_unload, SI_SUB_PROTO_FIREWALL, SI_ORDER_SECOND, pf_unload, NULL);
5700 VNET_SYSUNINIT(vnet_pf_uninit, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD,
5701 vnet_pf_uninit, NULL);
5704 pf_modevent(module_t mod, int type, void *data)
5713 /* Handled in SYSUNINIT(pf_unload) to ensure it's done after
5714 * the vnet_pf_uninit()s */
5724 static moduledata_t pf_mod = {
5730 DECLARE_MODULE(pf, pf_mod, SI_SUB_PROTO_FIREWALL, SI_ORDER_SECOND);
5731 MODULE_VERSION(pf, PF_MODVER);
projects / FreeBSD / FreeBSD.git / blob