2 * Copyright (c) 2002 Cedric Berger
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * - Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * - Redistributions in binary form must reproduce the above
12 * copyright notice, this list of conditions and the following
13 * disclaimer in the documentation and/or other materials provided
14 * with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
17 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
18 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
19 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
20 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
22 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
24 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
26 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
29 * $OpenBSD: pf_table.c,v 1.79 2008/10/08 06:24:50 mcbride Exp $
32 #include <sys/cdefs.h>
33 __FBSDID("$FreeBSD$");
36 #include "opt_inet6.h"
38 #include <sys/param.h>
39 #include <sys/kernel.h>
41 #include <sys/malloc.h>
43 #include <sys/mutex.h>
44 #include <sys/refcount.h>
45 #include <sys/rwlock.h>
46 #include <sys/socket.h>
51 #include <net/pfvar.h>
53 #define ACCEPT_FLAGS(flags, oklist) \
55 if ((flags & ~(oklist)) & \
60 #define FILLIN_SIN(sin, addr) \
62 (sin).sin_len = sizeof(sin); \
63 (sin).sin_family = AF_INET; \
64 (sin).sin_addr = (addr); \
67 #define FILLIN_SIN6(sin6, addr) \
69 (sin6).sin6_len = sizeof(sin6); \
70 (sin6).sin6_family = AF_INET6; \
71 (sin6).sin6_addr = (addr); \
74 #define SWAP(type, a1, a2) \
81 #define SUNION2PF(su, af) (((af)==AF_INET) ? \
82 (struct pf_addr *)&(su)->sin.sin_addr : \
83 (struct pf_addr *)&(su)->sin6.sin6_addr)
85 #define AF_BITS(af) (((af)==AF_INET)?32:128)
86 #define ADDR_NETWORK(ad) ((ad)->pfra_net < AF_BITS((ad)->pfra_af))
87 #define KENTRY_NETWORK(ke) ((ke)->pfrke_net < AF_BITS((ke)->pfrke_af))
88 #define KENTRY_RNF_ROOT(ke) \
89 ((((struct radix_node *)(ke))->rn_flags & RNF_ROOT) != 0)
91 #define NO_ADDRESSES (-1)
92 #define ENQUEUE_UNMARKED_ONLY (1)
93 #define INVERT_NEG_FLAG (1)
106 struct pfr_addr *pfrw1_addr;
107 struct pfr_astats *pfrw1_astats;
108 struct pfr_kentryworkq *pfrw1_workq;
109 struct pfr_kentry *pfrw1_kentry;
110 struct pfi_dynaddr *pfrw1_dyn;
114 #define pfrw_addr pfrw_1.pfrw1_addr
115 #define pfrw_astats pfrw_1.pfrw1_astats
116 #define pfrw_workq pfrw_1.pfrw1_workq
117 #define pfrw_kentry pfrw_1.pfrw1_kentry
118 #define pfrw_dyn pfrw_1.pfrw1_dyn
119 #define pfrw_cnt pfrw_free
121 #define senderr(e) do { rv = (e); goto _bad; } while (0)
123 static MALLOC_DEFINE(M_PFTABLE, "pf_table", "pf(4) tables structures");
124 static VNET_DEFINE(uma_zone_t, pfr_kentry_z);
125 #define V_pfr_kentry_z VNET(pfr_kentry_z)
126 static VNET_DEFINE(uma_zone_t, pfr_kcounters_z);
127 #define V_pfr_kcounters_z VNET(pfr_kcounters_z)
129 static struct pf_addr pfr_ffaddr = {
130 .addr32 = { 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff }
133 static void pfr_copyout_addr(struct pfr_addr *,
134 struct pfr_kentry *ke);
135 static int pfr_validate_addr(struct pfr_addr *);
136 static void pfr_enqueue_addrs(struct pfr_ktable *,
137 struct pfr_kentryworkq *, int *, int);
138 static void pfr_mark_addrs(struct pfr_ktable *);
139 static struct pfr_kentry
140 *pfr_lookup_addr(struct pfr_ktable *,
141 struct pfr_addr *, int);
142 static struct pfr_kentry *pfr_create_kentry(struct pfr_addr *);
143 static void pfr_destroy_kentries(struct pfr_kentryworkq *);
144 static void pfr_destroy_kentry(struct pfr_kentry *);
145 static void pfr_insert_kentries(struct pfr_ktable *,
146 struct pfr_kentryworkq *, long);
147 static void pfr_remove_kentries(struct pfr_ktable *,
148 struct pfr_kentryworkq *);
149 static void pfr_clstats_kentries(struct pfr_kentryworkq *, long,
151 static void pfr_reset_feedback(struct pfr_addr *, int);
152 static void pfr_prepare_network(union sockaddr_union *, int, int);
153 static int pfr_route_kentry(struct pfr_ktable *,
154 struct pfr_kentry *);
155 static int pfr_unroute_kentry(struct pfr_ktable *,
156 struct pfr_kentry *);
157 static int pfr_walktree(struct radix_node *, void *);
158 static int pfr_validate_table(struct pfr_table *, int, int);
159 static int pfr_fix_anchor(char *);
160 static void pfr_commit_ktable(struct pfr_ktable *, long);
161 static void pfr_insert_ktables(struct pfr_ktableworkq *);
162 static void pfr_insert_ktable(struct pfr_ktable *);
163 static void pfr_setflags_ktables(struct pfr_ktableworkq *);
164 static void pfr_setflags_ktable(struct pfr_ktable *, int);
165 static void pfr_clstats_ktables(struct pfr_ktableworkq *, long,
167 static void pfr_clstats_ktable(struct pfr_ktable *, long, int);
168 static struct pfr_ktable
169 *pfr_create_ktable(struct pfr_table *, long, int);
170 static void pfr_destroy_ktables(struct pfr_ktableworkq *, int);
171 static void pfr_destroy_ktable(struct pfr_ktable *, int);
172 static int pfr_ktable_compare(struct pfr_ktable *,
173 struct pfr_ktable *);
174 static struct pfr_ktable
175 *pfr_lookup_table(struct pfr_table *);
176 static void pfr_clean_node_mask(struct pfr_ktable *,
177 struct pfr_kentryworkq *);
178 static int pfr_table_count(struct pfr_table *, int);
179 static int pfr_skip_table(struct pfr_table *,
180 struct pfr_ktable *, int);
181 static struct pfr_kentry
182 *pfr_kentry_byidx(struct pfr_ktable *, int, int);
184 static RB_PROTOTYPE(pfr_ktablehead, pfr_ktable, pfrkt_tree, pfr_ktable_compare);
185 static RB_GENERATE(pfr_ktablehead, pfr_ktable, pfrkt_tree, pfr_ktable_compare);
187 struct pfr_ktablehead pfr_ktables;
188 struct pfr_table pfr_nulltable;
195 V_pfr_kentry_z = uma_zcreate("pf table entries",
196 sizeof(struct pfr_kentry), NULL, NULL, NULL, NULL, UMA_ALIGN_PTR,
198 V_pfr_kcounters_z = uma_zcreate("pf table counters",
199 sizeof(struct pfr_kcounters), NULL, NULL, NULL, NULL,
201 V_pf_limits[PF_LIMIT_TABLE_ENTRIES].zone = V_pfr_kentry_z;
202 V_pf_limits[PF_LIMIT_TABLE_ENTRIES].limit = PFR_KENTRY_HIWAT;
209 uma_zdestroy(V_pfr_kentry_z);
210 uma_zdestroy(V_pfr_kcounters_z);
214 pfr_clr_addrs(struct pfr_table *tbl, int *ndel, int flags)
216 struct pfr_ktable *kt;
217 struct pfr_kentryworkq workq;
221 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
222 if (pfr_validate_table(tbl, 0, flags & PFR_FLAG_USERIOCTL))
224 kt = pfr_lookup_table(tbl);
225 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
227 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
229 pfr_enqueue_addrs(kt, &workq, ndel, 0);
231 if (!(flags & PFR_FLAG_DUMMY)) {
232 pfr_remove_kentries(kt, &workq);
233 KASSERT(kt->pfrkt_cnt == 0, ("%s: non-null pfrkt_cnt", __func__));
239 pfr_add_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
240 int *nadd, int flags)
242 struct pfr_ktable *kt, *tmpkt;
243 struct pfr_kentryworkq workq;
244 struct pfr_kentry *p, *q;
247 long tzero = time_second;
251 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_FEEDBACK);
252 if (pfr_validate_table(tbl, 0, flags & PFR_FLAG_USERIOCTL))
254 kt = pfr_lookup_table(tbl);
255 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
257 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
259 tmpkt = pfr_create_ktable(&pfr_nulltable, 0, 0);
263 for (i = 0, ad = addr; i < size; i++, ad++) {
264 if (pfr_validate_addr(ad))
266 p = pfr_lookup_addr(kt, ad, 1);
267 q = pfr_lookup_addr(tmpkt, ad, 1);
268 if (flags & PFR_FLAG_FEEDBACK) {
270 ad->pfra_fback = PFR_FB_DUPLICATE;
272 ad->pfra_fback = PFR_FB_ADDED;
273 else if (p->pfrke_not != ad->pfra_not)
274 ad->pfra_fback = PFR_FB_CONFLICT;
276 ad->pfra_fback = PFR_FB_NONE;
278 if (p == NULL && q == NULL) {
279 p = pfr_create_kentry(ad);
282 if (pfr_route_kentry(tmpkt, p)) {
283 pfr_destroy_kentry(p);
284 ad->pfra_fback = PFR_FB_NONE;
286 SLIST_INSERT_HEAD(&workq, p, pfrke_workq);
291 pfr_clean_node_mask(tmpkt, &workq);
292 if (!(flags & PFR_FLAG_DUMMY))
293 pfr_insert_kentries(kt, &workq, tzero);
295 pfr_destroy_kentries(&workq);
298 pfr_destroy_ktable(tmpkt, 0);
301 pfr_clean_node_mask(tmpkt, &workq);
302 pfr_destroy_kentries(&workq);
303 if (flags & PFR_FLAG_FEEDBACK)
304 pfr_reset_feedback(addr, size);
305 pfr_destroy_ktable(tmpkt, 0);
310 pfr_del_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
311 int *ndel, int flags)
313 struct pfr_ktable *kt;
314 struct pfr_kentryworkq workq;
315 struct pfr_kentry *p;
317 int i, rv, xdel = 0, log = 1;
321 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_FEEDBACK);
322 if (pfr_validate_table(tbl, 0, flags & PFR_FLAG_USERIOCTL))
324 kt = pfr_lookup_table(tbl);
325 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
327 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
330 * there are two algorithms to choose from here.
332 * n: number of addresses to delete
333 * N: number of addresses in the table
335 * one is O(N) and is better for large 'n'
336 * one is O(n*LOG(N)) and is better for small 'n'
338 * following code try to decide which one is best.
340 for (i = kt->pfrkt_cnt; i > 0; i >>= 1)
342 if (size > kt->pfrkt_cnt/log) {
343 /* full table scan */
346 /* iterate over addresses to delete */
347 for (i = 0, ad = addr; i < size; i++, ad++) {
348 if (pfr_validate_addr(ad))
350 p = pfr_lookup_addr(kt, ad, 1);
356 for (i = 0, ad = addr; i < size; i++, ad++) {
357 if (pfr_validate_addr(ad))
359 p = pfr_lookup_addr(kt, ad, 1);
360 if (flags & PFR_FLAG_FEEDBACK) {
362 ad->pfra_fback = PFR_FB_NONE;
363 else if (p->pfrke_not != ad->pfra_not)
364 ad->pfra_fback = PFR_FB_CONFLICT;
365 else if (p->pfrke_mark)
366 ad->pfra_fback = PFR_FB_DUPLICATE;
368 ad->pfra_fback = PFR_FB_DELETED;
370 if (p != NULL && p->pfrke_not == ad->pfra_not &&
373 SLIST_INSERT_HEAD(&workq, p, pfrke_workq);
377 if (!(flags & PFR_FLAG_DUMMY))
378 pfr_remove_kentries(kt, &workq);
383 if (flags & PFR_FLAG_FEEDBACK)
384 pfr_reset_feedback(addr, size);
389 pfr_set_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
390 int *size2, int *nadd, int *ndel, int *nchange, int flags,
391 u_int32_t ignore_pfrt_flags)
393 struct pfr_ktable *kt, *tmpkt;
394 struct pfr_kentryworkq addq, delq, changeq;
395 struct pfr_kentry *p, *q;
397 int i, rv, xadd = 0, xdel = 0, xchange = 0;
398 long tzero = time_second;
402 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_FEEDBACK);
403 if (pfr_validate_table(tbl, ignore_pfrt_flags, flags &
406 kt = pfr_lookup_table(tbl);
407 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
409 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
411 tmpkt = pfr_create_ktable(&pfr_nulltable, 0, 0);
417 SLIST_INIT(&changeq);
418 for (i = 0; i < size; i++) {
420 * XXXGL: undertand pf_if usage of this function
421 * and make ad a moving pointer
423 bcopy(addr + i, &ad, sizeof(ad));
424 if (pfr_validate_addr(&ad))
426 ad.pfra_fback = PFR_FB_NONE;
427 p = pfr_lookup_addr(kt, &ad, 1);
430 ad.pfra_fback = PFR_FB_DUPLICATE;
434 if (p->pfrke_not != ad.pfra_not) {
435 SLIST_INSERT_HEAD(&changeq, p, pfrke_workq);
436 ad.pfra_fback = PFR_FB_CHANGED;
440 q = pfr_lookup_addr(tmpkt, &ad, 1);
442 ad.pfra_fback = PFR_FB_DUPLICATE;
445 p = pfr_create_kentry(&ad);
448 if (pfr_route_kentry(tmpkt, p)) {
449 pfr_destroy_kentry(p);
450 ad.pfra_fback = PFR_FB_NONE;
452 SLIST_INSERT_HEAD(&addq, p, pfrke_workq);
453 ad.pfra_fback = PFR_FB_ADDED;
458 if (flags & PFR_FLAG_FEEDBACK)
459 bcopy(&ad, addr + i, sizeof(ad));
461 pfr_enqueue_addrs(kt, &delq, &xdel, ENQUEUE_UNMARKED_ONLY);
462 if ((flags & PFR_FLAG_FEEDBACK) && *size2) {
463 if (*size2 < size+xdel) {
468 SLIST_FOREACH(p, &delq, pfrke_workq) {
469 pfr_copyout_addr(&ad, p);
470 ad.pfra_fback = PFR_FB_DELETED;
471 bcopy(&ad, addr + size + i, sizeof(ad));
475 pfr_clean_node_mask(tmpkt, &addq);
476 if (!(flags & PFR_FLAG_DUMMY)) {
477 pfr_insert_kentries(kt, &addq, tzero);
478 pfr_remove_kentries(kt, &delq);
479 pfr_clstats_kentries(&changeq, tzero, INVERT_NEG_FLAG);
481 pfr_destroy_kentries(&addq);
488 if ((flags & PFR_FLAG_FEEDBACK) && size2)
490 pfr_destroy_ktable(tmpkt, 0);
493 pfr_clean_node_mask(tmpkt, &addq);
494 pfr_destroy_kentries(&addq);
495 if (flags & PFR_FLAG_FEEDBACK)
496 pfr_reset_feedback(addr, size);
497 pfr_destroy_ktable(tmpkt, 0);
502 pfr_tst_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
503 int *nmatch, int flags)
505 struct pfr_ktable *kt;
506 struct pfr_kentry *p;
512 ACCEPT_FLAGS(flags, PFR_FLAG_REPLACE);
513 if (pfr_validate_table(tbl, 0, 0))
515 kt = pfr_lookup_table(tbl);
516 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
519 for (i = 0, ad = addr; i < size; i++, ad++) {
520 if (pfr_validate_addr(ad))
522 if (ADDR_NETWORK(ad))
524 p = pfr_lookup_addr(kt, ad, 0);
525 if (flags & PFR_FLAG_REPLACE)
526 pfr_copyout_addr(ad, p);
527 ad->pfra_fback = (p == NULL) ? PFR_FB_NONE :
528 (p->pfrke_not ? PFR_FB_NOTMATCH : PFR_FB_MATCH);
529 if (p != NULL && !p->pfrke_not)
538 pfr_get_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int *size,
541 struct pfr_ktable *kt;
542 struct pfr_walktree w;
547 ACCEPT_FLAGS(flags, 0);
548 if (pfr_validate_table(tbl, 0, 0))
550 kt = pfr_lookup_table(tbl);
551 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
553 if (kt->pfrkt_cnt > *size) {
554 *size = kt->pfrkt_cnt;
558 bzero(&w, sizeof(w));
559 w.pfrw_op = PFRW_GET_ADDRS;
561 w.pfrw_free = kt->pfrkt_cnt;
562 rv = kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh, pfr_walktree, &w);
564 rv = kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh,
569 KASSERT(w.pfrw_free == 0, ("%s: corruption detected (%d)", __func__,
572 *size = kt->pfrkt_cnt;
577 pfr_get_astats(struct pfr_table *tbl, struct pfr_astats *addr, int *size,
580 struct pfr_ktable *kt;
581 struct pfr_walktree w;
582 struct pfr_kentryworkq workq;
584 long tzero = time_second;
588 /* XXX PFR_FLAG_CLSTATS disabled */
589 ACCEPT_FLAGS(flags, 0);
590 if (pfr_validate_table(tbl, 0, 0))
592 kt = pfr_lookup_table(tbl);
593 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
595 if (kt->pfrkt_cnt > *size) {
596 *size = kt->pfrkt_cnt;
600 bzero(&w, sizeof(w));
601 w.pfrw_op = PFRW_GET_ASTATS;
602 w.pfrw_astats = addr;
603 w.pfrw_free = kt->pfrkt_cnt;
604 rv = kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh, pfr_walktree, &w);
606 rv = kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh,
608 if (!rv && (flags & PFR_FLAG_CLSTATS)) {
609 pfr_enqueue_addrs(kt, &workq, NULL, 0);
610 pfr_clstats_kentries(&workq, tzero, 0);
616 printf("pfr_get_astats: corruption detected (%d).\n",
620 *size = kt->pfrkt_cnt;
625 pfr_clr_astats(struct pfr_table *tbl, struct pfr_addr *addr, int size,
626 int *nzero, int flags)
628 struct pfr_ktable *kt;
629 struct pfr_kentryworkq workq;
630 struct pfr_kentry *p;
632 int i, rv, xzero = 0;
636 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_FEEDBACK);
637 if (pfr_validate_table(tbl, 0, 0))
639 kt = pfr_lookup_table(tbl);
640 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
643 for (i = 0, ad = addr; i < size; i++, ad++) {
644 if (pfr_validate_addr(ad))
646 p = pfr_lookup_addr(kt, ad, 1);
647 if (flags & PFR_FLAG_FEEDBACK) {
648 ad->pfra_fback = (p != NULL) ?
649 PFR_FB_CLEARED : PFR_FB_NONE;
652 SLIST_INSERT_HEAD(&workq, p, pfrke_workq);
657 if (!(flags & PFR_FLAG_DUMMY))
658 pfr_clstats_kentries(&workq, 0, 0);
663 if (flags & PFR_FLAG_FEEDBACK)
664 pfr_reset_feedback(addr, size);
669 pfr_validate_addr(struct pfr_addr *ad)
673 switch (ad->pfra_af) {
676 if (ad->pfra_net > 32)
682 if (ad->pfra_net > 128)
689 if (ad->pfra_net < 128 &&
690 (((caddr_t)ad)[ad->pfra_net/8] & (0xFF >> (ad->pfra_net%8))))
692 for (i = (ad->pfra_net+7)/8; i < sizeof(ad->pfra_u); i++)
693 if (((caddr_t)ad)[i])
695 if (ad->pfra_not && ad->pfra_not != 1)
703 pfr_enqueue_addrs(struct pfr_ktable *kt, struct pfr_kentryworkq *workq,
704 int *naddr, int sweep)
706 struct pfr_walktree w;
709 bzero(&w, sizeof(w));
710 w.pfrw_op = sweep ? PFRW_SWEEP : PFRW_ENQUEUE;
711 w.pfrw_workq = workq;
712 if (kt->pfrkt_ip4 != NULL)
713 if (kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh,
715 printf("pfr_enqueue_addrs: IPv4 walktree failed.\n");
716 if (kt->pfrkt_ip6 != NULL)
717 if (kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh,
719 printf("pfr_enqueue_addrs: IPv6 walktree failed.\n");
725 pfr_mark_addrs(struct pfr_ktable *kt)
727 struct pfr_walktree w;
729 bzero(&w, sizeof(w));
730 w.pfrw_op = PFRW_MARK;
731 if (kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh, pfr_walktree, &w))
732 printf("pfr_mark_addrs: IPv4 walktree failed.\n");
733 if (kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh, pfr_walktree, &w))
734 printf("pfr_mark_addrs: IPv6 walktree failed.\n");
738 static struct pfr_kentry *
739 pfr_lookup_addr(struct pfr_ktable *kt, struct pfr_addr *ad, int exact)
741 union sockaddr_union sa, mask;
742 struct radix_head *head = NULL;
743 struct pfr_kentry *ke;
747 bzero(&sa, sizeof(sa));
748 if (ad->pfra_af == AF_INET) {
749 FILLIN_SIN(sa.sin, ad->pfra_ip4addr);
750 head = &kt->pfrkt_ip4->rh;
751 } else if ( ad->pfra_af == AF_INET6 ) {
752 FILLIN_SIN6(sa.sin6, ad->pfra_ip6addr);
753 head = &kt->pfrkt_ip6->rh;
755 if (ADDR_NETWORK(ad)) {
756 pfr_prepare_network(&mask, ad->pfra_af, ad->pfra_net);
757 ke = (struct pfr_kentry *)rn_lookup(&sa, &mask, head);
758 if (ke && KENTRY_RNF_ROOT(ke))
761 ke = (struct pfr_kentry *)rn_match(&sa, head);
762 if (ke && KENTRY_RNF_ROOT(ke))
764 if (exact && ke && KENTRY_NETWORK(ke))
770 static struct pfr_kentry *
771 pfr_create_kentry(struct pfr_addr *ad)
773 struct pfr_kentry *ke;
775 ke = uma_zalloc(V_pfr_kentry_z, M_NOWAIT | M_ZERO);
779 if (ad->pfra_af == AF_INET)
780 FILLIN_SIN(ke->pfrke_sa.sin, ad->pfra_ip4addr);
781 else if (ad->pfra_af == AF_INET6)
782 FILLIN_SIN6(ke->pfrke_sa.sin6, ad->pfra_ip6addr);
783 ke->pfrke_af = ad->pfra_af;
784 ke->pfrke_net = ad->pfra_net;
785 ke->pfrke_not = ad->pfra_not;
790 pfr_destroy_kentries(struct pfr_kentryworkq *workq)
792 struct pfr_kentry *p, *q;
794 for (p = SLIST_FIRST(workq); p != NULL; p = q) {
795 q = SLIST_NEXT(p, pfrke_workq);
796 pfr_destroy_kentry(p);
801 pfr_destroy_kentry(struct pfr_kentry *ke)
803 if (ke->pfrke_counters)
804 uma_zfree(V_pfr_kcounters_z, ke->pfrke_counters);
805 uma_zfree(V_pfr_kentry_z, ke);
809 pfr_insert_kentries(struct pfr_ktable *kt,
810 struct pfr_kentryworkq *workq, long tzero)
812 struct pfr_kentry *p;
815 SLIST_FOREACH(p, workq, pfrke_workq) {
816 rv = pfr_route_kentry(kt, p);
818 printf("pfr_insert_kentries: cannot route entry "
822 p->pfrke_tzero = tzero;
829 pfr_insert_kentry(struct pfr_ktable *kt, struct pfr_addr *ad, long tzero)
831 struct pfr_kentry *p;
834 p = pfr_lookup_addr(kt, ad, 1);
837 p = pfr_create_kentry(ad);
841 rv = pfr_route_kentry(kt, p);
845 p->pfrke_tzero = tzero;
852 pfr_remove_kentries(struct pfr_ktable *kt,
853 struct pfr_kentryworkq *workq)
855 struct pfr_kentry *p;
858 SLIST_FOREACH(p, workq, pfrke_workq) {
859 pfr_unroute_kentry(kt, p);
863 pfr_destroy_kentries(workq);
867 pfr_clean_node_mask(struct pfr_ktable *kt,
868 struct pfr_kentryworkq *workq)
870 struct pfr_kentry *p;
872 SLIST_FOREACH(p, workq, pfrke_workq)
873 pfr_unroute_kentry(kt, p);
877 pfr_clstats_kentries(struct pfr_kentryworkq *workq, long tzero, int negchange)
879 struct pfr_kentry *p;
881 SLIST_FOREACH(p, workq, pfrke_workq) {
883 p->pfrke_not = !p->pfrke_not;
884 if (p->pfrke_counters) {
885 uma_zfree(V_pfr_kcounters_z, p->pfrke_counters);
886 p->pfrke_counters = NULL;
888 p->pfrke_tzero = tzero;
893 pfr_reset_feedback(struct pfr_addr *addr, int size)
898 for (i = 0, ad = addr; i < size; i++, ad++)
899 ad->pfra_fback = PFR_FB_NONE;
903 pfr_prepare_network(union sockaddr_union *sa, int af, int net)
907 bzero(sa, sizeof(*sa));
909 sa->sin.sin_len = sizeof(sa->sin);
910 sa->sin.sin_family = AF_INET;
911 sa->sin.sin_addr.s_addr = net ? htonl(-1 << (32-net)) : 0;
912 } else if (af == AF_INET6) {
913 sa->sin6.sin6_len = sizeof(sa->sin6);
914 sa->sin6.sin6_family = AF_INET6;
915 for (i = 0; i < 4; i++) {
917 sa->sin6.sin6_addr.s6_addr32[i] =
918 net ? htonl(-1 << (32-net)) : 0;
921 sa->sin6.sin6_addr.s6_addr32[i] = 0xFFFFFFFF;
928 pfr_route_kentry(struct pfr_ktable *kt, struct pfr_kentry *ke)
930 union sockaddr_union mask;
931 struct radix_node *rn;
932 struct radix_head *head = NULL;
936 bzero(ke->pfrke_node, sizeof(ke->pfrke_node));
937 if (ke->pfrke_af == AF_INET)
938 head = &kt->pfrkt_ip4->rh;
939 else if (ke->pfrke_af == AF_INET6)
940 head = &kt->pfrkt_ip6->rh;
942 if (KENTRY_NETWORK(ke)) {
943 pfr_prepare_network(&mask, ke->pfrke_af, ke->pfrke_net);
944 rn = rn_addroute(&ke->pfrke_sa, &mask, head, ke->pfrke_node);
946 rn = rn_addroute(&ke->pfrke_sa, NULL, head, ke->pfrke_node);
948 return (rn == NULL ? -1 : 0);
952 pfr_unroute_kentry(struct pfr_ktable *kt, struct pfr_kentry *ke)
954 union sockaddr_union mask;
955 struct radix_node *rn;
956 struct radix_head *head = NULL;
958 if (ke->pfrke_af == AF_INET)
959 head = &kt->pfrkt_ip4->rh;
960 else if (ke->pfrke_af == AF_INET6)
961 head = &kt->pfrkt_ip6->rh;
963 if (KENTRY_NETWORK(ke)) {
964 pfr_prepare_network(&mask, ke->pfrke_af, ke->pfrke_net);
965 rn = rn_delete(&ke->pfrke_sa, &mask, head);
967 rn = rn_delete(&ke->pfrke_sa, NULL, head);
970 printf("pfr_unroute_kentry: delete failed.\n");
977 pfr_copyout_addr(struct pfr_addr *ad, struct pfr_kentry *ke)
979 bzero(ad, sizeof(*ad));
982 ad->pfra_af = ke->pfrke_af;
983 ad->pfra_net = ke->pfrke_net;
984 ad->pfra_not = ke->pfrke_not;
985 if (ad->pfra_af == AF_INET)
986 ad->pfra_ip4addr = ke->pfrke_sa.sin.sin_addr;
987 else if (ad->pfra_af == AF_INET6)
988 ad->pfra_ip6addr = ke->pfrke_sa.sin6.sin6_addr;
992 pfr_walktree(struct radix_node *rn, void *arg)
994 struct pfr_kentry *ke = (struct pfr_kentry *)rn;
995 struct pfr_walktree *w = arg;
997 switch (w->pfrw_op) {
1006 SLIST_INSERT_HEAD(w->pfrw_workq, ke, pfrke_workq);
1009 case PFRW_GET_ADDRS:
1010 if (w->pfrw_free-- > 0) {
1011 pfr_copyout_addr(w->pfrw_addr, ke);
1015 case PFRW_GET_ASTATS:
1016 if (w->pfrw_free-- > 0) {
1017 struct pfr_astats as;
1019 pfr_copyout_addr(&as.pfras_a, ke);
1021 if (ke->pfrke_counters) {
1022 bcopy(ke->pfrke_counters->pfrkc_packets,
1023 as.pfras_packets, sizeof(as.pfras_packets));
1024 bcopy(ke->pfrke_counters->pfrkc_bytes,
1025 as.pfras_bytes, sizeof(as.pfras_bytes));
1027 bzero(as.pfras_packets, sizeof(as.pfras_packets));
1028 bzero(as.pfras_bytes, sizeof(as.pfras_bytes));
1029 as.pfras_a.pfra_fback = PFR_FB_NOCOUNT;
1031 as.pfras_tzero = ke->pfrke_tzero;
1033 bcopy(&as, w->pfrw_astats, sizeof(as));
1039 break; /* negative entries are ignored */
1040 if (!w->pfrw_cnt--) {
1041 w->pfrw_kentry = ke;
1042 return (1); /* finish search */
1045 case PFRW_DYNADDR_UPDATE:
1047 union sockaddr_union pfr_mask;
1049 if (ke->pfrke_af == AF_INET) {
1050 if (w->pfrw_dyn->pfid_acnt4++ > 0)
1052 pfr_prepare_network(&pfr_mask, AF_INET, ke->pfrke_net);
1053 w->pfrw_dyn->pfid_addr4 = *SUNION2PF(&ke->pfrke_sa,
1055 w->pfrw_dyn->pfid_mask4 = *SUNION2PF(&pfr_mask,
1057 } else if (ke->pfrke_af == AF_INET6){
1058 if (w->pfrw_dyn->pfid_acnt6++ > 0)
1060 pfr_prepare_network(&pfr_mask, AF_INET6, ke->pfrke_net);
1061 w->pfrw_dyn->pfid_addr6 = *SUNION2PF(&ke->pfrke_sa,
1063 w->pfrw_dyn->pfid_mask6 = *SUNION2PF(&pfr_mask,
1073 pfr_clr_tables(struct pfr_table *filter, int *ndel, int flags)
1075 struct pfr_ktableworkq workq;
1076 struct pfr_ktable *p;
1079 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_ALLRSETS);
1080 if (pfr_fix_anchor(filter->pfrt_anchor))
1082 if (pfr_table_count(filter, flags) < 0)
1086 RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {
1087 if (pfr_skip_table(filter, p, flags))
1089 if (!strcmp(p->pfrkt_anchor, PF_RESERVED_ANCHOR))
1091 if (!(p->pfrkt_flags & PFR_TFLAG_ACTIVE))
1093 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_ACTIVE;
1094 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1097 if (!(flags & PFR_FLAG_DUMMY))
1098 pfr_setflags_ktables(&workq);
1105 pfr_add_tables(struct pfr_table *tbl, int size, int *nadd, int flags)
1107 struct pfr_ktableworkq addq, changeq;
1108 struct pfr_ktable *p, *q, *r, key;
1109 int i, rv, xadd = 0;
1110 long tzero = time_second;
1112 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1114 SLIST_INIT(&changeq);
1115 for (i = 0; i < size; i++) {
1116 bcopy(tbl+i, &key.pfrkt_t, sizeof(key.pfrkt_t));
1117 if (pfr_validate_table(&key.pfrkt_t, PFR_TFLAG_USRMASK,
1118 flags & PFR_FLAG_USERIOCTL))
1120 key.pfrkt_flags |= PFR_TFLAG_ACTIVE;
1121 p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key);
1123 p = pfr_create_ktable(&key.pfrkt_t, tzero, 1);
1126 SLIST_FOREACH(q, &addq, pfrkt_workq) {
1127 if (!pfr_ktable_compare(p, q))
1130 SLIST_INSERT_HEAD(&addq, p, pfrkt_workq);
1132 if (!key.pfrkt_anchor[0])
1135 /* find or create root table */
1136 bzero(key.pfrkt_anchor, sizeof(key.pfrkt_anchor));
1137 r = RB_FIND(pfr_ktablehead, &pfr_ktables, &key);
1142 SLIST_FOREACH(q, &addq, pfrkt_workq) {
1143 if (!pfr_ktable_compare(&key, q)) {
1148 key.pfrkt_flags = 0;
1149 r = pfr_create_ktable(&key.pfrkt_t, 0, 1);
1152 SLIST_INSERT_HEAD(&addq, r, pfrkt_workq);
1154 } else if (!(p->pfrkt_flags & PFR_TFLAG_ACTIVE)) {
1155 SLIST_FOREACH(q, &changeq, pfrkt_workq)
1156 if (!pfr_ktable_compare(&key, q))
1158 p->pfrkt_nflags = (p->pfrkt_flags &
1159 ~PFR_TFLAG_USRMASK) | key.pfrkt_flags;
1160 SLIST_INSERT_HEAD(&changeq, p, pfrkt_workq);
1166 if (!(flags & PFR_FLAG_DUMMY)) {
1167 pfr_insert_ktables(&addq);
1168 pfr_setflags_ktables(&changeq);
1170 pfr_destroy_ktables(&addq, 0);
1175 pfr_destroy_ktables(&addq, 0);
1180 pfr_del_tables(struct pfr_table *tbl, int size, int *ndel, int flags)
1182 struct pfr_ktableworkq workq;
1183 struct pfr_ktable *p, *q, key;
1186 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1188 for (i = 0; i < size; i++) {
1189 bcopy(tbl+i, &key.pfrkt_t, sizeof(key.pfrkt_t));
1190 if (pfr_validate_table(&key.pfrkt_t, 0,
1191 flags & PFR_FLAG_USERIOCTL))
1193 p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key);
1194 if (p != NULL && (p->pfrkt_flags & PFR_TFLAG_ACTIVE)) {
1195 SLIST_FOREACH(q, &workq, pfrkt_workq)
1196 if (!pfr_ktable_compare(p, q))
1198 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_ACTIVE;
1199 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1206 if (!(flags & PFR_FLAG_DUMMY))
1207 pfr_setflags_ktables(&workq);
1214 pfr_get_tables(struct pfr_table *filter, struct pfr_table *tbl, int *size,
1217 struct pfr_ktable *p;
1222 ACCEPT_FLAGS(flags, PFR_FLAG_ALLRSETS);
1223 if (pfr_fix_anchor(filter->pfrt_anchor))
1225 n = nn = pfr_table_count(filter, flags);
1232 RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {
1233 if (pfr_skip_table(filter, p, flags))
1237 bcopy(&p->pfrkt_t, tbl++, sizeof(*tbl));
1240 KASSERT(n == 0, ("%s: corruption detected (%d)", __func__, n));
1247 pfr_get_tstats(struct pfr_table *filter, struct pfr_tstats *tbl, int *size,
1250 struct pfr_ktable *p;
1251 struct pfr_ktableworkq workq;
1253 long tzero = time_second;
1255 /* XXX PFR_FLAG_CLSTATS disabled */
1256 ACCEPT_FLAGS(flags, PFR_FLAG_ALLRSETS);
1257 if (pfr_fix_anchor(filter->pfrt_anchor))
1259 n = nn = pfr_table_count(filter, flags);
1267 RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {
1268 if (pfr_skip_table(filter, p, flags))
1272 bcopy(&p->pfrkt_ts, tbl++, sizeof(*tbl));
1273 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1275 if (flags & PFR_FLAG_CLSTATS)
1276 pfr_clstats_ktables(&workq, tzero,
1277 flags & PFR_FLAG_ADDRSTOO);
1279 KASSERT(n == 0, ("%s: corruption detected (%d)", __func__, n));
1286 pfr_clr_tstats(struct pfr_table *tbl, int size, int *nzero, int flags)
1288 struct pfr_ktableworkq workq;
1289 struct pfr_ktable *p, key;
1291 long tzero = time_second;
1293 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_ADDRSTOO);
1295 for (i = 0; i < size; i++) {
1296 bcopy(tbl + i, &key.pfrkt_t, sizeof(key.pfrkt_t));
1297 if (pfr_validate_table(&key.pfrkt_t, 0, 0))
1299 p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key);
1301 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1305 if (!(flags & PFR_FLAG_DUMMY))
1306 pfr_clstats_ktables(&workq, tzero, flags & PFR_FLAG_ADDRSTOO);
1313 pfr_set_tflags(struct pfr_table *tbl, int size, int setflag, int clrflag,
1314 int *nchange, int *ndel, int flags)
1316 struct pfr_ktableworkq workq;
1317 struct pfr_ktable *p, *q, key;
1318 int i, xchange = 0, xdel = 0;
1320 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1321 if ((setflag & ~PFR_TFLAG_USRMASK) ||
1322 (clrflag & ~PFR_TFLAG_USRMASK) ||
1323 (setflag & clrflag))
1326 for (i = 0; i < size; i++) {
1327 bcopy(tbl + i, &key.pfrkt_t, sizeof(key.pfrkt_t));
1328 if (pfr_validate_table(&key.pfrkt_t, 0,
1329 flags & PFR_FLAG_USERIOCTL))
1331 p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key);
1332 if (p != NULL && (p->pfrkt_flags & PFR_TFLAG_ACTIVE)) {
1333 p->pfrkt_nflags = (p->pfrkt_flags | setflag) &
1335 if (p->pfrkt_nflags == p->pfrkt_flags)
1337 SLIST_FOREACH(q, &workq, pfrkt_workq)
1338 if (!pfr_ktable_compare(p, q))
1340 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1341 if ((p->pfrkt_flags & PFR_TFLAG_PERSIST) &&
1342 (clrflag & PFR_TFLAG_PERSIST) &&
1343 !(p->pfrkt_flags & PFR_TFLAG_REFERENCED))
1351 if (!(flags & PFR_FLAG_DUMMY))
1352 pfr_setflags_ktables(&workq);
1353 if (nchange != NULL)
1361 pfr_ina_begin(struct pfr_table *trs, u_int32_t *ticket, int *ndel, int flags)
1363 struct pfr_ktableworkq workq;
1364 struct pfr_ktable *p;
1365 struct pf_ruleset *rs;
1368 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1369 rs = pf_find_or_create_ruleset(trs->pfrt_anchor);
1373 RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {
1374 if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) ||
1375 pfr_skip_table(trs, p, 0))
1377 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_INACTIVE;
1378 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1381 if (!(flags & PFR_FLAG_DUMMY)) {
1382 pfr_setflags_ktables(&workq);
1384 *ticket = ++rs->tticket;
1387 pf_remove_if_empty_ruleset(rs);
1394 pfr_ina_define(struct pfr_table *tbl, struct pfr_addr *addr, int size,
1395 int *nadd, int *naddr, u_int32_t ticket, int flags)
1397 struct pfr_ktableworkq tableq;
1398 struct pfr_kentryworkq addrq;
1399 struct pfr_ktable *kt, *rt, *shadow, key;
1400 struct pfr_kentry *p;
1401 struct pfr_addr *ad;
1402 struct pf_ruleset *rs;
1403 int i, rv, xadd = 0, xaddr = 0;
1407 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_ADDRSTOO);
1408 if (size && !(flags & PFR_FLAG_ADDRSTOO))
1410 if (pfr_validate_table(tbl, PFR_TFLAG_USRMASK,
1411 flags & PFR_FLAG_USERIOCTL))
1413 rs = pf_find_ruleset(tbl->pfrt_anchor);
1414 if (rs == NULL || !rs->topen || ticket != rs->tticket)
1416 tbl->pfrt_flags |= PFR_TFLAG_INACTIVE;
1417 SLIST_INIT(&tableq);
1418 kt = RB_FIND(pfr_ktablehead, &pfr_ktables, (struct pfr_ktable *)tbl);
1420 kt = pfr_create_ktable(tbl, 0, 1);
1423 SLIST_INSERT_HEAD(&tableq, kt, pfrkt_workq);
1425 if (!tbl->pfrt_anchor[0])
1428 /* find or create root table */
1429 bzero(&key, sizeof(key));
1430 strlcpy(key.pfrkt_name, tbl->pfrt_name, sizeof(key.pfrkt_name));
1431 rt = RB_FIND(pfr_ktablehead, &pfr_ktables, &key);
1433 kt->pfrkt_root = rt;
1436 rt = pfr_create_ktable(&key.pfrkt_t, 0, 1);
1438 pfr_destroy_ktables(&tableq, 0);
1441 SLIST_INSERT_HEAD(&tableq, rt, pfrkt_workq);
1442 kt->pfrkt_root = rt;
1443 } else if (!(kt->pfrkt_flags & PFR_TFLAG_INACTIVE))
1446 shadow = pfr_create_ktable(tbl, 0, 0);
1447 if (shadow == NULL) {
1448 pfr_destroy_ktables(&tableq, 0);
1452 for (i = 0, ad = addr; i < size; i++, ad++) {
1453 if (pfr_validate_addr(ad))
1455 if (pfr_lookup_addr(shadow, ad, 1) != NULL)
1457 p = pfr_create_kentry(ad);
1460 if (pfr_route_kentry(shadow, p)) {
1461 pfr_destroy_kentry(p);
1464 SLIST_INSERT_HEAD(&addrq, p, pfrke_workq);
1467 if (!(flags & PFR_FLAG_DUMMY)) {
1468 if (kt->pfrkt_shadow != NULL)
1469 pfr_destroy_ktable(kt->pfrkt_shadow, 1);
1470 kt->pfrkt_flags |= PFR_TFLAG_INACTIVE;
1471 pfr_insert_ktables(&tableq);
1472 shadow->pfrkt_cnt = (flags & PFR_FLAG_ADDRSTOO) ?
1473 xaddr : NO_ADDRESSES;
1474 kt->pfrkt_shadow = shadow;
1476 pfr_clean_node_mask(shadow, &addrq);
1477 pfr_destroy_ktable(shadow, 0);
1478 pfr_destroy_ktables(&tableq, 0);
1479 pfr_destroy_kentries(&addrq);
1487 pfr_destroy_ktable(shadow, 0);
1488 pfr_destroy_ktables(&tableq, 0);
1489 pfr_destroy_kentries(&addrq);
1494 pfr_ina_rollback(struct pfr_table *trs, u_int32_t ticket, int *ndel, int flags)
1496 struct pfr_ktableworkq workq;
1497 struct pfr_ktable *p;
1498 struct pf_ruleset *rs;
1503 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1504 rs = pf_find_ruleset(trs->pfrt_anchor);
1505 if (rs == NULL || !rs->topen || ticket != rs->tticket)
1508 RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {
1509 if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) ||
1510 pfr_skip_table(trs, p, 0))
1512 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_INACTIVE;
1513 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1516 if (!(flags & PFR_FLAG_DUMMY)) {
1517 pfr_setflags_ktables(&workq);
1519 pf_remove_if_empty_ruleset(rs);
1527 pfr_ina_commit(struct pfr_table *trs, u_int32_t ticket, int *nadd,
1528 int *nchange, int flags)
1530 struct pfr_ktable *p, *q;
1531 struct pfr_ktableworkq workq;
1532 struct pf_ruleset *rs;
1533 int xadd = 0, xchange = 0;
1534 long tzero = time_second;
1538 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1539 rs = pf_find_ruleset(trs->pfrt_anchor);
1540 if (rs == NULL || !rs->topen || ticket != rs->tticket)
1544 RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {
1545 if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) ||
1546 pfr_skip_table(trs, p, 0))
1548 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1549 if (p->pfrkt_flags & PFR_TFLAG_ACTIVE)
1555 if (!(flags & PFR_FLAG_DUMMY)) {
1556 for (p = SLIST_FIRST(&workq); p != NULL; p = q) {
1557 q = SLIST_NEXT(p, pfrkt_workq);
1558 pfr_commit_ktable(p, tzero);
1561 pf_remove_if_empty_ruleset(rs);
1565 if (nchange != NULL)
1572 pfr_commit_ktable(struct pfr_ktable *kt, long tzero)
1574 struct pfr_ktable *shadow = kt->pfrkt_shadow;
1579 if (shadow->pfrkt_cnt == NO_ADDRESSES) {
1580 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
1581 pfr_clstats_ktable(kt, tzero, 1);
1582 } else if (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) {
1583 /* kt might contain addresses */
1584 struct pfr_kentryworkq addrq, addq, changeq, delq, garbageq;
1585 struct pfr_kentry *p, *q, *next;
1588 pfr_enqueue_addrs(shadow, &addrq, NULL, 0);
1591 SLIST_INIT(&changeq);
1593 SLIST_INIT(&garbageq);
1594 pfr_clean_node_mask(shadow, &addrq);
1595 for (p = SLIST_FIRST(&addrq); p != NULL; p = next) {
1596 next = SLIST_NEXT(p, pfrke_workq); /* XXX */
1597 pfr_copyout_addr(&ad, p);
1598 q = pfr_lookup_addr(kt, &ad, 1);
1600 if (q->pfrke_not != p->pfrke_not)
1601 SLIST_INSERT_HEAD(&changeq, q,
1604 SLIST_INSERT_HEAD(&garbageq, p, pfrke_workq);
1606 p->pfrke_tzero = tzero;
1607 SLIST_INSERT_HEAD(&addq, p, pfrke_workq);
1610 pfr_enqueue_addrs(kt, &delq, NULL, ENQUEUE_UNMARKED_ONLY);
1611 pfr_insert_kentries(kt, &addq, tzero);
1612 pfr_remove_kentries(kt, &delq);
1613 pfr_clstats_kentries(&changeq, tzero, INVERT_NEG_FLAG);
1614 pfr_destroy_kentries(&garbageq);
1616 /* kt cannot contain addresses */
1617 SWAP(struct radix_node_head *, kt->pfrkt_ip4,
1619 SWAP(struct radix_node_head *, kt->pfrkt_ip6,
1621 SWAP(int, kt->pfrkt_cnt, shadow->pfrkt_cnt);
1622 pfr_clstats_ktable(kt, tzero, 1);
1624 nflags = ((shadow->pfrkt_flags & PFR_TFLAG_USRMASK) |
1625 (kt->pfrkt_flags & PFR_TFLAG_SETMASK) | PFR_TFLAG_ACTIVE)
1626 & ~PFR_TFLAG_INACTIVE;
1627 pfr_destroy_ktable(shadow, 0);
1628 kt->pfrkt_shadow = NULL;
1629 pfr_setflags_ktable(kt, nflags);
1633 pfr_validate_table(struct pfr_table *tbl, int allowedflags, int no_reserved)
1637 if (!tbl->pfrt_name[0])
1639 if (no_reserved && !strcmp(tbl->pfrt_anchor, PF_RESERVED_ANCHOR))
1641 if (tbl->pfrt_name[PF_TABLE_NAME_SIZE-1])
1643 for (i = strlen(tbl->pfrt_name); i < PF_TABLE_NAME_SIZE; i++)
1644 if (tbl->pfrt_name[i])
1646 if (pfr_fix_anchor(tbl->pfrt_anchor))
1648 if (tbl->pfrt_flags & ~allowedflags)
1654 * Rewrite anchors referenced by tables to remove slashes
1655 * and check for validity.
1658 pfr_fix_anchor(char *anchor)
1660 size_t siz = MAXPATHLEN;
1663 if (anchor[0] == '/') {
1669 while (*++path == '/')
1671 bcopy(path, anchor, siz - off);
1672 memset(anchor + siz - off, 0, off);
1674 if (anchor[siz - 1])
1676 for (i = strlen(anchor); i < siz; i++)
1683 pfr_table_count(struct pfr_table *filter, int flags)
1685 struct pf_ruleset *rs;
1689 if (flags & PFR_FLAG_ALLRSETS)
1690 return (pfr_ktable_cnt);
1691 if (filter->pfrt_anchor[0]) {
1692 rs = pf_find_ruleset(filter->pfrt_anchor);
1693 return ((rs != NULL) ? rs->tables : -1);
1695 return (pf_main_ruleset.tables);
1699 pfr_skip_table(struct pfr_table *filter, struct pfr_ktable *kt, int flags)
1701 if (flags & PFR_FLAG_ALLRSETS)
1703 if (strcmp(filter->pfrt_anchor, kt->pfrkt_anchor))
1709 pfr_insert_ktables(struct pfr_ktableworkq *workq)
1711 struct pfr_ktable *p;
1713 SLIST_FOREACH(p, workq, pfrkt_workq)
1714 pfr_insert_ktable(p);
1718 pfr_insert_ktable(struct pfr_ktable *kt)
1723 RB_INSERT(pfr_ktablehead, &pfr_ktables, kt);
1725 if (kt->pfrkt_root != NULL)
1726 if (!kt->pfrkt_root->pfrkt_refcnt[PFR_REFCNT_ANCHOR]++)
1727 pfr_setflags_ktable(kt->pfrkt_root,
1728 kt->pfrkt_root->pfrkt_flags|PFR_TFLAG_REFDANCHOR);
1732 pfr_setflags_ktables(struct pfr_ktableworkq *workq)
1734 struct pfr_ktable *p, *q;
1736 for (p = SLIST_FIRST(workq); p; p = q) {
1737 q = SLIST_NEXT(p, pfrkt_workq);
1738 pfr_setflags_ktable(p, p->pfrkt_nflags);
1743 pfr_setflags_ktable(struct pfr_ktable *kt, int newf)
1745 struct pfr_kentryworkq addrq;
1749 if (!(newf & PFR_TFLAG_REFERENCED) &&
1750 !(newf & PFR_TFLAG_PERSIST))
1751 newf &= ~PFR_TFLAG_ACTIVE;
1752 if (!(newf & PFR_TFLAG_ACTIVE))
1753 newf &= ~PFR_TFLAG_USRMASK;
1754 if (!(newf & PFR_TFLAG_SETMASK)) {
1755 RB_REMOVE(pfr_ktablehead, &pfr_ktables, kt);
1756 if (kt->pfrkt_root != NULL)
1757 if (!--kt->pfrkt_root->pfrkt_refcnt[PFR_REFCNT_ANCHOR])
1758 pfr_setflags_ktable(kt->pfrkt_root,
1759 kt->pfrkt_root->pfrkt_flags &
1760 ~PFR_TFLAG_REFDANCHOR);
1761 pfr_destroy_ktable(kt, 1);
1765 if (!(newf & PFR_TFLAG_ACTIVE) && kt->pfrkt_cnt) {
1766 pfr_enqueue_addrs(kt, &addrq, NULL, 0);
1767 pfr_remove_kentries(kt, &addrq);
1769 if (!(newf & PFR_TFLAG_INACTIVE) && kt->pfrkt_shadow != NULL) {
1770 pfr_destroy_ktable(kt->pfrkt_shadow, 1);
1771 kt->pfrkt_shadow = NULL;
1773 kt->pfrkt_flags = newf;
1777 pfr_clstats_ktables(struct pfr_ktableworkq *workq, long tzero, int recurse)
1779 struct pfr_ktable *p;
1781 SLIST_FOREACH(p, workq, pfrkt_workq)
1782 pfr_clstats_ktable(p, tzero, recurse);
1786 pfr_clstats_ktable(struct pfr_ktable *kt, long tzero, int recurse)
1788 struct pfr_kentryworkq addrq;
1791 pfr_enqueue_addrs(kt, &addrq, NULL, 0);
1792 pfr_clstats_kentries(&addrq, tzero, 0);
1794 bzero(kt->pfrkt_packets, sizeof(kt->pfrkt_packets));
1795 bzero(kt->pfrkt_bytes, sizeof(kt->pfrkt_bytes));
1796 kt->pfrkt_match = kt->pfrkt_nomatch = 0;
1797 kt->pfrkt_tzero = tzero;
1800 static struct pfr_ktable *
1801 pfr_create_ktable(struct pfr_table *tbl, long tzero, int attachruleset)
1803 struct pfr_ktable *kt;
1804 struct pf_ruleset *rs;
1808 kt = malloc(sizeof(*kt), M_PFTABLE, M_NOWAIT|M_ZERO);
1813 if (attachruleset) {
1814 rs = pf_find_or_create_ruleset(tbl->pfrt_anchor);
1816 pfr_destroy_ktable(kt, 0);
1823 if (!rn_inithead((void **)&kt->pfrkt_ip4,
1824 offsetof(struct sockaddr_in, sin_addr) * 8) ||
1825 !rn_inithead((void **)&kt->pfrkt_ip6,
1826 offsetof(struct sockaddr_in6, sin6_addr) * 8)) {
1827 pfr_destroy_ktable(kt, 0);
1830 kt->pfrkt_tzero = tzero;
1836 pfr_destroy_ktables(struct pfr_ktableworkq *workq, int flushaddr)
1838 struct pfr_ktable *p, *q;
1840 for (p = SLIST_FIRST(workq); p; p = q) {
1841 q = SLIST_NEXT(p, pfrkt_workq);
1842 pfr_destroy_ktable(p, flushaddr);
1847 pfr_destroy_ktable(struct pfr_ktable *kt, int flushaddr)
1849 struct pfr_kentryworkq addrq;
1852 pfr_enqueue_addrs(kt, &addrq, NULL, 0);
1853 pfr_clean_node_mask(kt, &addrq);
1854 pfr_destroy_kentries(&addrq);
1856 if (kt->pfrkt_ip4 != NULL)
1857 rn_detachhead((void **)&kt->pfrkt_ip4);
1858 if (kt->pfrkt_ip6 != NULL)
1859 rn_detachhead((void **)&kt->pfrkt_ip6);
1860 if (kt->pfrkt_shadow != NULL)
1861 pfr_destroy_ktable(kt->pfrkt_shadow, flushaddr);
1862 if (kt->pfrkt_rs != NULL) {
1863 kt->pfrkt_rs->tables--;
1864 pf_remove_if_empty_ruleset(kt->pfrkt_rs);
1866 free(kt, M_PFTABLE);
1870 pfr_ktable_compare(struct pfr_ktable *p, struct pfr_ktable *q)
1874 if ((d = strncmp(p->pfrkt_name, q->pfrkt_name, PF_TABLE_NAME_SIZE)))
1876 return (strcmp(p->pfrkt_anchor, q->pfrkt_anchor));
1879 static struct pfr_ktable *
1880 pfr_lookup_table(struct pfr_table *tbl)
1882 /* struct pfr_ktable start like a struct pfr_table */
1883 return (RB_FIND(pfr_ktablehead, &pfr_ktables,
1884 (struct pfr_ktable *)tbl));
1888 pfr_match_addr(struct pfr_ktable *kt, struct pf_addr *a, sa_family_t af)
1890 struct pfr_kentry *ke = NULL;
1895 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
1896 kt = kt->pfrkt_root;
1897 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
1904 struct sockaddr_in sin;
1906 bzero(&sin, sizeof(sin));
1907 sin.sin_len = sizeof(sin);
1908 sin.sin_family = AF_INET;
1909 sin.sin_addr.s_addr = a->addr32[0];
1910 ke = (struct pfr_kentry *)rn_match(&sin, &kt->pfrkt_ip4->rh);
1911 if (ke && KENTRY_RNF_ROOT(ke))
1919 struct sockaddr_in6 sin6;
1921 bzero(&sin6, sizeof(sin6));
1922 sin6.sin6_len = sizeof(sin6);
1923 sin6.sin6_family = AF_INET6;
1924 bcopy(a, &sin6.sin6_addr, sizeof(sin6.sin6_addr));
1925 ke = (struct pfr_kentry *)rn_match(&sin6, &kt->pfrkt_ip6->rh);
1926 if (ke && KENTRY_RNF_ROOT(ke))
1932 match = (ke && !ke->pfrke_not);
1936 kt->pfrkt_nomatch++;
1941 pfr_update_stats(struct pfr_ktable *kt, struct pf_addr *a, sa_family_t af,
1942 u_int64_t len, int dir_out, int op_pass, int notrule)
1944 struct pfr_kentry *ke = NULL;
1946 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
1947 kt = kt->pfrkt_root;
1948 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
1955 struct sockaddr_in sin;
1957 bzero(&sin, sizeof(sin));
1958 sin.sin_len = sizeof(sin);
1959 sin.sin_family = AF_INET;
1960 sin.sin_addr.s_addr = a->addr32[0];
1961 ke = (struct pfr_kentry *)rn_match(&sin, &kt->pfrkt_ip4->rh);
1962 if (ke && KENTRY_RNF_ROOT(ke))
1970 struct sockaddr_in6 sin6;
1972 bzero(&sin6, sizeof(sin6));
1973 sin6.sin6_len = sizeof(sin6);
1974 sin6.sin6_family = AF_INET6;
1975 bcopy(a, &sin6.sin6_addr, sizeof(sin6.sin6_addr));
1976 ke = (struct pfr_kentry *)rn_match(&sin6, &kt->pfrkt_ip6->rh);
1977 if (ke && KENTRY_RNF_ROOT(ke))
1983 panic("%s: unknown address family %u", __func__, af);
1985 if ((ke == NULL || ke->pfrke_not) != notrule) {
1986 if (op_pass != PFR_OP_PASS)
1987 printf("pfr_update_stats: assertion failed.\n");
1988 op_pass = PFR_OP_XPASS;
1990 kt->pfrkt_packets[dir_out][op_pass]++;
1991 kt->pfrkt_bytes[dir_out][op_pass] += len;
1992 if (ke != NULL && op_pass != PFR_OP_XPASS &&
1993 (kt->pfrkt_flags & PFR_TFLAG_COUNTERS)) {
1994 if (ke->pfrke_counters == NULL)
1995 ke->pfrke_counters = uma_zalloc(V_pfr_kcounters_z,
1997 if (ke->pfrke_counters != NULL) {
1998 ke->pfrke_counters->pfrkc_packets[dir_out][op_pass]++;
1999 ke->pfrke_counters->pfrkc_bytes[dir_out][op_pass] += len;
2005 pfr_attach_table(struct pf_ruleset *rs, char *name)
2007 struct pfr_ktable *kt, *rt;
2008 struct pfr_table tbl;
2009 struct pf_anchor *ac = rs->anchor;
2013 bzero(&tbl, sizeof(tbl));
2014 strlcpy(tbl.pfrt_name, name, sizeof(tbl.pfrt_name));
2016 strlcpy(tbl.pfrt_anchor, ac->path, sizeof(tbl.pfrt_anchor));
2017 kt = pfr_lookup_table(&tbl);
2019 kt = pfr_create_ktable(&tbl, time_second, 1);
2023 bzero(tbl.pfrt_anchor, sizeof(tbl.pfrt_anchor));
2024 rt = pfr_lookup_table(&tbl);
2026 rt = pfr_create_ktable(&tbl, 0, 1);
2028 pfr_destroy_ktable(kt, 0);
2031 pfr_insert_ktable(rt);
2033 kt->pfrkt_root = rt;
2035 pfr_insert_ktable(kt);
2037 if (!kt->pfrkt_refcnt[PFR_REFCNT_RULE]++)
2038 pfr_setflags_ktable(kt, kt->pfrkt_flags|PFR_TFLAG_REFERENCED);
2043 pfr_detach_table(struct pfr_ktable *kt)
2047 KASSERT(kt->pfrkt_refcnt[PFR_REFCNT_RULE] > 0, ("%s: refcount %d\n",
2048 __func__, kt->pfrkt_refcnt[PFR_REFCNT_RULE]));
2050 if (!--kt->pfrkt_refcnt[PFR_REFCNT_RULE])
2051 pfr_setflags_ktable(kt, kt->pfrkt_flags&~PFR_TFLAG_REFERENCED);
2055 pfr_pool_get(struct pfr_ktable *kt, int *pidx, struct pf_addr *counter,
2058 struct pf_addr *addr, *cur, *mask;
2059 union sockaddr_union uaddr, umask;
2060 struct pfr_kentry *ke, *ke2 = NULL;
2061 int idx = -1, use_counter = 0;
2065 uaddr.sin.sin_len = sizeof(struct sockaddr_in);
2066 uaddr.sin.sin_family = AF_INET;
2069 uaddr.sin6.sin6_len = sizeof(struct sockaddr_in6);
2070 uaddr.sin6.sin6_family = AF_INET6;
2073 addr = SUNION2PF(&uaddr, af);
2075 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
2076 kt = kt->pfrkt_root;
2077 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
2082 if (counter != NULL && idx >= 0)
2088 ke = pfr_kentry_byidx(kt, idx, af);
2090 kt->pfrkt_nomatch++;
2093 pfr_prepare_network(&umask, af, ke->pfrke_net);
2094 cur = SUNION2PF(&ke->pfrke_sa, af);
2095 mask = SUNION2PF(&umask, af);
2098 /* is supplied address within block? */
2099 if (!PF_MATCHA(0, cur, mask, counter, af)) {
2100 /* no, go to next block in table */
2105 PF_ACPY(addr, counter, af);
2107 /* use first address of block */
2108 PF_ACPY(addr, cur, af);
2111 if (!KENTRY_NETWORK(ke)) {
2112 /* this is a single IP address - no possible nested block */
2113 PF_ACPY(counter, addr, af);
2119 /* we don't want to use a nested block */
2122 ke2 = (struct pfr_kentry *)rn_match(&uaddr,
2123 &kt->pfrkt_ip4->rh);
2126 ke2 = (struct pfr_kentry *)rn_match(&uaddr,
2127 &kt->pfrkt_ip6->rh);
2130 /* no need to check KENTRY_RNF_ROOT() here */
2132 /* lookup return the same block - perfect */
2133 PF_ACPY(counter, addr, af);
2139 /* we need to increase the counter past the nested block */
2140 pfr_prepare_network(&umask, AF_INET, ke2->pfrke_net);
2141 PF_POOLMASK(addr, addr, SUNION2PF(&umask, af), &pfr_ffaddr, af);
2143 if (!PF_MATCHA(0, cur, mask, addr, af)) {
2144 /* ok, we reached the end of our main block */
2145 /* go to next block in table */
2153 static struct pfr_kentry *
2154 pfr_kentry_byidx(struct pfr_ktable *kt, int idx, int af)
2156 struct pfr_walktree w;
2158 bzero(&w, sizeof(w));
2159 w.pfrw_op = PFRW_POOL_GET;
2165 kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh, pfr_walktree, &w);
2166 return (w.pfrw_kentry);
2170 kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh, pfr_walktree, &w);
2171 return (w.pfrw_kentry);
2179 pfr_dynaddr_update(struct pfr_ktable *kt, struct pfi_dynaddr *dyn)
2181 struct pfr_walktree w;
2183 bzero(&w, sizeof(w));
2184 w.pfrw_op = PFRW_DYNADDR_UPDATE;
2187 dyn->pfid_acnt4 = 0;
2188 dyn->pfid_acnt6 = 0;
2189 if (!dyn->pfid_af || dyn->pfid_af == AF_INET)
2190 kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh, pfr_walktree, &w);
2191 if (!dyn->pfid_af || dyn->pfid_af == AF_INET6)
2192 kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh, pfr_walktree, &w);
projects / FreeBSD / FreeBSD.git / blob