2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2002 Cedric Berger
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * - Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * - Redistributions in binary form must reproduce the above
14 * copyright notice, this list of conditions and the following
15 * disclaimer in the documentation and/or other materials provided
16 * with the distribution.
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
31 * $OpenBSD: pf_table.c,v 1.79 2008/10/08 06:24:50 mcbride Exp $
34 #include <sys/cdefs.h>
35 __FBSDID("$FreeBSD$");
38 #include "opt_inet6.h"
40 #include <sys/param.h>
41 #include <sys/kernel.h>
43 #include <sys/malloc.h>
45 #include <sys/mutex.h>
46 #include <sys/refcount.h>
47 #include <sys/rwlock.h>
48 #include <sys/socket.h>
53 #include <net/pfvar.h>
55 #define ACCEPT_FLAGS(flags, oklist) \
57 if ((flags & ~(oklist)) & \
62 #define FILLIN_SIN(sin, addr) \
64 (sin).sin_len = sizeof(sin); \
65 (sin).sin_family = AF_INET; \
66 (sin).sin_addr = (addr); \
69 #define FILLIN_SIN6(sin6, addr) \
71 (sin6).sin6_len = sizeof(sin6); \
72 (sin6).sin6_family = AF_INET6; \
73 (sin6).sin6_addr = (addr); \
76 #define SWAP(type, a1, a2) \
83 #define SUNION2PF(su, af) (((af)==AF_INET) ? \
84 (struct pf_addr *)&(su)->sin.sin_addr : \
85 (struct pf_addr *)&(su)->sin6.sin6_addr)
87 #define AF_BITS(af) (((af)==AF_INET)?32:128)
88 #define ADDR_NETWORK(ad) ((ad)->pfra_net < AF_BITS((ad)->pfra_af))
89 #define KENTRY_NETWORK(ke) ((ke)->pfrke_net < AF_BITS((ke)->pfrke_af))
90 #define KENTRY_RNF_ROOT(ke) \
91 ((((struct radix_node *)(ke))->rn_flags & RNF_ROOT) != 0)
93 #define NO_ADDRESSES (-1)
94 #define ENQUEUE_UNMARKED_ONLY (1)
95 #define INVERT_NEG_FLAG (1)
108 struct pfr_addr *pfrw1_addr;
109 struct pfr_astats *pfrw1_astats;
110 struct pfr_kentryworkq *pfrw1_workq;
111 struct pfr_kentry *pfrw1_kentry;
112 struct pfi_dynaddr *pfrw1_dyn;
116 #define pfrw_addr pfrw_1.pfrw1_addr
117 #define pfrw_astats pfrw_1.pfrw1_astats
118 #define pfrw_workq pfrw_1.pfrw1_workq
119 #define pfrw_kentry pfrw_1.pfrw1_kentry
120 #define pfrw_dyn pfrw_1.pfrw1_dyn
121 #define pfrw_cnt pfrw_free
123 #define senderr(e) do { rv = (e); goto _bad; } while (0)
125 static MALLOC_DEFINE(M_PFTABLE, "pf_table", "pf(4) tables structures");
126 static VNET_DEFINE(uma_zone_t, pfr_kentry_z);
127 #define V_pfr_kentry_z VNET(pfr_kentry_z)
128 static VNET_DEFINE(uma_zone_t, pfr_kcounters_z);
129 #define V_pfr_kcounters_z VNET(pfr_kcounters_z)
131 static struct pf_addr pfr_ffaddr = {
132 .addr32 = { 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff }
135 static void pfr_copyout_addr(struct pfr_addr *,
136 struct pfr_kentry *ke);
137 static int pfr_validate_addr(struct pfr_addr *);
138 static void pfr_enqueue_addrs(struct pfr_ktable *,
139 struct pfr_kentryworkq *, int *, int);
140 static void pfr_mark_addrs(struct pfr_ktable *);
141 static struct pfr_kentry
142 *pfr_lookup_addr(struct pfr_ktable *,
143 struct pfr_addr *, int);
144 static struct pfr_kentry *pfr_create_kentry(struct pfr_addr *);
145 static void pfr_destroy_kentries(struct pfr_kentryworkq *);
146 static void pfr_destroy_kentry(struct pfr_kentry *);
147 static void pfr_insert_kentries(struct pfr_ktable *,
148 struct pfr_kentryworkq *, long);
149 static void pfr_remove_kentries(struct pfr_ktable *,
150 struct pfr_kentryworkq *);
151 static void pfr_clstats_kentries(struct pfr_kentryworkq *, long,
153 static void pfr_reset_feedback(struct pfr_addr *, int);
154 static void pfr_prepare_network(union sockaddr_union *, int, int);
155 static int pfr_route_kentry(struct pfr_ktable *,
156 struct pfr_kentry *);
157 static int pfr_unroute_kentry(struct pfr_ktable *,
158 struct pfr_kentry *);
159 static int pfr_walktree(struct radix_node *, void *);
160 static int pfr_validate_table(struct pfr_table *, int, int);
161 static int pfr_fix_anchor(char *);
162 static void pfr_commit_ktable(struct pfr_ktable *, long);
163 static void pfr_insert_ktables(struct pfr_ktableworkq *);
164 static void pfr_insert_ktable(struct pfr_ktable *);
165 static void pfr_setflags_ktables(struct pfr_ktableworkq *);
166 static void pfr_setflags_ktable(struct pfr_ktable *, int);
167 static void pfr_clstats_ktables(struct pfr_ktableworkq *, long,
169 static void pfr_clstats_ktable(struct pfr_ktable *, long, int);
170 static struct pfr_ktable
171 *pfr_create_ktable(struct pfr_table *, long, int);
172 static void pfr_destroy_ktables(struct pfr_ktableworkq *, int);
173 static void pfr_destroy_ktable(struct pfr_ktable *, int);
174 static int pfr_ktable_compare(struct pfr_ktable *,
175 struct pfr_ktable *);
176 static struct pfr_ktable
177 *pfr_lookup_table(struct pfr_table *);
178 static void pfr_clean_node_mask(struct pfr_ktable *,
179 struct pfr_kentryworkq *);
180 static int pfr_skip_table(struct pfr_table *,
181 struct pfr_ktable *, int);
182 static struct pfr_kentry
183 *pfr_kentry_byidx(struct pfr_ktable *, int, int);
185 static RB_PROTOTYPE(pfr_ktablehead, pfr_ktable, pfrkt_tree, pfr_ktable_compare);
186 static RB_GENERATE(pfr_ktablehead, pfr_ktable, pfrkt_tree, pfr_ktable_compare);
188 static VNET_DEFINE(struct pfr_ktablehead, pfr_ktables);
189 #define V_pfr_ktables VNET(pfr_ktables)
191 static VNET_DEFINE(struct pfr_table, pfr_nulltable);
192 #define V_pfr_nulltable VNET(pfr_nulltable)
194 static VNET_DEFINE(int, pfr_ktable_cnt);
195 #define V_pfr_ktable_cnt VNET(pfr_ktable_cnt)
201 V_pfr_kentry_z = uma_zcreate("pf table entries",
202 sizeof(struct pfr_kentry), NULL, NULL, NULL, NULL, UMA_ALIGN_PTR,
204 V_pfr_kcounters_z = uma_zcreate("pf table counters",
205 sizeof(struct pfr_kcounters), NULL, NULL, NULL, NULL,
207 V_pf_limits[PF_LIMIT_TABLE_ENTRIES].zone = V_pfr_kentry_z;
208 V_pf_limits[PF_LIMIT_TABLE_ENTRIES].limit = PFR_KENTRY_HIWAT;
215 uma_zdestroy(V_pfr_kentry_z);
216 uma_zdestroy(V_pfr_kcounters_z);
220 pfr_clr_addrs(struct pfr_table *tbl, int *ndel, int flags)
222 struct pfr_ktable *kt;
223 struct pfr_kentryworkq workq;
227 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
228 if (pfr_validate_table(tbl, 0, flags & PFR_FLAG_USERIOCTL))
230 kt = pfr_lookup_table(tbl);
231 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
233 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
235 pfr_enqueue_addrs(kt, &workq, ndel, 0);
237 if (!(flags & PFR_FLAG_DUMMY)) {
238 pfr_remove_kentries(kt, &workq);
239 KASSERT(kt->pfrkt_cnt == 0, ("%s: non-null pfrkt_cnt", __func__));
245 pfr_add_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
246 int *nadd, int flags)
248 struct pfr_ktable *kt, *tmpkt;
249 struct pfr_kentryworkq workq;
250 struct pfr_kentry *p, *q;
253 long tzero = time_second;
257 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_FEEDBACK);
258 if (pfr_validate_table(tbl, 0, flags & PFR_FLAG_USERIOCTL))
260 kt = pfr_lookup_table(tbl);
261 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
263 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
265 tmpkt = pfr_create_ktable(&V_pfr_nulltable, 0, 0);
269 for (i = 0, ad = addr; i < size; i++, ad++) {
270 if (pfr_validate_addr(ad))
272 p = pfr_lookup_addr(kt, ad, 1);
273 q = pfr_lookup_addr(tmpkt, ad, 1);
274 if (flags & PFR_FLAG_FEEDBACK) {
276 ad->pfra_fback = PFR_FB_DUPLICATE;
278 ad->pfra_fback = PFR_FB_ADDED;
279 else if (p->pfrke_not != ad->pfra_not)
280 ad->pfra_fback = PFR_FB_CONFLICT;
282 ad->pfra_fback = PFR_FB_NONE;
284 if (p == NULL && q == NULL) {
285 p = pfr_create_kentry(ad);
288 if (pfr_route_kentry(tmpkt, p)) {
289 pfr_destroy_kentry(p);
290 ad->pfra_fback = PFR_FB_NONE;
292 SLIST_INSERT_HEAD(&workq, p, pfrke_workq);
297 pfr_clean_node_mask(tmpkt, &workq);
298 if (!(flags & PFR_FLAG_DUMMY))
299 pfr_insert_kentries(kt, &workq, tzero);
301 pfr_destroy_kentries(&workq);
304 pfr_destroy_ktable(tmpkt, 0);
307 pfr_clean_node_mask(tmpkt, &workq);
308 pfr_destroy_kentries(&workq);
309 if (flags & PFR_FLAG_FEEDBACK)
310 pfr_reset_feedback(addr, size);
311 pfr_destroy_ktable(tmpkt, 0);
316 pfr_del_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
317 int *ndel, int flags)
319 struct pfr_ktable *kt;
320 struct pfr_kentryworkq workq;
321 struct pfr_kentry *p;
323 int i, rv, xdel = 0, log = 1;
327 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_FEEDBACK);
328 if (pfr_validate_table(tbl, 0, flags & PFR_FLAG_USERIOCTL))
330 kt = pfr_lookup_table(tbl);
331 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
333 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
336 * there are two algorithms to choose from here.
338 * n: number of addresses to delete
339 * N: number of addresses in the table
341 * one is O(N) and is better for large 'n'
342 * one is O(n*LOG(N)) and is better for small 'n'
344 * following code try to decide which one is best.
346 for (i = kt->pfrkt_cnt; i > 0; i >>= 1)
348 if (size > kt->pfrkt_cnt/log) {
349 /* full table scan */
352 /* iterate over addresses to delete */
353 for (i = 0, ad = addr; i < size; i++, ad++) {
354 if (pfr_validate_addr(ad))
356 p = pfr_lookup_addr(kt, ad, 1);
362 for (i = 0, ad = addr; i < size; i++, ad++) {
363 if (pfr_validate_addr(ad))
365 p = pfr_lookup_addr(kt, ad, 1);
366 if (flags & PFR_FLAG_FEEDBACK) {
368 ad->pfra_fback = PFR_FB_NONE;
369 else if (p->pfrke_not != ad->pfra_not)
370 ad->pfra_fback = PFR_FB_CONFLICT;
371 else if (p->pfrke_mark)
372 ad->pfra_fback = PFR_FB_DUPLICATE;
374 ad->pfra_fback = PFR_FB_DELETED;
376 if (p != NULL && p->pfrke_not == ad->pfra_not &&
379 SLIST_INSERT_HEAD(&workq, p, pfrke_workq);
383 if (!(flags & PFR_FLAG_DUMMY))
384 pfr_remove_kentries(kt, &workq);
389 if (flags & PFR_FLAG_FEEDBACK)
390 pfr_reset_feedback(addr, size);
395 pfr_set_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
396 int *size2, int *nadd, int *ndel, int *nchange, int flags,
397 u_int32_t ignore_pfrt_flags)
399 struct pfr_ktable *kt, *tmpkt;
400 struct pfr_kentryworkq addq, delq, changeq;
401 struct pfr_kentry *p, *q;
403 int i, rv, xadd = 0, xdel = 0, xchange = 0;
404 long tzero = time_second;
408 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_FEEDBACK);
409 if (pfr_validate_table(tbl, ignore_pfrt_flags, flags &
412 kt = pfr_lookup_table(tbl);
413 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
415 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
417 tmpkt = pfr_create_ktable(&V_pfr_nulltable, 0, 0);
423 SLIST_INIT(&changeq);
424 for (i = 0; i < size; i++) {
426 * XXXGL: undertand pf_if usage of this function
427 * and make ad a moving pointer
429 bcopy(addr + i, &ad, sizeof(ad));
430 if (pfr_validate_addr(&ad))
432 ad.pfra_fback = PFR_FB_NONE;
433 p = pfr_lookup_addr(kt, &ad, 1);
436 ad.pfra_fback = PFR_FB_DUPLICATE;
440 if (p->pfrke_not != ad.pfra_not) {
441 SLIST_INSERT_HEAD(&changeq, p, pfrke_workq);
442 ad.pfra_fback = PFR_FB_CHANGED;
446 q = pfr_lookup_addr(tmpkt, &ad, 1);
448 ad.pfra_fback = PFR_FB_DUPLICATE;
451 p = pfr_create_kentry(&ad);
454 if (pfr_route_kentry(tmpkt, p)) {
455 pfr_destroy_kentry(p);
456 ad.pfra_fback = PFR_FB_NONE;
458 SLIST_INSERT_HEAD(&addq, p, pfrke_workq);
459 ad.pfra_fback = PFR_FB_ADDED;
464 if (flags & PFR_FLAG_FEEDBACK)
465 bcopy(&ad, addr + i, sizeof(ad));
467 pfr_enqueue_addrs(kt, &delq, &xdel, ENQUEUE_UNMARKED_ONLY);
468 if ((flags & PFR_FLAG_FEEDBACK) && *size2) {
469 if (*size2 < size+xdel) {
474 SLIST_FOREACH(p, &delq, pfrke_workq) {
475 pfr_copyout_addr(&ad, p);
476 ad.pfra_fback = PFR_FB_DELETED;
477 bcopy(&ad, addr + size + i, sizeof(ad));
481 pfr_clean_node_mask(tmpkt, &addq);
482 if (!(flags & PFR_FLAG_DUMMY)) {
483 pfr_insert_kentries(kt, &addq, tzero);
484 pfr_remove_kentries(kt, &delq);
485 pfr_clstats_kentries(&changeq, tzero, INVERT_NEG_FLAG);
487 pfr_destroy_kentries(&addq);
494 if ((flags & PFR_FLAG_FEEDBACK) && size2)
496 pfr_destroy_ktable(tmpkt, 0);
499 pfr_clean_node_mask(tmpkt, &addq);
500 pfr_destroy_kentries(&addq);
501 if (flags & PFR_FLAG_FEEDBACK)
502 pfr_reset_feedback(addr, size);
503 pfr_destroy_ktable(tmpkt, 0);
508 pfr_tst_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
509 int *nmatch, int flags)
511 struct pfr_ktable *kt;
512 struct pfr_kentry *p;
518 ACCEPT_FLAGS(flags, PFR_FLAG_REPLACE);
519 if (pfr_validate_table(tbl, 0, 0))
521 kt = pfr_lookup_table(tbl);
522 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
525 for (i = 0, ad = addr; i < size; i++, ad++) {
526 if (pfr_validate_addr(ad))
528 if (ADDR_NETWORK(ad))
530 p = pfr_lookup_addr(kt, ad, 0);
531 if (flags & PFR_FLAG_REPLACE)
532 pfr_copyout_addr(ad, p);
533 ad->pfra_fback = (p == NULL) ? PFR_FB_NONE :
534 (p->pfrke_not ? PFR_FB_NOTMATCH : PFR_FB_MATCH);
535 if (p != NULL && !p->pfrke_not)
544 pfr_get_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int *size,
547 struct pfr_ktable *kt;
548 struct pfr_walktree w;
553 ACCEPT_FLAGS(flags, 0);
554 if (pfr_validate_table(tbl, 0, 0))
556 kt = pfr_lookup_table(tbl);
557 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
559 if (kt->pfrkt_cnt > *size) {
560 *size = kt->pfrkt_cnt;
564 bzero(&w, sizeof(w));
565 w.pfrw_op = PFRW_GET_ADDRS;
567 w.pfrw_free = kt->pfrkt_cnt;
568 rv = kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh, pfr_walktree, &w);
570 rv = kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh,
575 KASSERT(w.pfrw_free == 0, ("%s: corruption detected (%d)", __func__,
578 *size = kt->pfrkt_cnt;
583 pfr_get_astats(struct pfr_table *tbl, struct pfr_astats *addr, int *size,
586 struct pfr_ktable *kt;
587 struct pfr_walktree w;
588 struct pfr_kentryworkq workq;
590 long tzero = time_second;
594 /* XXX PFR_FLAG_CLSTATS disabled */
595 ACCEPT_FLAGS(flags, 0);
596 if (pfr_validate_table(tbl, 0, 0))
598 kt = pfr_lookup_table(tbl);
599 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
601 if (kt->pfrkt_cnt > *size) {
602 *size = kt->pfrkt_cnt;
606 bzero(&w, sizeof(w));
607 w.pfrw_op = PFRW_GET_ASTATS;
608 w.pfrw_astats = addr;
609 w.pfrw_free = kt->pfrkt_cnt;
610 rv = kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh, pfr_walktree, &w);
612 rv = kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh,
614 if (!rv && (flags & PFR_FLAG_CLSTATS)) {
615 pfr_enqueue_addrs(kt, &workq, NULL, 0);
616 pfr_clstats_kentries(&workq, tzero, 0);
622 printf("pfr_get_astats: corruption detected (%d).\n",
626 *size = kt->pfrkt_cnt;
631 pfr_clr_astats(struct pfr_table *tbl, struct pfr_addr *addr, int size,
632 int *nzero, int flags)
634 struct pfr_ktable *kt;
635 struct pfr_kentryworkq workq;
636 struct pfr_kentry *p;
638 int i, rv, xzero = 0;
642 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_FEEDBACK);
643 if (pfr_validate_table(tbl, 0, 0))
645 kt = pfr_lookup_table(tbl);
646 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
649 for (i = 0, ad = addr; i < size; i++, ad++) {
650 if (pfr_validate_addr(ad))
652 p = pfr_lookup_addr(kt, ad, 1);
653 if (flags & PFR_FLAG_FEEDBACK) {
654 ad->pfra_fback = (p != NULL) ?
655 PFR_FB_CLEARED : PFR_FB_NONE;
658 SLIST_INSERT_HEAD(&workq, p, pfrke_workq);
663 if (!(flags & PFR_FLAG_DUMMY))
664 pfr_clstats_kentries(&workq, 0, 0);
669 if (flags & PFR_FLAG_FEEDBACK)
670 pfr_reset_feedback(addr, size);
675 pfr_validate_addr(struct pfr_addr *ad)
679 switch (ad->pfra_af) {
682 if (ad->pfra_net > 32)
688 if (ad->pfra_net > 128)
695 if (ad->pfra_net < 128 &&
696 (((caddr_t)ad)[ad->pfra_net/8] & (0xFF >> (ad->pfra_net%8))))
698 for (i = (ad->pfra_net+7)/8; i < sizeof(ad->pfra_u); i++)
699 if (((caddr_t)ad)[i])
701 if (ad->pfra_not && ad->pfra_not != 1)
709 pfr_enqueue_addrs(struct pfr_ktable *kt, struct pfr_kentryworkq *workq,
710 int *naddr, int sweep)
712 struct pfr_walktree w;
715 bzero(&w, sizeof(w));
716 w.pfrw_op = sweep ? PFRW_SWEEP : PFRW_ENQUEUE;
717 w.pfrw_workq = workq;
718 if (kt->pfrkt_ip4 != NULL)
719 if (kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh,
721 printf("pfr_enqueue_addrs: IPv4 walktree failed.\n");
722 if (kt->pfrkt_ip6 != NULL)
723 if (kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh,
725 printf("pfr_enqueue_addrs: IPv6 walktree failed.\n");
731 pfr_mark_addrs(struct pfr_ktable *kt)
733 struct pfr_walktree w;
735 bzero(&w, sizeof(w));
736 w.pfrw_op = PFRW_MARK;
737 if (kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh, pfr_walktree, &w))
738 printf("pfr_mark_addrs: IPv4 walktree failed.\n");
739 if (kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh, pfr_walktree, &w))
740 printf("pfr_mark_addrs: IPv6 walktree failed.\n");
744 static struct pfr_kentry *
745 pfr_lookup_addr(struct pfr_ktable *kt, struct pfr_addr *ad, int exact)
747 union sockaddr_union sa, mask;
748 struct radix_head *head = NULL;
749 struct pfr_kentry *ke;
753 bzero(&sa, sizeof(sa));
754 if (ad->pfra_af == AF_INET) {
755 FILLIN_SIN(sa.sin, ad->pfra_ip4addr);
756 head = &kt->pfrkt_ip4->rh;
757 } else if ( ad->pfra_af == AF_INET6 ) {
758 FILLIN_SIN6(sa.sin6, ad->pfra_ip6addr);
759 head = &kt->pfrkt_ip6->rh;
761 if (ADDR_NETWORK(ad)) {
762 pfr_prepare_network(&mask, ad->pfra_af, ad->pfra_net);
763 ke = (struct pfr_kentry *)rn_lookup(&sa, &mask, head);
764 if (ke && KENTRY_RNF_ROOT(ke))
767 ke = (struct pfr_kentry *)rn_match(&sa, head);
768 if (ke && KENTRY_RNF_ROOT(ke))
770 if (exact && ke && KENTRY_NETWORK(ke))
776 static struct pfr_kentry *
777 pfr_create_kentry(struct pfr_addr *ad)
779 struct pfr_kentry *ke;
781 ke = uma_zalloc(V_pfr_kentry_z, M_NOWAIT | M_ZERO);
785 if (ad->pfra_af == AF_INET)
786 FILLIN_SIN(ke->pfrke_sa.sin, ad->pfra_ip4addr);
787 else if (ad->pfra_af == AF_INET6)
788 FILLIN_SIN6(ke->pfrke_sa.sin6, ad->pfra_ip6addr);
789 ke->pfrke_af = ad->pfra_af;
790 ke->pfrke_net = ad->pfra_net;
791 ke->pfrke_not = ad->pfra_not;
796 pfr_destroy_kentries(struct pfr_kentryworkq *workq)
798 struct pfr_kentry *p, *q;
800 for (p = SLIST_FIRST(workq); p != NULL; p = q) {
801 q = SLIST_NEXT(p, pfrke_workq);
802 pfr_destroy_kentry(p);
807 pfr_destroy_kentry(struct pfr_kentry *ke)
809 if (ke->pfrke_counters)
810 uma_zfree(V_pfr_kcounters_z, ke->pfrke_counters);
811 uma_zfree(V_pfr_kentry_z, ke);
815 pfr_insert_kentries(struct pfr_ktable *kt,
816 struct pfr_kentryworkq *workq, long tzero)
818 struct pfr_kentry *p;
821 SLIST_FOREACH(p, workq, pfrke_workq) {
822 rv = pfr_route_kentry(kt, p);
824 printf("pfr_insert_kentries: cannot route entry "
828 p->pfrke_tzero = tzero;
835 pfr_insert_kentry(struct pfr_ktable *kt, struct pfr_addr *ad, long tzero)
837 struct pfr_kentry *p;
840 p = pfr_lookup_addr(kt, ad, 1);
843 p = pfr_create_kentry(ad);
847 rv = pfr_route_kentry(kt, p);
851 p->pfrke_tzero = tzero;
858 pfr_remove_kentries(struct pfr_ktable *kt,
859 struct pfr_kentryworkq *workq)
861 struct pfr_kentry *p;
864 SLIST_FOREACH(p, workq, pfrke_workq) {
865 pfr_unroute_kentry(kt, p);
869 pfr_destroy_kentries(workq);
873 pfr_clean_node_mask(struct pfr_ktable *kt,
874 struct pfr_kentryworkq *workq)
876 struct pfr_kentry *p;
878 SLIST_FOREACH(p, workq, pfrke_workq)
879 pfr_unroute_kentry(kt, p);
883 pfr_clstats_kentries(struct pfr_kentryworkq *workq, long tzero, int negchange)
885 struct pfr_kentry *p;
887 SLIST_FOREACH(p, workq, pfrke_workq) {
889 p->pfrke_not = !p->pfrke_not;
890 if (p->pfrke_counters) {
891 uma_zfree(V_pfr_kcounters_z, p->pfrke_counters);
892 p->pfrke_counters = NULL;
894 p->pfrke_tzero = tzero;
899 pfr_reset_feedback(struct pfr_addr *addr, int size)
904 for (i = 0, ad = addr; i < size; i++, ad++)
905 ad->pfra_fback = PFR_FB_NONE;
909 pfr_prepare_network(union sockaddr_union *sa, int af, int net)
913 bzero(sa, sizeof(*sa));
915 sa->sin.sin_len = sizeof(sa->sin);
916 sa->sin.sin_family = AF_INET;
917 sa->sin.sin_addr.s_addr = net ? htonl(-1 << (32-net)) : 0;
918 } else if (af == AF_INET6) {
919 sa->sin6.sin6_len = sizeof(sa->sin6);
920 sa->sin6.sin6_family = AF_INET6;
921 for (i = 0; i < 4; i++) {
923 sa->sin6.sin6_addr.s6_addr32[i] =
924 net ? htonl(-1 << (32-net)) : 0;
927 sa->sin6.sin6_addr.s6_addr32[i] = 0xFFFFFFFF;
934 pfr_route_kentry(struct pfr_ktable *kt, struct pfr_kentry *ke)
936 union sockaddr_union mask;
937 struct radix_node *rn;
938 struct radix_head *head = NULL;
942 bzero(ke->pfrke_node, sizeof(ke->pfrke_node));
943 if (ke->pfrke_af == AF_INET)
944 head = &kt->pfrkt_ip4->rh;
945 else if (ke->pfrke_af == AF_INET6)
946 head = &kt->pfrkt_ip6->rh;
948 if (KENTRY_NETWORK(ke)) {
949 pfr_prepare_network(&mask, ke->pfrke_af, ke->pfrke_net);
950 rn = rn_addroute(&ke->pfrke_sa, &mask, head, ke->pfrke_node);
952 rn = rn_addroute(&ke->pfrke_sa, NULL, head, ke->pfrke_node);
954 return (rn == NULL ? -1 : 0);
958 pfr_unroute_kentry(struct pfr_ktable *kt, struct pfr_kentry *ke)
960 union sockaddr_union mask;
961 struct radix_node *rn;
962 struct radix_head *head = NULL;
964 if (ke->pfrke_af == AF_INET)
965 head = &kt->pfrkt_ip4->rh;
966 else if (ke->pfrke_af == AF_INET6)
967 head = &kt->pfrkt_ip6->rh;
969 if (KENTRY_NETWORK(ke)) {
970 pfr_prepare_network(&mask, ke->pfrke_af, ke->pfrke_net);
971 rn = rn_delete(&ke->pfrke_sa, &mask, head);
973 rn = rn_delete(&ke->pfrke_sa, NULL, head);
976 printf("pfr_unroute_kentry: delete failed.\n");
983 pfr_copyout_addr(struct pfr_addr *ad, struct pfr_kentry *ke)
985 bzero(ad, sizeof(*ad));
988 ad->pfra_af = ke->pfrke_af;
989 ad->pfra_net = ke->pfrke_net;
990 ad->pfra_not = ke->pfrke_not;
991 if (ad->pfra_af == AF_INET)
992 ad->pfra_ip4addr = ke->pfrke_sa.sin.sin_addr;
993 else if (ad->pfra_af == AF_INET6)
994 ad->pfra_ip6addr = ke->pfrke_sa.sin6.sin6_addr;
998 pfr_walktree(struct radix_node *rn, void *arg)
1000 struct pfr_kentry *ke = (struct pfr_kentry *)rn;
1001 struct pfr_walktree *w = arg;
1003 switch (w->pfrw_op) {
1012 SLIST_INSERT_HEAD(w->pfrw_workq, ke, pfrke_workq);
1015 case PFRW_GET_ADDRS:
1016 if (w->pfrw_free-- > 0) {
1017 pfr_copyout_addr(w->pfrw_addr, ke);
1021 case PFRW_GET_ASTATS:
1022 if (w->pfrw_free-- > 0) {
1023 struct pfr_astats as;
1025 pfr_copyout_addr(&as.pfras_a, ke);
1027 if (ke->pfrke_counters) {
1028 bcopy(ke->pfrke_counters->pfrkc_packets,
1029 as.pfras_packets, sizeof(as.pfras_packets));
1030 bcopy(ke->pfrke_counters->pfrkc_bytes,
1031 as.pfras_bytes, sizeof(as.pfras_bytes));
1033 bzero(as.pfras_packets, sizeof(as.pfras_packets));
1034 bzero(as.pfras_bytes, sizeof(as.pfras_bytes));
1035 as.pfras_a.pfra_fback = PFR_FB_NOCOUNT;
1037 as.pfras_tzero = ke->pfrke_tzero;
1039 bcopy(&as, w->pfrw_astats, sizeof(as));
1045 break; /* negative entries are ignored */
1046 if (!w->pfrw_cnt--) {
1047 w->pfrw_kentry = ke;
1048 return (1); /* finish search */
1051 case PFRW_DYNADDR_UPDATE:
1053 union sockaddr_union pfr_mask;
1055 if (ke->pfrke_af == AF_INET) {
1056 if (w->pfrw_dyn->pfid_acnt4++ > 0)
1058 pfr_prepare_network(&pfr_mask, AF_INET, ke->pfrke_net);
1059 w->pfrw_dyn->pfid_addr4 = *SUNION2PF(&ke->pfrke_sa,
1061 w->pfrw_dyn->pfid_mask4 = *SUNION2PF(&pfr_mask,
1063 } else if (ke->pfrke_af == AF_INET6){
1064 if (w->pfrw_dyn->pfid_acnt6++ > 0)
1066 pfr_prepare_network(&pfr_mask, AF_INET6, ke->pfrke_net);
1067 w->pfrw_dyn->pfid_addr6 = *SUNION2PF(&ke->pfrke_sa,
1069 w->pfrw_dyn->pfid_mask6 = *SUNION2PF(&pfr_mask,
1079 pfr_clr_tables(struct pfr_table *filter, int *ndel, int flags)
1081 struct pfr_ktableworkq workq;
1082 struct pfr_ktable *p;
1085 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_ALLRSETS);
1086 if (pfr_fix_anchor(filter->pfrt_anchor))
1088 if (pfr_table_count(filter, flags) < 0)
1092 RB_FOREACH(p, pfr_ktablehead, &V_pfr_ktables) {
1093 if (pfr_skip_table(filter, p, flags))
1095 if (!strcmp(p->pfrkt_anchor, PF_RESERVED_ANCHOR))
1097 if (!(p->pfrkt_flags & PFR_TFLAG_ACTIVE))
1099 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_ACTIVE;
1100 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1103 if (!(flags & PFR_FLAG_DUMMY))
1104 pfr_setflags_ktables(&workq);
1111 pfr_add_tables(struct pfr_table *tbl, int size, int *nadd, int flags)
1113 struct pfr_ktableworkq addq, changeq;
1114 struct pfr_ktable *p, *q, *r, key;
1115 int i, rv, xadd = 0;
1116 long tzero = time_second;
1118 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1120 SLIST_INIT(&changeq);
1121 for (i = 0; i < size; i++) {
1122 bcopy(tbl+i, &key.pfrkt_t, sizeof(key.pfrkt_t));
1123 if (pfr_validate_table(&key.pfrkt_t, PFR_TFLAG_USRMASK,
1124 flags & PFR_FLAG_USERIOCTL))
1126 key.pfrkt_flags |= PFR_TFLAG_ACTIVE;
1127 p = RB_FIND(pfr_ktablehead, &V_pfr_ktables, &key);
1129 p = pfr_create_ktable(&key.pfrkt_t, tzero, 1);
1132 SLIST_FOREACH(q, &addq, pfrkt_workq) {
1133 if (!pfr_ktable_compare(p, q)) {
1134 pfr_destroy_ktable(p, 0);
1138 SLIST_INSERT_HEAD(&addq, p, pfrkt_workq);
1140 if (!key.pfrkt_anchor[0])
1143 /* find or create root table */
1144 bzero(key.pfrkt_anchor, sizeof(key.pfrkt_anchor));
1145 r = RB_FIND(pfr_ktablehead, &V_pfr_ktables, &key);
1150 SLIST_FOREACH(q, &addq, pfrkt_workq) {
1151 if (!pfr_ktable_compare(&key, q)) {
1156 key.pfrkt_flags = 0;
1157 r = pfr_create_ktable(&key.pfrkt_t, 0, 1);
1160 SLIST_INSERT_HEAD(&addq, r, pfrkt_workq);
1162 } else if (!(p->pfrkt_flags & PFR_TFLAG_ACTIVE)) {
1163 SLIST_FOREACH(q, &changeq, pfrkt_workq)
1164 if (!pfr_ktable_compare(&key, q))
1166 p->pfrkt_nflags = (p->pfrkt_flags &
1167 ~PFR_TFLAG_USRMASK) | key.pfrkt_flags;
1168 SLIST_INSERT_HEAD(&changeq, p, pfrkt_workq);
1174 if (!(flags & PFR_FLAG_DUMMY)) {
1175 pfr_insert_ktables(&addq);
1176 pfr_setflags_ktables(&changeq);
1178 pfr_destroy_ktables(&addq, 0);
1183 pfr_destroy_ktables(&addq, 0);
1188 pfr_del_tables(struct pfr_table *tbl, int size, int *ndel, int flags)
1190 struct pfr_ktableworkq workq;
1191 struct pfr_ktable *p, *q, key;
1194 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1196 for (i = 0; i < size; i++) {
1197 bcopy(tbl+i, &key.pfrkt_t, sizeof(key.pfrkt_t));
1198 if (pfr_validate_table(&key.pfrkt_t, 0,
1199 flags & PFR_FLAG_USERIOCTL))
1201 p = RB_FIND(pfr_ktablehead, &V_pfr_ktables, &key);
1202 if (p != NULL && (p->pfrkt_flags & PFR_TFLAG_ACTIVE)) {
1203 SLIST_FOREACH(q, &workq, pfrkt_workq)
1204 if (!pfr_ktable_compare(p, q))
1206 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_ACTIVE;
1207 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1214 if (!(flags & PFR_FLAG_DUMMY))
1215 pfr_setflags_ktables(&workq);
1222 pfr_get_tables(struct pfr_table *filter, struct pfr_table *tbl, int *size,
1225 struct pfr_ktable *p;
1230 ACCEPT_FLAGS(flags, PFR_FLAG_ALLRSETS);
1231 if (pfr_fix_anchor(filter->pfrt_anchor))
1233 n = nn = pfr_table_count(filter, flags);
1240 RB_FOREACH(p, pfr_ktablehead, &V_pfr_ktables) {
1241 if (pfr_skip_table(filter, p, flags))
1245 bcopy(&p->pfrkt_t, tbl++, sizeof(*tbl));
1248 KASSERT(n == 0, ("%s: corruption detected (%d)", __func__, n));
1255 pfr_get_tstats(struct pfr_table *filter, struct pfr_tstats *tbl, int *size,
1258 struct pfr_ktable *p;
1259 struct pfr_ktableworkq workq;
1261 long tzero = time_second;
1263 /* XXX PFR_FLAG_CLSTATS disabled */
1264 ACCEPT_FLAGS(flags, PFR_FLAG_ALLRSETS);
1265 if (pfr_fix_anchor(filter->pfrt_anchor))
1267 n = nn = pfr_table_count(filter, flags);
1275 RB_FOREACH(p, pfr_ktablehead, &V_pfr_ktables) {
1276 if (pfr_skip_table(filter, p, flags))
1280 bcopy(&p->pfrkt_ts, tbl++, sizeof(*tbl));
1281 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1283 if (flags & PFR_FLAG_CLSTATS)
1284 pfr_clstats_ktables(&workq, tzero,
1285 flags & PFR_FLAG_ADDRSTOO);
1287 KASSERT(n == 0, ("%s: corruption detected (%d)", __func__, n));
1294 pfr_clr_tstats(struct pfr_table *tbl, int size, int *nzero, int flags)
1296 struct pfr_ktableworkq workq;
1297 struct pfr_ktable *p, key;
1299 long tzero = time_second;
1301 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_ADDRSTOO);
1303 for (i = 0; i < size; i++) {
1304 bcopy(tbl + i, &key.pfrkt_t, sizeof(key.pfrkt_t));
1305 if (pfr_validate_table(&key.pfrkt_t, 0, 0))
1307 p = RB_FIND(pfr_ktablehead, &V_pfr_ktables, &key);
1309 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1313 if (!(flags & PFR_FLAG_DUMMY))
1314 pfr_clstats_ktables(&workq, tzero, flags & PFR_FLAG_ADDRSTOO);
1321 pfr_set_tflags(struct pfr_table *tbl, int size, int setflag, int clrflag,
1322 int *nchange, int *ndel, int flags)
1324 struct pfr_ktableworkq workq;
1325 struct pfr_ktable *p, *q, key;
1326 int i, xchange = 0, xdel = 0;
1328 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1329 if ((setflag & ~PFR_TFLAG_USRMASK) ||
1330 (clrflag & ~PFR_TFLAG_USRMASK) ||
1331 (setflag & clrflag))
1334 for (i = 0; i < size; i++) {
1335 bcopy(tbl + i, &key.pfrkt_t, sizeof(key.pfrkt_t));
1336 if (pfr_validate_table(&key.pfrkt_t, 0,
1337 flags & PFR_FLAG_USERIOCTL))
1339 p = RB_FIND(pfr_ktablehead, &V_pfr_ktables, &key);
1340 if (p != NULL && (p->pfrkt_flags & PFR_TFLAG_ACTIVE)) {
1341 p->pfrkt_nflags = (p->pfrkt_flags | setflag) &
1343 if (p->pfrkt_nflags == p->pfrkt_flags)
1345 SLIST_FOREACH(q, &workq, pfrkt_workq)
1346 if (!pfr_ktable_compare(p, q))
1348 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1349 if ((p->pfrkt_flags & PFR_TFLAG_PERSIST) &&
1350 (clrflag & PFR_TFLAG_PERSIST) &&
1351 !(p->pfrkt_flags & PFR_TFLAG_REFERENCED))
1359 if (!(flags & PFR_FLAG_DUMMY))
1360 pfr_setflags_ktables(&workq);
1361 if (nchange != NULL)
1369 pfr_ina_begin(struct pfr_table *trs, u_int32_t *ticket, int *ndel, int flags)
1371 struct pfr_ktableworkq workq;
1372 struct pfr_ktable *p;
1373 struct pf_ruleset *rs;
1376 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1377 rs = pf_find_or_create_ruleset(trs->pfrt_anchor);
1381 RB_FOREACH(p, pfr_ktablehead, &V_pfr_ktables) {
1382 if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) ||
1383 pfr_skip_table(trs, p, 0))
1385 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_INACTIVE;
1386 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1389 if (!(flags & PFR_FLAG_DUMMY)) {
1390 pfr_setflags_ktables(&workq);
1392 *ticket = ++rs->tticket;
1395 pf_remove_if_empty_ruleset(rs);
1402 pfr_ina_define(struct pfr_table *tbl, struct pfr_addr *addr, int size,
1403 int *nadd, int *naddr, u_int32_t ticket, int flags)
1405 struct pfr_ktableworkq tableq;
1406 struct pfr_kentryworkq addrq;
1407 struct pfr_ktable *kt, *rt, *shadow, key;
1408 struct pfr_kentry *p;
1409 struct pfr_addr *ad;
1410 struct pf_ruleset *rs;
1411 int i, rv, xadd = 0, xaddr = 0;
1415 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_ADDRSTOO);
1416 if (size && !(flags & PFR_FLAG_ADDRSTOO))
1418 if (pfr_validate_table(tbl, PFR_TFLAG_USRMASK,
1419 flags & PFR_FLAG_USERIOCTL))
1421 rs = pf_find_ruleset(tbl->pfrt_anchor);
1422 if (rs == NULL || !rs->topen || ticket != rs->tticket)
1424 tbl->pfrt_flags |= PFR_TFLAG_INACTIVE;
1425 SLIST_INIT(&tableq);
1426 kt = RB_FIND(pfr_ktablehead, &V_pfr_ktables, (struct pfr_ktable *)tbl);
1428 kt = pfr_create_ktable(tbl, 0, 1);
1431 SLIST_INSERT_HEAD(&tableq, kt, pfrkt_workq);
1433 if (!tbl->pfrt_anchor[0])
1436 /* find or create root table */
1437 bzero(&key, sizeof(key));
1438 strlcpy(key.pfrkt_name, tbl->pfrt_name, sizeof(key.pfrkt_name));
1439 rt = RB_FIND(pfr_ktablehead, &V_pfr_ktables, &key);
1441 kt->pfrkt_root = rt;
1444 rt = pfr_create_ktable(&key.pfrkt_t, 0, 1);
1446 pfr_destroy_ktables(&tableq, 0);
1449 SLIST_INSERT_HEAD(&tableq, rt, pfrkt_workq);
1450 kt->pfrkt_root = rt;
1451 } else if (!(kt->pfrkt_flags & PFR_TFLAG_INACTIVE))
1454 shadow = pfr_create_ktable(tbl, 0, 0);
1455 if (shadow == NULL) {
1456 pfr_destroy_ktables(&tableq, 0);
1460 for (i = 0, ad = addr; i < size; i++, ad++) {
1461 if (pfr_validate_addr(ad))
1463 if (pfr_lookup_addr(shadow, ad, 1) != NULL)
1465 p = pfr_create_kentry(ad);
1468 if (pfr_route_kentry(shadow, p)) {
1469 pfr_destroy_kentry(p);
1472 SLIST_INSERT_HEAD(&addrq, p, pfrke_workq);
1475 if (!(flags & PFR_FLAG_DUMMY)) {
1476 if (kt->pfrkt_shadow != NULL)
1477 pfr_destroy_ktable(kt->pfrkt_shadow, 1);
1478 kt->pfrkt_flags |= PFR_TFLAG_INACTIVE;
1479 pfr_insert_ktables(&tableq);
1480 shadow->pfrkt_cnt = (flags & PFR_FLAG_ADDRSTOO) ?
1481 xaddr : NO_ADDRESSES;
1482 kt->pfrkt_shadow = shadow;
1484 pfr_clean_node_mask(shadow, &addrq);
1485 pfr_destroy_ktable(shadow, 0);
1486 pfr_destroy_ktables(&tableq, 0);
1487 pfr_destroy_kentries(&addrq);
1495 pfr_destroy_ktable(shadow, 0);
1496 pfr_destroy_ktables(&tableq, 0);
1497 pfr_destroy_kentries(&addrq);
1502 pfr_ina_rollback(struct pfr_table *trs, u_int32_t ticket, int *ndel, int flags)
1504 struct pfr_ktableworkq workq;
1505 struct pfr_ktable *p;
1506 struct pf_ruleset *rs;
1511 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1512 rs = pf_find_ruleset(trs->pfrt_anchor);
1513 if (rs == NULL || !rs->topen || ticket != rs->tticket)
1516 RB_FOREACH(p, pfr_ktablehead, &V_pfr_ktables) {
1517 if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) ||
1518 pfr_skip_table(trs, p, 0))
1520 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_INACTIVE;
1521 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1524 if (!(flags & PFR_FLAG_DUMMY)) {
1525 pfr_setflags_ktables(&workq);
1527 pf_remove_if_empty_ruleset(rs);
1535 pfr_ina_commit(struct pfr_table *trs, u_int32_t ticket, int *nadd,
1536 int *nchange, int flags)
1538 struct pfr_ktable *p, *q;
1539 struct pfr_ktableworkq workq;
1540 struct pf_ruleset *rs;
1541 int xadd = 0, xchange = 0;
1542 long tzero = time_second;
1546 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1547 rs = pf_find_ruleset(trs->pfrt_anchor);
1548 if (rs == NULL || !rs->topen || ticket != rs->tticket)
1552 RB_FOREACH(p, pfr_ktablehead, &V_pfr_ktables) {
1553 if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) ||
1554 pfr_skip_table(trs, p, 0))
1556 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1557 if (p->pfrkt_flags & PFR_TFLAG_ACTIVE)
1563 if (!(flags & PFR_FLAG_DUMMY)) {
1564 for (p = SLIST_FIRST(&workq); p != NULL; p = q) {
1565 q = SLIST_NEXT(p, pfrkt_workq);
1566 pfr_commit_ktable(p, tzero);
1569 pf_remove_if_empty_ruleset(rs);
1573 if (nchange != NULL)
1580 pfr_commit_ktable(struct pfr_ktable *kt, long tzero)
1582 struct pfr_ktable *shadow = kt->pfrkt_shadow;
1587 if (shadow->pfrkt_cnt == NO_ADDRESSES) {
1588 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
1589 pfr_clstats_ktable(kt, tzero, 1);
1590 } else if (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) {
1591 /* kt might contain addresses */
1592 struct pfr_kentryworkq addrq, addq, changeq, delq, garbageq;
1593 struct pfr_kentry *p, *q, *next;
1596 pfr_enqueue_addrs(shadow, &addrq, NULL, 0);
1599 SLIST_INIT(&changeq);
1601 SLIST_INIT(&garbageq);
1602 pfr_clean_node_mask(shadow, &addrq);
1603 for (p = SLIST_FIRST(&addrq); p != NULL; p = next) {
1604 next = SLIST_NEXT(p, pfrke_workq); /* XXX */
1605 pfr_copyout_addr(&ad, p);
1606 q = pfr_lookup_addr(kt, &ad, 1);
1608 if (q->pfrke_not != p->pfrke_not)
1609 SLIST_INSERT_HEAD(&changeq, q,
1612 SLIST_INSERT_HEAD(&garbageq, p, pfrke_workq);
1614 p->pfrke_tzero = tzero;
1615 SLIST_INSERT_HEAD(&addq, p, pfrke_workq);
1618 pfr_enqueue_addrs(kt, &delq, NULL, ENQUEUE_UNMARKED_ONLY);
1619 pfr_insert_kentries(kt, &addq, tzero);
1620 pfr_remove_kentries(kt, &delq);
1621 pfr_clstats_kentries(&changeq, tzero, INVERT_NEG_FLAG);
1622 pfr_destroy_kentries(&garbageq);
1624 /* kt cannot contain addresses */
1625 SWAP(struct radix_node_head *, kt->pfrkt_ip4,
1627 SWAP(struct radix_node_head *, kt->pfrkt_ip6,
1629 SWAP(int, kt->pfrkt_cnt, shadow->pfrkt_cnt);
1630 pfr_clstats_ktable(kt, tzero, 1);
1632 nflags = ((shadow->pfrkt_flags & PFR_TFLAG_USRMASK) |
1633 (kt->pfrkt_flags & PFR_TFLAG_SETMASK) | PFR_TFLAG_ACTIVE)
1634 & ~PFR_TFLAG_INACTIVE;
1635 pfr_destroy_ktable(shadow, 0);
1636 kt->pfrkt_shadow = NULL;
1637 pfr_setflags_ktable(kt, nflags);
1641 pfr_validate_table(struct pfr_table *tbl, int allowedflags, int no_reserved)
1645 if (!tbl->pfrt_name[0])
1647 if (no_reserved && !strcmp(tbl->pfrt_anchor, PF_RESERVED_ANCHOR))
1649 if (tbl->pfrt_name[PF_TABLE_NAME_SIZE-1])
1651 for (i = strlen(tbl->pfrt_name); i < PF_TABLE_NAME_SIZE; i++)
1652 if (tbl->pfrt_name[i])
1654 if (pfr_fix_anchor(tbl->pfrt_anchor))
1656 if (tbl->pfrt_flags & ~allowedflags)
1662 * Rewrite anchors referenced by tables to remove slashes
1663 * and check for validity.
1666 pfr_fix_anchor(char *anchor)
1668 size_t siz = MAXPATHLEN;
1671 if (anchor[0] == '/') {
1677 while (*++path == '/')
1679 bcopy(path, anchor, siz - off);
1680 memset(anchor + siz - off, 0, off);
1682 if (anchor[siz - 1])
1684 for (i = strlen(anchor); i < siz; i++)
1691 pfr_table_count(struct pfr_table *filter, int flags)
1693 struct pf_ruleset *rs;
1697 if (flags & PFR_FLAG_ALLRSETS)
1698 return (V_pfr_ktable_cnt);
1699 if (filter->pfrt_anchor[0]) {
1700 rs = pf_find_ruleset(filter->pfrt_anchor);
1701 return ((rs != NULL) ? rs->tables : -1);
1703 return (pf_main_ruleset.tables);
1707 pfr_skip_table(struct pfr_table *filter, struct pfr_ktable *kt, int flags)
1709 if (flags & PFR_FLAG_ALLRSETS)
1711 if (strcmp(filter->pfrt_anchor, kt->pfrkt_anchor))
1717 pfr_insert_ktables(struct pfr_ktableworkq *workq)
1719 struct pfr_ktable *p;
1721 SLIST_FOREACH(p, workq, pfrkt_workq)
1722 pfr_insert_ktable(p);
1726 pfr_insert_ktable(struct pfr_ktable *kt)
1731 RB_INSERT(pfr_ktablehead, &V_pfr_ktables, kt);
1733 if (kt->pfrkt_root != NULL)
1734 if (!kt->pfrkt_root->pfrkt_refcnt[PFR_REFCNT_ANCHOR]++)
1735 pfr_setflags_ktable(kt->pfrkt_root,
1736 kt->pfrkt_root->pfrkt_flags|PFR_TFLAG_REFDANCHOR);
1740 pfr_setflags_ktables(struct pfr_ktableworkq *workq)
1742 struct pfr_ktable *p, *q;
1744 for (p = SLIST_FIRST(workq); p; p = q) {
1745 q = SLIST_NEXT(p, pfrkt_workq);
1746 pfr_setflags_ktable(p, p->pfrkt_nflags);
1751 pfr_setflags_ktable(struct pfr_ktable *kt, int newf)
1753 struct pfr_kentryworkq addrq;
1757 if (!(newf & PFR_TFLAG_REFERENCED) &&
1758 !(newf & PFR_TFLAG_PERSIST))
1759 newf &= ~PFR_TFLAG_ACTIVE;
1760 if (!(newf & PFR_TFLAG_ACTIVE))
1761 newf &= ~PFR_TFLAG_USRMASK;
1762 if (!(newf & PFR_TFLAG_SETMASK)) {
1763 RB_REMOVE(pfr_ktablehead, &V_pfr_ktables, kt);
1764 if (kt->pfrkt_root != NULL)
1765 if (!--kt->pfrkt_root->pfrkt_refcnt[PFR_REFCNT_ANCHOR])
1766 pfr_setflags_ktable(kt->pfrkt_root,
1767 kt->pfrkt_root->pfrkt_flags &
1768 ~PFR_TFLAG_REFDANCHOR);
1769 pfr_destroy_ktable(kt, 1);
1773 if (!(newf & PFR_TFLAG_ACTIVE) && kt->pfrkt_cnt) {
1774 pfr_enqueue_addrs(kt, &addrq, NULL, 0);
1775 pfr_remove_kentries(kt, &addrq);
1777 if (!(newf & PFR_TFLAG_INACTIVE) && kt->pfrkt_shadow != NULL) {
1778 pfr_destroy_ktable(kt->pfrkt_shadow, 1);
1779 kt->pfrkt_shadow = NULL;
1781 kt->pfrkt_flags = newf;
1785 pfr_clstats_ktables(struct pfr_ktableworkq *workq, long tzero, int recurse)
1787 struct pfr_ktable *p;
1789 SLIST_FOREACH(p, workq, pfrkt_workq)
1790 pfr_clstats_ktable(p, tzero, recurse);
1794 pfr_clstats_ktable(struct pfr_ktable *kt, long tzero, int recurse)
1796 struct pfr_kentryworkq addrq;
1799 pfr_enqueue_addrs(kt, &addrq, NULL, 0);
1800 pfr_clstats_kentries(&addrq, tzero, 0);
1802 bzero(kt->pfrkt_packets, sizeof(kt->pfrkt_packets));
1803 bzero(kt->pfrkt_bytes, sizeof(kt->pfrkt_bytes));
1804 kt->pfrkt_match = kt->pfrkt_nomatch = 0;
1805 kt->pfrkt_tzero = tzero;
1808 static struct pfr_ktable *
1809 pfr_create_ktable(struct pfr_table *tbl, long tzero, int attachruleset)
1811 struct pfr_ktable *kt;
1812 struct pf_ruleset *rs;
1816 kt = malloc(sizeof(*kt), M_PFTABLE, M_NOWAIT|M_ZERO);
1821 if (attachruleset) {
1822 rs = pf_find_or_create_ruleset(tbl->pfrt_anchor);
1824 pfr_destroy_ktable(kt, 0);
1831 if (!rn_inithead((void **)&kt->pfrkt_ip4,
1832 offsetof(struct sockaddr_in, sin_addr) * 8) ||
1833 !rn_inithead((void **)&kt->pfrkt_ip6,
1834 offsetof(struct sockaddr_in6, sin6_addr) * 8)) {
1835 pfr_destroy_ktable(kt, 0);
1838 kt->pfrkt_tzero = tzero;
1844 pfr_destroy_ktables(struct pfr_ktableworkq *workq, int flushaddr)
1846 struct pfr_ktable *p, *q;
1848 for (p = SLIST_FIRST(workq); p; p = q) {
1849 q = SLIST_NEXT(p, pfrkt_workq);
1850 pfr_destroy_ktable(p, flushaddr);
1855 pfr_destroy_ktable(struct pfr_ktable *kt, int flushaddr)
1857 struct pfr_kentryworkq addrq;
1860 pfr_enqueue_addrs(kt, &addrq, NULL, 0);
1861 pfr_clean_node_mask(kt, &addrq);
1862 pfr_destroy_kentries(&addrq);
1864 if (kt->pfrkt_ip4 != NULL)
1865 rn_detachhead((void **)&kt->pfrkt_ip4);
1866 if (kt->pfrkt_ip6 != NULL)
1867 rn_detachhead((void **)&kt->pfrkt_ip6);
1868 if (kt->pfrkt_shadow != NULL)
1869 pfr_destroy_ktable(kt->pfrkt_shadow, flushaddr);
1870 if (kt->pfrkt_rs != NULL) {
1871 kt->pfrkt_rs->tables--;
1872 pf_remove_if_empty_ruleset(kt->pfrkt_rs);
1874 free(kt, M_PFTABLE);
1878 pfr_ktable_compare(struct pfr_ktable *p, struct pfr_ktable *q)
1882 if ((d = strncmp(p->pfrkt_name, q->pfrkt_name, PF_TABLE_NAME_SIZE)))
1884 return (strcmp(p->pfrkt_anchor, q->pfrkt_anchor));
1887 static struct pfr_ktable *
1888 pfr_lookup_table(struct pfr_table *tbl)
1890 /* struct pfr_ktable start like a struct pfr_table */
1891 return (RB_FIND(pfr_ktablehead, &V_pfr_ktables,
1892 (struct pfr_ktable *)tbl));
1896 pfr_match_addr(struct pfr_ktable *kt, struct pf_addr *a, sa_family_t af)
1898 struct pfr_kentry *ke = NULL;
1903 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
1904 kt = kt->pfrkt_root;
1905 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
1912 struct sockaddr_in sin;
1914 bzero(&sin, sizeof(sin));
1915 sin.sin_len = sizeof(sin);
1916 sin.sin_family = AF_INET;
1917 sin.sin_addr.s_addr = a->addr32[0];
1918 ke = (struct pfr_kentry *)rn_match(&sin, &kt->pfrkt_ip4->rh);
1919 if (ke && KENTRY_RNF_ROOT(ke))
1927 struct sockaddr_in6 sin6;
1929 bzero(&sin6, sizeof(sin6));
1930 sin6.sin6_len = sizeof(sin6);
1931 sin6.sin6_family = AF_INET6;
1932 bcopy(a, &sin6.sin6_addr, sizeof(sin6.sin6_addr));
1933 ke = (struct pfr_kentry *)rn_match(&sin6, &kt->pfrkt_ip6->rh);
1934 if (ke && KENTRY_RNF_ROOT(ke))
1940 match = (ke && !ke->pfrke_not);
1944 kt->pfrkt_nomatch++;
1949 pfr_update_stats(struct pfr_ktable *kt, struct pf_addr *a, sa_family_t af,
1950 u_int64_t len, int dir_out, int op_pass, int notrule)
1952 struct pfr_kentry *ke = NULL;
1954 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
1955 kt = kt->pfrkt_root;
1956 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
1963 struct sockaddr_in sin;
1965 bzero(&sin, sizeof(sin));
1966 sin.sin_len = sizeof(sin);
1967 sin.sin_family = AF_INET;
1968 sin.sin_addr.s_addr = a->addr32[0];
1969 ke = (struct pfr_kentry *)rn_match(&sin, &kt->pfrkt_ip4->rh);
1970 if (ke && KENTRY_RNF_ROOT(ke))
1978 struct sockaddr_in6 sin6;
1980 bzero(&sin6, sizeof(sin6));
1981 sin6.sin6_len = sizeof(sin6);
1982 sin6.sin6_family = AF_INET6;
1983 bcopy(a, &sin6.sin6_addr, sizeof(sin6.sin6_addr));
1984 ke = (struct pfr_kentry *)rn_match(&sin6, &kt->pfrkt_ip6->rh);
1985 if (ke && KENTRY_RNF_ROOT(ke))
1991 panic("%s: unknown address family %u", __func__, af);
1993 if ((ke == NULL || ke->pfrke_not) != notrule) {
1994 if (op_pass != PFR_OP_PASS)
1995 printf("pfr_update_stats: assertion failed.\n");
1996 op_pass = PFR_OP_XPASS;
1998 kt->pfrkt_packets[dir_out][op_pass]++;
1999 kt->pfrkt_bytes[dir_out][op_pass] += len;
2000 if (ke != NULL && op_pass != PFR_OP_XPASS &&
2001 (kt->pfrkt_flags & PFR_TFLAG_COUNTERS)) {
2002 if (ke->pfrke_counters == NULL)
2003 ke->pfrke_counters = uma_zalloc(V_pfr_kcounters_z,
2005 if (ke->pfrke_counters != NULL) {
2006 ke->pfrke_counters->pfrkc_packets[dir_out][op_pass]++;
2007 ke->pfrke_counters->pfrkc_bytes[dir_out][op_pass] += len;
2013 pfr_attach_table(struct pf_ruleset *rs, char *name)
2015 struct pfr_ktable *kt, *rt;
2016 struct pfr_table tbl;
2017 struct pf_anchor *ac = rs->anchor;
2021 bzero(&tbl, sizeof(tbl));
2022 strlcpy(tbl.pfrt_name, name, sizeof(tbl.pfrt_name));
2024 strlcpy(tbl.pfrt_anchor, ac->path, sizeof(tbl.pfrt_anchor));
2025 kt = pfr_lookup_table(&tbl);
2027 kt = pfr_create_ktable(&tbl, time_second, 1);
2031 bzero(tbl.pfrt_anchor, sizeof(tbl.pfrt_anchor));
2032 rt = pfr_lookup_table(&tbl);
2034 rt = pfr_create_ktable(&tbl, 0, 1);
2036 pfr_destroy_ktable(kt, 0);
2039 pfr_insert_ktable(rt);
2041 kt->pfrkt_root = rt;
2043 pfr_insert_ktable(kt);
2045 if (!kt->pfrkt_refcnt[PFR_REFCNT_RULE]++)
2046 pfr_setflags_ktable(kt, kt->pfrkt_flags|PFR_TFLAG_REFERENCED);
2051 pfr_detach_table(struct pfr_ktable *kt)
2055 KASSERT(kt->pfrkt_refcnt[PFR_REFCNT_RULE] > 0, ("%s: refcount %d\n",
2056 __func__, kt->pfrkt_refcnt[PFR_REFCNT_RULE]));
2058 if (!--kt->pfrkt_refcnt[PFR_REFCNT_RULE])
2059 pfr_setflags_ktable(kt, kt->pfrkt_flags&~PFR_TFLAG_REFERENCED);
2063 pfr_pool_get(struct pfr_ktable *kt, int *pidx, struct pf_addr *counter,
2066 struct pf_addr *addr, *cur, *mask;
2067 union sockaddr_union uaddr, umask;
2068 struct pfr_kentry *ke, *ke2 = NULL;
2069 int idx = -1, use_counter = 0;
2073 uaddr.sin.sin_len = sizeof(struct sockaddr_in);
2074 uaddr.sin.sin_family = AF_INET;
2077 uaddr.sin6.sin6_len = sizeof(struct sockaddr_in6);
2078 uaddr.sin6.sin6_family = AF_INET6;
2081 addr = SUNION2PF(&uaddr, af);
2083 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
2084 kt = kt->pfrkt_root;
2085 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
2090 if (counter != NULL && idx >= 0)
2096 ke = pfr_kentry_byidx(kt, idx, af);
2098 kt->pfrkt_nomatch++;
2101 pfr_prepare_network(&umask, af, ke->pfrke_net);
2102 cur = SUNION2PF(&ke->pfrke_sa, af);
2103 mask = SUNION2PF(&umask, af);
2106 /* is supplied address within block? */
2107 if (!PF_MATCHA(0, cur, mask, counter, af)) {
2108 /* no, go to next block in table */
2113 PF_ACPY(addr, counter, af);
2115 /* use first address of block */
2116 PF_ACPY(addr, cur, af);
2119 if (!KENTRY_NETWORK(ke)) {
2120 /* this is a single IP address - no possible nested block */
2121 PF_ACPY(counter, addr, af);
2127 /* we don't want to use a nested block */
2130 ke2 = (struct pfr_kentry *)rn_match(&uaddr,
2131 &kt->pfrkt_ip4->rh);
2134 ke2 = (struct pfr_kentry *)rn_match(&uaddr,
2135 &kt->pfrkt_ip6->rh);
2138 /* no need to check KENTRY_RNF_ROOT() here */
2140 /* lookup return the same block - perfect */
2141 PF_ACPY(counter, addr, af);
2147 /* we need to increase the counter past the nested block */
2148 pfr_prepare_network(&umask, AF_INET, ke2->pfrke_net);
2149 PF_POOLMASK(addr, addr, SUNION2PF(&umask, af), &pfr_ffaddr, af);
2151 if (!PF_MATCHA(0, cur, mask, addr, af)) {
2152 /* ok, we reached the end of our main block */
2153 /* go to next block in table */
2161 static struct pfr_kentry *
2162 pfr_kentry_byidx(struct pfr_ktable *kt, int idx, int af)
2164 struct pfr_walktree w;
2166 bzero(&w, sizeof(w));
2167 w.pfrw_op = PFRW_POOL_GET;
2173 kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh, pfr_walktree, &w);
2174 return (w.pfrw_kentry);
2178 kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh, pfr_walktree, &w);
2179 return (w.pfrw_kentry);
2187 pfr_dynaddr_update(struct pfr_ktable *kt, struct pfi_dynaddr *dyn)
2189 struct pfr_walktree w;
2191 bzero(&w, sizeof(w));
2192 w.pfrw_op = PFRW_DYNADDR_UPDATE;
2195 dyn->pfid_acnt4 = 0;
2196 dyn->pfid_acnt6 = 0;
2197 if (!dyn->pfid_af || dyn->pfid_af == AF_INET)
2198 kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh, pfr_walktree, &w);
2199 if (!dyn->pfid_af || dyn->pfid_af == AF_INET6)
2200 kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh, pfr_walktree, &w);
projects / FreeBSD / FreeBSD.git / blob