2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2002 Cedric Berger
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * - Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * - Redistributions in binary form must reproduce the above
14 * copyright notice, this list of conditions and the following
15 * disclaimer in the documentation and/or other materials provided
16 * with the distribution.
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
31 * $OpenBSD: pf_table.c,v 1.79 2008/10/08 06:24:50 mcbride Exp $
34 #include <sys/cdefs.h>
35 __FBSDID("$FreeBSD$");
38 #include "opt_inet6.h"
40 #include <sys/param.h>
41 #include <sys/kernel.h>
43 #include <sys/malloc.h>
45 #include <sys/mutex.h>
46 #include <sys/refcount.h>
47 #include <sys/socket.h>
52 #include <net/pfvar.h>
54 #define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x
56 #define ACCEPT_FLAGS(flags, oklist) \
58 if ((flags & ~(oklist)) & \
63 #define FILLIN_SIN(sin, addr) \
65 (sin).sin_len = sizeof(sin); \
66 (sin).sin_family = AF_INET; \
67 (sin).sin_addr = (addr); \
70 #define FILLIN_SIN6(sin6, addr) \
72 (sin6).sin6_len = sizeof(sin6); \
73 (sin6).sin6_family = AF_INET6; \
74 (sin6).sin6_addr = (addr); \
77 #define SWAP(type, a1, a2) \
84 #define SUNION2PF(su, af) (((af)==AF_INET) ? \
85 (struct pf_addr *)&(su)->sin.sin_addr : \
86 (struct pf_addr *)&(su)->sin6.sin6_addr)
88 #define AF_BITS(af) (((af)==AF_INET)?32:128)
89 #define ADDR_NETWORK(ad) ((ad)->pfra_net < AF_BITS((ad)->pfra_af))
90 #define KENTRY_NETWORK(ke) ((ke)->pfrke_net < AF_BITS((ke)->pfrke_af))
91 #define KENTRY_RNF_ROOT(ke) \
92 ((((struct radix_node *)(ke))->rn_flags & RNF_ROOT) != 0)
94 #define NO_ADDRESSES (-1)
95 #define ENQUEUE_UNMARKED_ONLY (1)
96 #define INVERT_NEG_FLAG (1)
109 struct pfr_addr *pfrw1_addr;
110 struct pfr_astats *pfrw1_astats;
111 struct pfr_kentryworkq *pfrw1_workq;
112 struct pfr_kentry *pfrw1_kentry;
113 struct pfi_dynaddr *pfrw1_dyn;
118 #define pfrw_addr pfrw_1.pfrw1_addr
119 #define pfrw_astats pfrw_1.pfrw1_astats
120 #define pfrw_workq pfrw_1.pfrw1_workq
121 #define pfrw_kentry pfrw_1.pfrw1_kentry
122 #define pfrw_dyn pfrw_1.pfrw1_dyn
123 #define pfrw_cnt pfrw_free
125 #define senderr(e) do { rv = (e); goto _bad; } while (0)
127 static MALLOC_DEFINE(M_PFTABLE, "pf_table", "pf(4) tables structures");
128 VNET_DEFINE_STATIC(uma_zone_t, pfr_kentry_z);
129 #define V_pfr_kentry_z VNET(pfr_kentry_z)
130 VNET_DEFINE_STATIC(uma_zone_t, pfr_kentry_counter_z);
131 #define V_pfr_kentry_counter_z VNET(pfr_kentry_counter_z)
133 static struct pf_addr pfr_ffaddr = {
134 .addr32 = { 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff }
137 static void pfr_copyout_astats(struct pfr_astats *,
138 const struct pfr_kentry *,
139 const struct pfr_walktree *);
140 static void pfr_copyout_addr(struct pfr_addr *,
141 const struct pfr_kentry *ke);
142 static int pfr_validate_addr(struct pfr_addr *);
143 static void pfr_enqueue_addrs(struct pfr_ktable *,
144 struct pfr_kentryworkq *, int *, int);
145 static void pfr_mark_addrs(struct pfr_ktable *);
146 static struct pfr_kentry
147 *pfr_lookup_addr(struct pfr_ktable *,
148 struct pfr_addr *, int);
149 static struct pfr_kentry *pfr_create_kentry(struct pfr_addr *, bool);
150 static void pfr_destroy_kentries(struct pfr_kentryworkq *);
151 static void pfr_destroy_kentry(struct pfr_kentry *);
152 static void pfr_insert_kentries(struct pfr_ktable *,
153 struct pfr_kentryworkq *, long);
154 static void pfr_remove_kentries(struct pfr_ktable *,
155 struct pfr_kentryworkq *);
156 static void pfr_clstats_kentries(struct pfr_ktable *,
157 struct pfr_kentryworkq *, long, int);
158 static void pfr_reset_feedback(struct pfr_addr *, int);
159 static void pfr_prepare_network(union sockaddr_union *, int, int);
160 static int pfr_route_kentry(struct pfr_ktable *,
161 struct pfr_kentry *);
162 static int pfr_unroute_kentry(struct pfr_ktable *,
163 struct pfr_kentry *);
164 static int pfr_walktree(struct radix_node *, void *);
165 static int pfr_validate_table(struct pfr_table *, int, int);
166 static int pfr_fix_anchor(char *);
167 static void pfr_commit_ktable(struct pfr_ktable *, long);
168 static void pfr_insert_ktables(struct pfr_ktableworkq *);
169 static void pfr_insert_ktable(struct pfr_ktable *);
170 static void pfr_setflags_ktables(struct pfr_ktableworkq *);
171 static void pfr_setflags_ktable(struct pfr_ktable *, int);
172 static void pfr_clstats_ktables(struct pfr_ktableworkq *, long,
174 static void pfr_clstats_ktable(struct pfr_ktable *, long, int);
175 static struct pfr_ktable
176 *pfr_create_ktable(struct pfr_table *, long, int);
177 static void pfr_destroy_ktables(struct pfr_ktableworkq *, int);
178 static void pfr_destroy_ktable(struct pfr_ktable *, int);
179 static int pfr_ktable_compare(struct pfr_ktable *,
180 struct pfr_ktable *);
181 static struct pfr_ktable
182 *pfr_lookup_table(struct pfr_table *);
183 static void pfr_clean_node_mask(struct pfr_ktable *,
184 struct pfr_kentryworkq *);
185 static int pfr_skip_table(struct pfr_table *,
186 struct pfr_ktable *, int);
187 static struct pfr_kentry
188 *pfr_kentry_byidx(struct pfr_ktable *, int, int);
190 static RB_PROTOTYPE(pfr_ktablehead, pfr_ktable, pfrkt_tree, pfr_ktable_compare);
191 static RB_GENERATE(pfr_ktablehead, pfr_ktable, pfrkt_tree, pfr_ktable_compare);
193 VNET_DEFINE_STATIC(struct pfr_ktablehead, pfr_ktables);
194 #define V_pfr_ktables VNET(pfr_ktables)
196 VNET_DEFINE_STATIC(struct pfr_table, pfr_nulltable);
197 #define V_pfr_nulltable VNET(pfr_nulltable)
199 VNET_DEFINE_STATIC(int, pfr_ktable_cnt);
200 #define V_pfr_ktable_cnt VNET(pfr_ktable_cnt)
206 V_pfr_kentry_counter_z = uma_zcreate("pf table entry counters",
207 PFR_NUM_COUNTERS * sizeof(uint64_t), NULL, NULL, NULL, NULL,
208 UMA_ALIGN_PTR, UMA_ZONE_PCPU);
209 V_pfr_kentry_z = uma_zcreate("pf table entries",
210 sizeof(struct pfr_kentry), NULL, NULL, NULL, NULL, UMA_ALIGN_PTR,
212 V_pf_limits[PF_LIMIT_TABLE_ENTRIES].zone = V_pfr_kentry_z;
213 V_pf_limits[PF_LIMIT_TABLE_ENTRIES].limit = PFR_KENTRY_HIWAT;
220 uma_zdestroy(V_pfr_kentry_z);
221 uma_zdestroy(V_pfr_kentry_counter_z);
225 pfr_clr_addrs(struct pfr_table *tbl, int *ndel, int flags)
227 struct pfr_ktable *kt;
228 struct pfr_kentryworkq workq;
232 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
233 if (pfr_validate_table(tbl, 0, flags & PFR_FLAG_USERIOCTL))
235 kt = pfr_lookup_table(tbl);
236 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
238 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
240 pfr_enqueue_addrs(kt, &workq, ndel, 0);
242 if (!(flags & PFR_FLAG_DUMMY)) {
243 pfr_remove_kentries(kt, &workq);
244 KASSERT(kt->pfrkt_cnt == 0, ("%s: non-null pfrkt_cnt", __func__));
250 pfr_add_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
251 int *nadd, int flags)
253 struct pfr_ktable *kt, *tmpkt;
254 struct pfr_kentryworkq workq;
255 struct pfr_kentry *p, *q;
258 long tzero = time_second;
262 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_FEEDBACK);
263 if (pfr_validate_table(tbl, 0, flags & PFR_FLAG_USERIOCTL))
265 kt = pfr_lookup_table(tbl);
266 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
268 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
270 tmpkt = pfr_create_ktable(&V_pfr_nulltable, 0, 0);
274 for (i = 0, ad = addr; i < size; i++, ad++) {
275 if (pfr_validate_addr(ad))
277 p = pfr_lookup_addr(kt, ad, 1);
278 q = pfr_lookup_addr(tmpkt, ad, 1);
279 if (flags & PFR_FLAG_FEEDBACK) {
281 ad->pfra_fback = PFR_FB_DUPLICATE;
283 ad->pfra_fback = PFR_FB_ADDED;
284 else if (p->pfrke_not != ad->pfra_not)
285 ad->pfra_fback = PFR_FB_CONFLICT;
287 ad->pfra_fback = PFR_FB_NONE;
289 if (p == NULL && q == NULL) {
290 p = pfr_create_kentry(ad,
291 (kt->pfrkt_flags & PFR_TFLAG_COUNTERS) != 0);
294 if (pfr_route_kentry(tmpkt, p)) {
295 pfr_destroy_kentry(p);
296 ad->pfra_fback = PFR_FB_NONE;
298 SLIST_INSERT_HEAD(&workq, p, pfrke_workq);
303 pfr_clean_node_mask(tmpkt, &workq);
304 if (!(flags & PFR_FLAG_DUMMY))
305 pfr_insert_kentries(kt, &workq, tzero);
307 pfr_destroy_kentries(&workq);
310 pfr_destroy_ktable(tmpkt, 0);
313 pfr_clean_node_mask(tmpkt, &workq);
314 pfr_destroy_kentries(&workq);
315 if (flags & PFR_FLAG_FEEDBACK)
316 pfr_reset_feedback(addr, size);
317 pfr_destroy_ktable(tmpkt, 0);
322 pfr_del_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
323 int *ndel, int flags)
325 struct pfr_ktable *kt;
326 struct pfr_kentryworkq workq;
327 struct pfr_kentry *p;
329 int i, rv, xdel = 0, log = 1;
333 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_FEEDBACK);
334 if (pfr_validate_table(tbl, 0, flags & PFR_FLAG_USERIOCTL))
336 kt = pfr_lookup_table(tbl);
337 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
339 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
342 * there are two algorithms to choose from here.
344 * n: number of addresses to delete
345 * N: number of addresses in the table
347 * one is O(N) and is better for large 'n'
348 * one is O(n*LOG(N)) and is better for small 'n'
350 * following code try to decide which one is best.
352 for (i = kt->pfrkt_cnt; i > 0; i >>= 1)
354 if (size > kt->pfrkt_cnt/log) {
355 /* full table scan */
358 /* iterate over addresses to delete */
359 for (i = 0, ad = addr; i < size; i++, ad++) {
360 if (pfr_validate_addr(ad))
362 p = pfr_lookup_addr(kt, ad, 1);
368 for (i = 0, ad = addr; i < size; i++, ad++) {
369 if (pfr_validate_addr(ad))
371 p = pfr_lookup_addr(kt, ad, 1);
372 if (flags & PFR_FLAG_FEEDBACK) {
374 ad->pfra_fback = PFR_FB_NONE;
375 else if (p->pfrke_not != ad->pfra_not)
376 ad->pfra_fback = PFR_FB_CONFLICT;
377 else if (p->pfrke_mark)
378 ad->pfra_fback = PFR_FB_DUPLICATE;
380 ad->pfra_fback = PFR_FB_DELETED;
382 if (p != NULL && p->pfrke_not == ad->pfra_not &&
385 SLIST_INSERT_HEAD(&workq, p, pfrke_workq);
389 if (!(flags & PFR_FLAG_DUMMY))
390 pfr_remove_kentries(kt, &workq);
395 if (flags & PFR_FLAG_FEEDBACK)
396 pfr_reset_feedback(addr, size);
401 pfr_set_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
402 int *size2, int *nadd, int *ndel, int *nchange, int flags,
403 u_int32_t ignore_pfrt_flags)
405 struct pfr_ktable *kt, *tmpkt;
406 struct pfr_kentryworkq addq, delq, changeq;
407 struct pfr_kentry *p, *q;
409 int i, rv, xadd = 0, xdel = 0, xchange = 0;
410 long tzero = time_second;
414 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_FEEDBACK);
415 if (pfr_validate_table(tbl, ignore_pfrt_flags, flags &
418 kt = pfr_lookup_table(tbl);
419 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
421 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
423 tmpkt = pfr_create_ktable(&V_pfr_nulltable, 0, 0);
429 SLIST_INIT(&changeq);
430 for (i = 0; i < size; i++) {
432 * XXXGL: undertand pf_if usage of this function
433 * and make ad a moving pointer
435 bcopy(addr + i, &ad, sizeof(ad));
436 if (pfr_validate_addr(&ad))
438 ad.pfra_fback = PFR_FB_NONE;
439 p = pfr_lookup_addr(kt, &ad, 1);
442 ad.pfra_fback = PFR_FB_DUPLICATE;
446 if (p->pfrke_not != ad.pfra_not) {
447 SLIST_INSERT_HEAD(&changeq, p, pfrke_workq);
448 ad.pfra_fback = PFR_FB_CHANGED;
452 q = pfr_lookup_addr(tmpkt, &ad, 1);
454 ad.pfra_fback = PFR_FB_DUPLICATE;
457 p = pfr_create_kentry(&ad,
458 (kt->pfrkt_flags & PFR_TFLAG_COUNTERS) != 0);
461 if (pfr_route_kentry(tmpkt, p)) {
462 pfr_destroy_kentry(p);
463 ad.pfra_fback = PFR_FB_NONE;
465 SLIST_INSERT_HEAD(&addq, p, pfrke_workq);
466 ad.pfra_fback = PFR_FB_ADDED;
471 if (flags & PFR_FLAG_FEEDBACK)
472 bcopy(&ad, addr + i, sizeof(ad));
474 pfr_enqueue_addrs(kt, &delq, &xdel, ENQUEUE_UNMARKED_ONLY);
475 if ((flags & PFR_FLAG_FEEDBACK) && *size2) {
476 if (*size2 < size+xdel) {
481 SLIST_FOREACH(p, &delq, pfrke_workq) {
482 pfr_copyout_addr(&ad, p);
483 ad.pfra_fback = PFR_FB_DELETED;
484 bcopy(&ad, addr + size + i, sizeof(ad));
488 pfr_clean_node_mask(tmpkt, &addq);
489 if (!(flags & PFR_FLAG_DUMMY)) {
490 pfr_insert_kentries(kt, &addq, tzero);
491 pfr_remove_kentries(kt, &delq);
492 pfr_clstats_kentries(kt, &changeq, tzero, INVERT_NEG_FLAG);
494 pfr_destroy_kentries(&addq);
501 if ((flags & PFR_FLAG_FEEDBACK) && size2)
503 pfr_destroy_ktable(tmpkt, 0);
506 pfr_clean_node_mask(tmpkt, &addq);
507 pfr_destroy_kentries(&addq);
508 if (flags & PFR_FLAG_FEEDBACK)
509 pfr_reset_feedback(addr, size);
510 pfr_destroy_ktable(tmpkt, 0);
515 pfr_tst_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
516 int *nmatch, int flags)
518 struct pfr_ktable *kt;
519 struct pfr_kentry *p;
525 ACCEPT_FLAGS(flags, PFR_FLAG_REPLACE);
526 if (pfr_validate_table(tbl, 0, 0))
528 kt = pfr_lookup_table(tbl);
529 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
532 for (i = 0, ad = addr; i < size; i++, ad++) {
533 if (pfr_validate_addr(ad))
535 if (ADDR_NETWORK(ad))
537 p = pfr_lookup_addr(kt, ad, 0);
538 if (flags & PFR_FLAG_REPLACE)
539 pfr_copyout_addr(ad, p);
540 ad->pfra_fback = (p == NULL) ? PFR_FB_NONE :
541 (p->pfrke_not ? PFR_FB_NOTMATCH : PFR_FB_MATCH);
542 if (p != NULL && !p->pfrke_not)
551 pfr_get_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int *size,
554 struct pfr_ktable *kt;
555 struct pfr_walktree w;
560 ACCEPT_FLAGS(flags, 0);
561 if (pfr_validate_table(tbl, 0, 0))
563 kt = pfr_lookup_table(tbl);
564 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
566 if (kt->pfrkt_cnt > *size) {
567 *size = kt->pfrkt_cnt;
571 bzero(&w, sizeof(w));
572 w.pfrw_op = PFRW_GET_ADDRS;
574 w.pfrw_free = kt->pfrkt_cnt;
575 rv = kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh, pfr_walktree, &w);
577 rv = kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh,
582 KASSERT(w.pfrw_free == 0, ("%s: corruption detected (%d)", __func__,
585 *size = kt->pfrkt_cnt;
590 pfr_get_astats(struct pfr_table *tbl, struct pfr_astats *addr, int *size,
593 struct pfr_ktable *kt;
594 struct pfr_walktree w;
595 struct pfr_kentryworkq workq;
597 long tzero = time_second;
601 /* XXX PFR_FLAG_CLSTATS disabled */
602 ACCEPT_FLAGS(flags, 0);
603 if (pfr_validate_table(tbl, 0, 0))
605 kt = pfr_lookup_table(tbl);
606 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
608 if (kt->pfrkt_cnt > *size) {
609 *size = kt->pfrkt_cnt;
613 bzero(&w, sizeof(w));
614 w.pfrw_op = PFRW_GET_ASTATS;
615 w.pfrw_astats = addr;
616 w.pfrw_free = kt->pfrkt_cnt;
618 * Flags below are for backward compatibility. It was possible to have
619 * a table without per-entry counters. Now they are always allocated,
620 * we just discard data when reading it if table is not configured to
623 w.pfrw_flags = kt->pfrkt_flags;
624 rv = kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh, pfr_walktree, &w);
626 rv = kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh,
628 if (!rv && (flags & PFR_FLAG_CLSTATS)) {
629 pfr_enqueue_addrs(kt, &workq, NULL, 0);
630 pfr_clstats_kentries(kt, &workq, tzero, 0);
636 printf("pfr_get_astats: corruption detected (%d).\n",
640 *size = kt->pfrkt_cnt;
645 pfr_clr_astats(struct pfr_table *tbl, struct pfr_addr *addr, int size,
646 int *nzero, int flags)
648 struct pfr_ktable *kt;
649 struct pfr_kentryworkq workq;
650 struct pfr_kentry *p;
652 int i, rv, xzero = 0;
656 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_FEEDBACK);
657 if (pfr_validate_table(tbl, 0, 0))
659 kt = pfr_lookup_table(tbl);
660 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
663 for (i = 0, ad = addr; i < size; i++, ad++) {
664 if (pfr_validate_addr(ad))
666 p = pfr_lookup_addr(kt, ad, 1);
667 if (flags & PFR_FLAG_FEEDBACK) {
668 ad->pfra_fback = (p != NULL) ?
669 PFR_FB_CLEARED : PFR_FB_NONE;
672 SLIST_INSERT_HEAD(&workq, p, pfrke_workq);
677 if (!(flags & PFR_FLAG_DUMMY))
678 pfr_clstats_kentries(kt, &workq, 0, 0);
683 if (flags & PFR_FLAG_FEEDBACK)
684 pfr_reset_feedback(addr, size);
689 pfr_validate_addr(struct pfr_addr *ad)
693 switch (ad->pfra_af) {
696 if (ad->pfra_net > 32)
702 if (ad->pfra_net > 128)
709 if (ad->pfra_net < 128 &&
710 (((caddr_t)ad)[ad->pfra_net/8] & (0xFF >> (ad->pfra_net%8))))
712 for (i = (ad->pfra_net+7)/8; i < sizeof(ad->pfra_u); i++)
713 if (((caddr_t)ad)[i])
715 if (ad->pfra_not && ad->pfra_not != 1)
723 pfr_enqueue_addrs(struct pfr_ktable *kt, struct pfr_kentryworkq *workq,
724 int *naddr, int sweep)
726 struct pfr_walktree w;
729 bzero(&w, sizeof(w));
730 w.pfrw_op = sweep ? PFRW_SWEEP : PFRW_ENQUEUE;
731 w.pfrw_workq = workq;
732 if (kt->pfrkt_ip4 != NULL)
733 if (kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh,
735 printf("pfr_enqueue_addrs: IPv4 walktree failed.\n");
736 if (kt->pfrkt_ip6 != NULL)
737 if (kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh,
739 printf("pfr_enqueue_addrs: IPv6 walktree failed.\n");
745 pfr_mark_addrs(struct pfr_ktable *kt)
747 struct pfr_walktree w;
749 bzero(&w, sizeof(w));
750 w.pfrw_op = PFRW_MARK;
751 if (kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh, pfr_walktree, &w))
752 printf("pfr_mark_addrs: IPv4 walktree failed.\n");
753 if (kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh, pfr_walktree, &w))
754 printf("pfr_mark_addrs: IPv6 walktree failed.\n");
758 static struct pfr_kentry *
759 pfr_lookup_addr(struct pfr_ktable *kt, struct pfr_addr *ad, int exact)
761 union sockaddr_union sa, mask;
762 struct radix_head *head = NULL;
763 struct pfr_kentry *ke;
767 bzero(&sa, sizeof(sa));
768 if (ad->pfra_af == AF_INET) {
769 FILLIN_SIN(sa.sin, ad->pfra_ip4addr);
770 head = &kt->pfrkt_ip4->rh;
771 } else if ( ad->pfra_af == AF_INET6 ) {
772 FILLIN_SIN6(sa.sin6, ad->pfra_ip6addr);
773 head = &kt->pfrkt_ip6->rh;
775 if (ADDR_NETWORK(ad)) {
776 pfr_prepare_network(&mask, ad->pfra_af, ad->pfra_net);
777 ke = (struct pfr_kentry *)rn_lookup(&sa, &mask, head);
778 if (ke && KENTRY_RNF_ROOT(ke))
781 ke = (struct pfr_kentry *)rn_match(&sa, head);
782 if (ke && KENTRY_RNF_ROOT(ke))
784 if (exact && ke && KENTRY_NETWORK(ke))
790 static struct pfr_kentry *
791 pfr_create_kentry(struct pfr_addr *ad, bool counters)
793 struct pfr_kentry *ke;
796 ke = uma_zalloc(V_pfr_kentry_z, M_NOWAIT | M_ZERO);
800 if (ad->pfra_af == AF_INET)
801 FILLIN_SIN(ke->pfrke_sa.sin, ad->pfra_ip4addr);
802 else if (ad->pfra_af == AF_INET6)
803 FILLIN_SIN6(ke->pfrke_sa.sin6, ad->pfra_ip6addr);
804 ke->pfrke_af = ad->pfra_af;
805 ke->pfrke_net = ad->pfra_net;
806 ke->pfrke_not = ad->pfra_not;
807 ke->pfrke_counters.pfrkc_tzero = 0;
809 c = uma_zalloc_pcpu(V_pfr_kentry_counter_z, M_NOWAIT | M_ZERO);
811 pfr_destroy_kentry(ke);
814 ke->pfrke_counters.pfrkc_counters = c;
820 pfr_destroy_kentries(struct pfr_kentryworkq *workq)
822 struct pfr_kentry *p, *q;
824 for (p = SLIST_FIRST(workq); p != NULL; p = q) {
825 q = SLIST_NEXT(p, pfrke_workq);
826 pfr_destroy_kentry(p);
831 pfr_destroy_kentry(struct pfr_kentry *ke)
835 if ((c = ke->pfrke_counters.pfrkc_counters) != NULL)
836 uma_zfree_pcpu(V_pfr_kentry_counter_z, c);
837 uma_zfree(V_pfr_kentry_z, ke);
841 pfr_insert_kentries(struct pfr_ktable *kt,
842 struct pfr_kentryworkq *workq, long tzero)
844 struct pfr_kentry *p;
847 SLIST_FOREACH(p, workq, pfrke_workq) {
848 rv = pfr_route_kentry(kt, p);
850 printf("pfr_insert_kentries: cannot route entry "
854 p->pfrke_counters.pfrkc_tzero = tzero;
861 pfr_insert_kentry(struct pfr_ktable *kt, struct pfr_addr *ad, long tzero)
863 struct pfr_kentry *p;
866 p = pfr_lookup_addr(kt, ad, 1);
869 p = pfr_create_kentry(ad, (kt->pfrkt_flags & PFR_TFLAG_COUNTERS) != 0);
873 rv = pfr_route_kentry(kt, p);
877 p->pfrke_counters.pfrkc_tzero = tzero;
884 pfr_remove_kentries(struct pfr_ktable *kt,
885 struct pfr_kentryworkq *workq)
887 struct pfr_kentry *p;
890 SLIST_FOREACH(p, workq, pfrke_workq) {
891 pfr_unroute_kentry(kt, p);
895 pfr_destroy_kentries(workq);
899 pfr_clean_node_mask(struct pfr_ktable *kt,
900 struct pfr_kentryworkq *workq)
902 struct pfr_kentry *p;
904 SLIST_FOREACH(p, workq, pfrke_workq)
905 pfr_unroute_kentry(kt, p);
909 pfr_clstats_kentries(struct pfr_ktable *kt, struct pfr_kentryworkq *workq,
910 long tzero, int negchange)
912 struct pfr_kentry *p;
915 SLIST_FOREACH(p, workq, pfrke_workq) {
917 p->pfrke_not = !p->pfrke_not;
918 if ((kt->pfrkt_flags & PFR_TFLAG_COUNTERS) != 0)
919 for (i = 0; i < PFR_NUM_COUNTERS; i++)
921 p->pfrke_counters.pfrkc_counters + i);
922 p->pfrke_counters.pfrkc_tzero = tzero;
927 pfr_reset_feedback(struct pfr_addr *addr, int size)
932 for (i = 0, ad = addr; i < size; i++, ad++)
933 ad->pfra_fback = PFR_FB_NONE;
937 pfr_prepare_network(union sockaddr_union *sa, int af, int net)
941 bzero(sa, sizeof(*sa));
943 sa->sin.sin_len = sizeof(sa->sin);
944 sa->sin.sin_family = AF_INET;
945 sa->sin.sin_addr.s_addr = net ? htonl(-1 << (32-net)) : 0;
946 } else if (af == AF_INET6) {
947 sa->sin6.sin6_len = sizeof(sa->sin6);
948 sa->sin6.sin6_family = AF_INET6;
949 for (i = 0; i < 4; i++) {
951 sa->sin6.sin6_addr.s6_addr32[i] =
952 net ? htonl(-1 << (32-net)) : 0;
955 sa->sin6.sin6_addr.s6_addr32[i] = 0xFFFFFFFF;
962 pfr_route_kentry(struct pfr_ktable *kt, struct pfr_kentry *ke)
964 union sockaddr_union mask;
965 struct radix_node *rn;
966 struct radix_head *head = NULL;
970 bzero(ke->pfrke_node, sizeof(ke->pfrke_node));
971 if (ke->pfrke_af == AF_INET)
972 head = &kt->pfrkt_ip4->rh;
973 else if (ke->pfrke_af == AF_INET6)
974 head = &kt->pfrkt_ip6->rh;
976 if (KENTRY_NETWORK(ke)) {
977 pfr_prepare_network(&mask, ke->pfrke_af, ke->pfrke_net);
978 rn = rn_addroute(&ke->pfrke_sa, &mask, head, ke->pfrke_node);
980 rn = rn_addroute(&ke->pfrke_sa, NULL, head, ke->pfrke_node);
982 return (rn == NULL ? -1 : 0);
986 pfr_unroute_kentry(struct pfr_ktable *kt, struct pfr_kentry *ke)
988 union sockaddr_union mask;
989 struct radix_node *rn;
990 struct radix_head *head = NULL;
992 if (ke->pfrke_af == AF_INET)
993 head = &kt->pfrkt_ip4->rh;
994 else if (ke->pfrke_af == AF_INET6)
995 head = &kt->pfrkt_ip6->rh;
997 if (KENTRY_NETWORK(ke)) {
998 pfr_prepare_network(&mask, ke->pfrke_af, ke->pfrke_net);
999 rn = rn_delete(&ke->pfrke_sa, &mask, head);
1001 rn = rn_delete(&ke->pfrke_sa, NULL, head);
1004 printf("pfr_unroute_kentry: delete failed.\n");
1011 pfr_copyout_addr(struct pfr_addr *ad, const struct pfr_kentry *ke)
1013 bzero(ad, sizeof(*ad));
1016 ad->pfra_af = ke->pfrke_af;
1017 ad->pfra_net = ke->pfrke_net;
1018 ad->pfra_not = ke->pfrke_not;
1019 if (ad->pfra_af == AF_INET)
1020 ad->pfra_ip4addr = ke->pfrke_sa.sin.sin_addr;
1021 else if (ad->pfra_af == AF_INET6)
1022 ad->pfra_ip6addr = ke->pfrke_sa.sin6.sin6_addr;
1026 pfr_copyout_astats(struct pfr_astats *as, const struct pfr_kentry *ke,
1027 const struct pfr_walktree *w)
1030 const struct pfr_kcounters *kc = &ke->pfrke_counters;
1032 pfr_copyout_addr(&as->pfras_a, ke);
1033 as->pfras_tzero = kc->pfrkc_tzero;
1035 if (! (w->pfrw_flags & PFR_TFLAG_COUNTERS)) {
1036 bzero(as->pfras_packets, sizeof(as->pfras_packets));
1037 bzero(as->pfras_bytes, sizeof(as->pfras_bytes));
1038 as->pfras_a.pfra_fback = PFR_FB_NOCOUNT;
1042 for (dir = 0; dir < PFR_DIR_MAX; dir++) {
1043 for (op = 0; op < PFR_OP_ADDR_MAX; op ++) {
1044 as->pfras_packets[dir][op] = counter_u64_fetch(
1045 pfr_kentry_counter(kc, dir, op, PFR_TYPE_PACKETS));
1046 as->pfras_bytes[dir][op] = counter_u64_fetch(
1047 pfr_kentry_counter(kc, dir, op, PFR_TYPE_BYTES));
1053 pfr_walktree(struct radix_node *rn, void *arg)
1055 struct pfr_kentry *ke = (struct pfr_kentry *)rn;
1056 struct pfr_walktree *w = arg;
1058 switch (w->pfrw_op) {
1067 SLIST_INSERT_HEAD(w->pfrw_workq, ke, pfrke_workq);
1070 case PFRW_GET_ADDRS:
1071 if (w->pfrw_free-- > 0) {
1072 pfr_copyout_addr(w->pfrw_addr, ke);
1076 case PFRW_GET_ASTATS:
1077 if (w->pfrw_free-- > 0) {
1078 struct pfr_astats as;
1080 pfr_copyout_astats(&as, ke, w);
1082 bcopy(&as, w->pfrw_astats, sizeof(as));
1088 break; /* negative entries are ignored */
1089 if (!w->pfrw_cnt--) {
1090 w->pfrw_kentry = ke;
1091 return (1); /* finish search */
1094 case PFRW_DYNADDR_UPDATE:
1096 union sockaddr_union pfr_mask;
1098 if (ke->pfrke_af == AF_INET) {
1099 if (w->pfrw_dyn->pfid_acnt4++ > 0)
1101 pfr_prepare_network(&pfr_mask, AF_INET, ke->pfrke_net);
1102 w->pfrw_dyn->pfid_addr4 = *SUNION2PF(&ke->pfrke_sa,
1104 w->pfrw_dyn->pfid_mask4 = *SUNION2PF(&pfr_mask,
1106 } else if (ke->pfrke_af == AF_INET6){
1107 if (w->pfrw_dyn->pfid_acnt6++ > 0)
1109 pfr_prepare_network(&pfr_mask, AF_INET6, ke->pfrke_net);
1110 w->pfrw_dyn->pfid_addr6 = *SUNION2PF(&ke->pfrke_sa,
1112 w->pfrw_dyn->pfid_mask6 = *SUNION2PF(&pfr_mask,
1122 pfr_clr_tables(struct pfr_table *filter, int *ndel, int flags)
1124 struct pfr_ktableworkq workq;
1125 struct pfr_ktable *p;
1128 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_ALLRSETS);
1129 if (pfr_fix_anchor(filter->pfrt_anchor))
1131 if (pfr_table_count(filter, flags) < 0)
1135 RB_FOREACH(p, pfr_ktablehead, &V_pfr_ktables) {
1136 if (pfr_skip_table(filter, p, flags))
1138 if (!strcmp(p->pfrkt_anchor, PF_RESERVED_ANCHOR))
1140 if (!(p->pfrkt_flags & PFR_TFLAG_ACTIVE))
1142 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_ACTIVE;
1143 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1146 if (!(flags & PFR_FLAG_DUMMY))
1147 pfr_setflags_ktables(&workq);
1154 pfr_add_tables(struct pfr_table *tbl, int size, int *nadd, int flags)
1156 struct pfr_ktableworkq addq, changeq;
1157 struct pfr_ktable *p, *q, *r, key;
1158 int i, rv, xadd = 0;
1159 long tzero = time_second;
1161 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1163 SLIST_INIT(&changeq);
1164 for (i = 0; i < size; i++) {
1165 bcopy(tbl+i, &key.pfrkt_t, sizeof(key.pfrkt_t));
1166 if (pfr_validate_table(&key.pfrkt_t, PFR_TFLAG_USRMASK,
1167 flags & PFR_FLAG_USERIOCTL))
1169 key.pfrkt_flags |= PFR_TFLAG_ACTIVE;
1170 p = RB_FIND(pfr_ktablehead, &V_pfr_ktables, &key);
1172 p = pfr_create_ktable(&key.pfrkt_t, tzero, 1);
1175 SLIST_FOREACH(q, &addq, pfrkt_workq) {
1176 if (!pfr_ktable_compare(p, q)) {
1177 pfr_destroy_ktable(p, 0);
1181 SLIST_INSERT_HEAD(&addq, p, pfrkt_workq);
1183 if (!key.pfrkt_anchor[0])
1186 /* find or create root table */
1187 bzero(key.pfrkt_anchor, sizeof(key.pfrkt_anchor));
1188 r = RB_FIND(pfr_ktablehead, &V_pfr_ktables, &key);
1193 SLIST_FOREACH(q, &addq, pfrkt_workq) {
1194 if (!pfr_ktable_compare(&key, q)) {
1199 key.pfrkt_flags = 0;
1200 r = pfr_create_ktable(&key.pfrkt_t, 0, 1);
1203 SLIST_INSERT_HEAD(&addq, r, pfrkt_workq);
1205 } else if (!(p->pfrkt_flags & PFR_TFLAG_ACTIVE)) {
1206 SLIST_FOREACH(q, &changeq, pfrkt_workq)
1207 if (!pfr_ktable_compare(&key, q))
1209 p->pfrkt_nflags = (p->pfrkt_flags &
1210 ~PFR_TFLAG_USRMASK) | key.pfrkt_flags;
1211 SLIST_INSERT_HEAD(&changeq, p, pfrkt_workq);
1217 if (!(flags & PFR_FLAG_DUMMY)) {
1218 pfr_insert_ktables(&addq);
1219 pfr_setflags_ktables(&changeq);
1221 pfr_destroy_ktables(&addq, 0);
1226 pfr_destroy_ktables(&addq, 0);
1231 pfr_del_tables(struct pfr_table *tbl, int size, int *ndel, int flags)
1233 struct pfr_ktableworkq workq;
1234 struct pfr_ktable *p, *q, key;
1237 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1239 for (i = 0; i < size; i++) {
1240 bcopy(tbl+i, &key.pfrkt_t, sizeof(key.pfrkt_t));
1241 if (pfr_validate_table(&key.pfrkt_t, 0,
1242 flags & PFR_FLAG_USERIOCTL))
1244 p = RB_FIND(pfr_ktablehead, &V_pfr_ktables, &key);
1245 if (p != NULL && (p->pfrkt_flags & PFR_TFLAG_ACTIVE)) {
1246 SLIST_FOREACH(q, &workq, pfrkt_workq)
1247 if (!pfr_ktable_compare(p, q))
1249 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_ACTIVE;
1250 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1257 if (!(flags & PFR_FLAG_DUMMY))
1258 pfr_setflags_ktables(&workq);
1265 pfr_get_tables(struct pfr_table *filter, struct pfr_table *tbl, int *size,
1268 struct pfr_ktable *p;
1273 ACCEPT_FLAGS(flags, PFR_FLAG_ALLRSETS);
1274 if (pfr_fix_anchor(filter->pfrt_anchor))
1276 n = nn = pfr_table_count(filter, flags);
1283 RB_FOREACH(p, pfr_ktablehead, &V_pfr_ktables) {
1284 if (pfr_skip_table(filter, p, flags))
1288 bcopy(&p->pfrkt_t, tbl++, sizeof(*tbl));
1291 KASSERT(n == 0, ("%s: corruption detected (%d)", __func__, n));
1298 pfr_get_tstats(struct pfr_table *filter, struct pfr_tstats *tbl, int *size,
1301 struct pfr_ktable *p;
1302 struct pfr_ktableworkq workq;
1304 long tzero = time_second;
1305 int pfr_dir, pfr_op;
1307 /* XXX PFR_FLAG_CLSTATS disabled */
1308 ACCEPT_FLAGS(flags, PFR_FLAG_ALLRSETS);
1309 if (pfr_fix_anchor(filter->pfrt_anchor))
1311 n = nn = pfr_table_count(filter, flags);
1319 RB_FOREACH(p, pfr_ktablehead, &V_pfr_ktables) {
1320 if (pfr_skip_table(filter, p, flags))
1324 bcopy(&p->pfrkt_kts.pfrts_t, &tbl->pfrts_t,
1325 sizeof(struct pfr_table));
1326 for (pfr_dir = 0; pfr_dir < PFR_DIR_MAX; pfr_dir ++) {
1327 for (pfr_op = 0; pfr_op < PFR_OP_TABLE_MAX; pfr_op ++) {
1328 tbl->pfrts_packets[pfr_dir][pfr_op] =
1330 p->pfrkt_packets[pfr_dir][pfr_op]);
1331 tbl->pfrts_bytes[pfr_dir][pfr_op] =
1333 p->pfrkt_bytes[pfr_dir][pfr_op]);
1336 tbl->pfrts_match = counter_u64_fetch(p->pfrkt_match);
1337 tbl->pfrts_nomatch = counter_u64_fetch(p->pfrkt_nomatch);
1338 tbl->pfrts_tzero = p->pfrkt_tzero;
1339 tbl->pfrts_cnt = p->pfrkt_cnt;
1340 for (pfr_op = 0; pfr_op < PFR_REFCNT_MAX; pfr_op++)
1341 tbl->pfrts_refcnt[pfr_op] = p->pfrkt_refcnt[pfr_op];
1343 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1345 if (flags & PFR_FLAG_CLSTATS)
1346 pfr_clstats_ktables(&workq, tzero,
1347 flags & PFR_FLAG_ADDRSTOO);
1349 KASSERT(n == 0, ("%s: corruption detected (%d)", __func__, n));
1356 pfr_clr_tstats(struct pfr_table *tbl, int size, int *nzero, int flags)
1358 struct pfr_ktableworkq workq;
1359 struct pfr_ktable *p, key;
1361 long tzero = time_second;
1363 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_ADDRSTOO);
1365 for (i = 0; i < size; i++) {
1366 bcopy(tbl + i, &key.pfrkt_t, sizeof(key.pfrkt_t));
1367 if (pfr_validate_table(&key.pfrkt_t, 0, 0))
1369 p = RB_FIND(pfr_ktablehead, &V_pfr_ktables, &key);
1371 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1375 if (!(flags & PFR_FLAG_DUMMY))
1376 pfr_clstats_ktables(&workq, tzero, flags & PFR_FLAG_ADDRSTOO);
1383 pfr_set_tflags(struct pfr_table *tbl, int size, int setflag, int clrflag,
1384 int *nchange, int *ndel, int flags)
1386 struct pfr_ktableworkq workq;
1387 struct pfr_ktable *p, *q, key;
1388 int i, xchange = 0, xdel = 0;
1390 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1391 if ((setflag & ~PFR_TFLAG_USRMASK) ||
1392 (clrflag & ~PFR_TFLAG_USRMASK) ||
1393 (setflag & clrflag))
1396 for (i = 0; i < size; i++) {
1397 bcopy(tbl + i, &key.pfrkt_t, sizeof(key.pfrkt_t));
1398 if (pfr_validate_table(&key.pfrkt_t, 0,
1399 flags & PFR_FLAG_USERIOCTL))
1401 p = RB_FIND(pfr_ktablehead, &V_pfr_ktables, &key);
1402 if (p != NULL && (p->pfrkt_flags & PFR_TFLAG_ACTIVE)) {
1403 p->pfrkt_nflags = (p->pfrkt_flags | setflag) &
1405 if (p->pfrkt_nflags == p->pfrkt_flags)
1407 SLIST_FOREACH(q, &workq, pfrkt_workq)
1408 if (!pfr_ktable_compare(p, q))
1410 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1411 if ((p->pfrkt_flags & PFR_TFLAG_PERSIST) &&
1412 (clrflag & PFR_TFLAG_PERSIST) &&
1413 !(p->pfrkt_flags & PFR_TFLAG_REFERENCED))
1421 if (!(flags & PFR_FLAG_DUMMY))
1422 pfr_setflags_ktables(&workq);
1423 if (nchange != NULL)
1431 pfr_ina_begin(struct pfr_table *trs, u_int32_t *ticket, int *ndel, int flags)
1433 struct pfr_ktableworkq workq;
1434 struct pfr_ktable *p;
1435 struct pf_ruleset *rs;
1438 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1439 rs = pf_find_or_create_ruleset(trs->pfrt_anchor);
1443 RB_FOREACH(p, pfr_ktablehead, &V_pfr_ktables) {
1444 if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) ||
1445 pfr_skip_table(trs, p, 0))
1447 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_INACTIVE;
1448 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1451 if (!(flags & PFR_FLAG_DUMMY)) {
1452 pfr_setflags_ktables(&workq);
1454 *ticket = ++rs->tticket;
1457 pf_remove_if_empty_ruleset(rs);
1464 pfr_ina_define(struct pfr_table *tbl, struct pfr_addr *addr, int size,
1465 int *nadd, int *naddr, u_int32_t ticket, int flags)
1467 struct pfr_ktableworkq tableq;
1468 struct pfr_kentryworkq addrq;
1469 struct pfr_ktable *kt, *rt, *shadow, key;
1470 struct pfr_kentry *p;
1471 struct pfr_addr *ad;
1472 struct pf_ruleset *rs;
1473 int i, rv, xadd = 0, xaddr = 0;
1477 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_ADDRSTOO);
1478 if (size && !(flags & PFR_FLAG_ADDRSTOO))
1480 if (pfr_validate_table(tbl, PFR_TFLAG_USRMASK,
1481 flags & PFR_FLAG_USERIOCTL))
1483 rs = pf_find_ruleset(tbl->pfrt_anchor);
1484 if (rs == NULL || !rs->topen || ticket != rs->tticket)
1486 tbl->pfrt_flags |= PFR_TFLAG_INACTIVE;
1487 SLIST_INIT(&tableq);
1488 kt = RB_FIND(pfr_ktablehead, &V_pfr_ktables, (struct pfr_ktable *)tbl);
1490 kt = pfr_create_ktable(tbl, 0, 1);
1493 SLIST_INSERT_HEAD(&tableq, kt, pfrkt_workq);
1495 if (!tbl->pfrt_anchor[0])
1498 /* find or create root table */
1499 bzero(&key, sizeof(key));
1500 strlcpy(key.pfrkt_name, tbl->pfrt_name, sizeof(key.pfrkt_name));
1501 rt = RB_FIND(pfr_ktablehead, &V_pfr_ktables, &key);
1503 kt->pfrkt_root = rt;
1506 rt = pfr_create_ktable(&key.pfrkt_t, 0, 1);
1508 pfr_destroy_ktables(&tableq, 0);
1511 SLIST_INSERT_HEAD(&tableq, rt, pfrkt_workq);
1512 kt->pfrkt_root = rt;
1513 } else if (!(kt->pfrkt_flags & PFR_TFLAG_INACTIVE))
1516 shadow = pfr_create_ktable(tbl, 0, 0);
1517 if (shadow == NULL) {
1518 pfr_destroy_ktables(&tableq, 0);
1522 for (i = 0, ad = addr; i < size; i++, ad++) {
1523 if (pfr_validate_addr(ad))
1525 if (pfr_lookup_addr(shadow, ad, 1) != NULL)
1527 p = pfr_create_kentry(ad,
1528 (shadow->pfrkt_flags & PFR_TFLAG_COUNTERS) != 0);
1531 if (pfr_route_kentry(shadow, p)) {
1532 pfr_destroy_kentry(p);
1535 SLIST_INSERT_HEAD(&addrq, p, pfrke_workq);
1538 if (!(flags & PFR_FLAG_DUMMY)) {
1539 if (kt->pfrkt_shadow != NULL)
1540 pfr_destroy_ktable(kt->pfrkt_shadow, 1);
1541 kt->pfrkt_flags |= PFR_TFLAG_INACTIVE;
1542 pfr_insert_ktables(&tableq);
1543 shadow->pfrkt_cnt = (flags & PFR_FLAG_ADDRSTOO) ?
1544 xaddr : NO_ADDRESSES;
1545 kt->pfrkt_shadow = shadow;
1547 pfr_clean_node_mask(shadow, &addrq);
1548 pfr_destroy_ktable(shadow, 0);
1549 pfr_destroy_ktables(&tableq, 0);
1550 pfr_destroy_kentries(&addrq);
1558 pfr_destroy_ktable(shadow, 0);
1559 pfr_destroy_ktables(&tableq, 0);
1560 pfr_destroy_kentries(&addrq);
1565 pfr_ina_rollback(struct pfr_table *trs, u_int32_t ticket, int *ndel, int flags)
1567 struct pfr_ktableworkq workq;
1568 struct pfr_ktable *p;
1569 struct pf_ruleset *rs;
1574 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1575 rs = pf_find_ruleset(trs->pfrt_anchor);
1576 if (rs == NULL || !rs->topen || ticket != rs->tticket)
1579 RB_FOREACH(p, pfr_ktablehead, &V_pfr_ktables) {
1580 if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) ||
1581 pfr_skip_table(trs, p, 0))
1583 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_INACTIVE;
1584 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1587 if (!(flags & PFR_FLAG_DUMMY)) {
1588 pfr_setflags_ktables(&workq);
1590 pf_remove_if_empty_ruleset(rs);
1598 pfr_ina_commit(struct pfr_table *trs, u_int32_t ticket, int *nadd,
1599 int *nchange, int flags)
1601 struct pfr_ktable *p, *q;
1602 struct pfr_ktableworkq workq;
1603 struct pf_ruleset *rs;
1604 int xadd = 0, xchange = 0;
1605 long tzero = time_second;
1609 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1610 rs = pf_find_ruleset(trs->pfrt_anchor);
1611 if (rs == NULL || !rs->topen || ticket != rs->tticket)
1615 RB_FOREACH(p, pfr_ktablehead, &V_pfr_ktables) {
1616 if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) ||
1617 pfr_skip_table(trs, p, 0))
1619 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1620 if (p->pfrkt_flags & PFR_TFLAG_ACTIVE)
1626 if (!(flags & PFR_FLAG_DUMMY)) {
1627 for (p = SLIST_FIRST(&workq); p != NULL; p = q) {
1628 q = SLIST_NEXT(p, pfrkt_workq);
1629 pfr_commit_ktable(p, tzero);
1632 pf_remove_if_empty_ruleset(rs);
1636 if (nchange != NULL)
1643 pfr_commit_ktable(struct pfr_ktable *kt, long tzero)
1645 struct pfr_ktable *shadow = kt->pfrkt_shadow;
1650 if (shadow->pfrkt_cnt == NO_ADDRESSES) {
1651 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
1652 pfr_clstats_ktable(kt, tzero, 1);
1653 } else if (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) {
1654 /* kt might contain addresses */
1655 struct pfr_kentryworkq addrq, addq, changeq, delq, garbageq;
1656 struct pfr_kentry *p, *q, *next;
1659 pfr_enqueue_addrs(shadow, &addrq, NULL, 0);
1662 SLIST_INIT(&changeq);
1664 SLIST_INIT(&garbageq);
1665 pfr_clean_node_mask(shadow, &addrq);
1666 for (p = SLIST_FIRST(&addrq); p != NULL; p = next) {
1667 next = SLIST_NEXT(p, pfrke_workq); /* XXX */
1668 pfr_copyout_addr(&ad, p);
1669 q = pfr_lookup_addr(kt, &ad, 1);
1671 if (q->pfrke_not != p->pfrke_not)
1672 SLIST_INSERT_HEAD(&changeq, q,
1675 SLIST_INSERT_HEAD(&garbageq, p, pfrke_workq);
1677 p->pfrke_counters.pfrkc_tzero = tzero;
1678 SLIST_INSERT_HEAD(&addq, p, pfrke_workq);
1681 pfr_enqueue_addrs(kt, &delq, NULL, ENQUEUE_UNMARKED_ONLY);
1682 pfr_insert_kentries(kt, &addq, tzero);
1683 pfr_remove_kentries(kt, &delq);
1684 pfr_clstats_kentries(kt, &changeq, tzero, INVERT_NEG_FLAG);
1685 pfr_destroy_kentries(&garbageq);
1687 /* kt cannot contain addresses */
1688 SWAP(struct radix_node_head *, kt->pfrkt_ip4,
1690 SWAP(struct radix_node_head *, kt->pfrkt_ip6,
1692 SWAP(int, kt->pfrkt_cnt, shadow->pfrkt_cnt);
1693 pfr_clstats_ktable(kt, tzero, 1);
1695 nflags = ((shadow->pfrkt_flags & PFR_TFLAG_USRMASK) |
1696 (kt->pfrkt_flags & PFR_TFLAG_SETMASK) | PFR_TFLAG_ACTIVE)
1697 & ~PFR_TFLAG_INACTIVE;
1698 pfr_destroy_ktable(shadow, 0);
1699 kt->pfrkt_shadow = NULL;
1700 pfr_setflags_ktable(kt, nflags);
1704 pfr_validate_table(struct pfr_table *tbl, int allowedflags, int no_reserved)
1708 if (!tbl->pfrt_name[0])
1710 if (no_reserved && !strcmp(tbl->pfrt_anchor, PF_RESERVED_ANCHOR))
1712 if (tbl->pfrt_name[PF_TABLE_NAME_SIZE-1])
1714 for (i = strlen(tbl->pfrt_name); i < PF_TABLE_NAME_SIZE; i++)
1715 if (tbl->pfrt_name[i])
1717 if (pfr_fix_anchor(tbl->pfrt_anchor))
1719 if (tbl->pfrt_flags & ~allowedflags)
1725 * Rewrite anchors referenced by tables to remove slashes
1726 * and check for validity.
1729 pfr_fix_anchor(char *anchor)
1731 size_t siz = MAXPATHLEN;
1734 if (anchor[0] == '/') {
1740 while (*++path == '/')
1742 bcopy(path, anchor, siz - off);
1743 memset(anchor + siz - off, 0, off);
1745 if (anchor[siz - 1])
1747 for (i = strlen(anchor); i < siz; i++)
1754 pfr_table_count(struct pfr_table *filter, int flags)
1756 struct pf_ruleset *rs;
1760 if (flags & PFR_FLAG_ALLRSETS)
1761 return (V_pfr_ktable_cnt);
1762 if (filter->pfrt_anchor[0]) {
1763 rs = pf_find_ruleset(filter->pfrt_anchor);
1764 return ((rs != NULL) ? rs->tables : -1);
1766 return (pf_main_ruleset.tables);
1770 pfr_skip_table(struct pfr_table *filter, struct pfr_ktable *kt, int flags)
1772 if (flags & PFR_FLAG_ALLRSETS)
1774 if (strcmp(filter->pfrt_anchor, kt->pfrkt_anchor))
1780 pfr_insert_ktables(struct pfr_ktableworkq *workq)
1782 struct pfr_ktable *p;
1784 SLIST_FOREACH(p, workq, pfrkt_workq)
1785 pfr_insert_ktable(p);
1789 pfr_insert_ktable(struct pfr_ktable *kt)
1794 RB_INSERT(pfr_ktablehead, &V_pfr_ktables, kt);
1796 if (kt->pfrkt_root != NULL)
1797 if (!kt->pfrkt_root->pfrkt_refcnt[PFR_REFCNT_ANCHOR]++)
1798 pfr_setflags_ktable(kt->pfrkt_root,
1799 kt->pfrkt_root->pfrkt_flags|PFR_TFLAG_REFDANCHOR);
1803 pfr_setflags_ktables(struct pfr_ktableworkq *workq)
1805 struct pfr_ktable *p, *q;
1807 for (p = SLIST_FIRST(workq); p; p = q) {
1808 q = SLIST_NEXT(p, pfrkt_workq);
1809 pfr_setflags_ktable(p, p->pfrkt_nflags);
1814 pfr_setflags_ktable(struct pfr_ktable *kt, int newf)
1816 struct pfr_kentryworkq addrq;
1820 if (!(newf & PFR_TFLAG_REFERENCED) &&
1821 !(newf & PFR_TFLAG_REFDANCHOR) &&
1822 !(newf & PFR_TFLAG_PERSIST))
1823 newf &= ~PFR_TFLAG_ACTIVE;
1824 if (!(newf & PFR_TFLAG_ACTIVE))
1825 newf &= ~PFR_TFLAG_USRMASK;
1826 if (!(newf & PFR_TFLAG_SETMASK)) {
1827 RB_REMOVE(pfr_ktablehead, &V_pfr_ktables, kt);
1828 if (kt->pfrkt_root != NULL)
1829 if (!--kt->pfrkt_root->pfrkt_refcnt[PFR_REFCNT_ANCHOR])
1830 pfr_setflags_ktable(kt->pfrkt_root,
1831 kt->pfrkt_root->pfrkt_flags &
1832 ~PFR_TFLAG_REFDANCHOR);
1833 pfr_destroy_ktable(kt, 1);
1837 if (!(newf & PFR_TFLAG_ACTIVE) && kt->pfrkt_cnt) {
1838 pfr_enqueue_addrs(kt, &addrq, NULL, 0);
1839 pfr_remove_kentries(kt, &addrq);
1841 if (!(newf & PFR_TFLAG_INACTIVE) && kt->pfrkt_shadow != NULL) {
1842 pfr_destroy_ktable(kt->pfrkt_shadow, 1);
1843 kt->pfrkt_shadow = NULL;
1845 kt->pfrkt_flags = newf;
1849 pfr_clstats_ktables(struct pfr_ktableworkq *workq, long tzero, int recurse)
1851 struct pfr_ktable *p;
1853 SLIST_FOREACH(p, workq, pfrkt_workq)
1854 pfr_clstats_ktable(p, tzero, recurse);
1858 pfr_clstats_ktable(struct pfr_ktable *kt, long tzero, int recurse)
1860 struct pfr_kentryworkq addrq;
1861 int pfr_dir, pfr_op;
1864 pfr_enqueue_addrs(kt, &addrq, NULL, 0);
1865 pfr_clstats_kentries(kt, &addrq, tzero, 0);
1867 for (pfr_dir = 0; pfr_dir < PFR_DIR_MAX; pfr_dir ++) {
1868 for (pfr_op = 0; pfr_op < PFR_OP_TABLE_MAX; pfr_op ++) {
1869 counter_u64_zero(kt->pfrkt_packets[pfr_dir][pfr_op]);
1870 counter_u64_zero(kt->pfrkt_bytes[pfr_dir][pfr_op]);
1873 counter_u64_zero(kt->pfrkt_match);
1874 counter_u64_zero(kt->pfrkt_nomatch);
1875 kt->pfrkt_tzero = tzero;
1878 static struct pfr_ktable *
1879 pfr_create_ktable(struct pfr_table *tbl, long tzero, int attachruleset)
1881 struct pfr_ktable *kt;
1882 struct pf_ruleset *rs;
1883 int pfr_dir, pfr_op;
1887 kt = malloc(sizeof(*kt), M_PFTABLE, M_NOWAIT|M_ZERO);
1892 if (attachruleset) {
1893 rs = pf_find_or_create_ruleset(tbl->pfrt_anchor);
1895 pfr_destroy_ktable(kt, 0);
1902 for (pfr_dir = 0; pfr_dir < PFR_DIR_MAX; pfr_dir ++) {
1903 for (pfr_op = 0; pfr_op < PFR_OP_TABLE_MAX; pfr_op ++) {
1904 kt->pfrkt_packets[pfr_dir][pfr_op] =
1905 counter_u64_alloc(M_NOWAIT);
1906 if (! kt->pfrkt_packets[pfr_dir][pfr_op]) {
1907 pfr_destroy_ktable(kt, 0);
1910 kt->pfrkt_bytes[pfr_dir][pfr_op] =
1911 counter_u64_alloc(M_NOWAIT);
1912 if (! kt->pfrkt_bytes[pfr_dir][pfr_op]) {
1913 pfr_destroy_ktable(kt, 0);
1918 kt->pfrkt_match = counter_u64_alloc(M_NOWAIT);
1919 if (! kt->pfrkt_match) {
1920 pfr_destroy_ktable(kt, 0);
1924 kt->pfrkt_nomatch = counter_u64_alloc(M_NOWAIT);
1925 if (! kt->pfrkt_nomatch) {
1926 pfr_destroy_ktable(kt, 0);
1930 if (!rn_inithead((void **)&kt->pfrkt_ip4,
1931 offsetof(struct sockaddr_in, sin_addr) * 8) ||
1932 !rn_inithead((void **)&kt->pfrkt_ip6,
1933 offsetof(struct sockaddr_in6, sin6_addr) * 8)) {
1934 pfr_destroy_ktable(kt, 0);
1937 kt->pfrkt_tzero = tzero;
1943 pfr_destroy_ktables(struct pfr_ktableworkq *workq, int flushaddr)
1945 struct pfr_ktable *p, *q;
1947 for (p = SLIST_FIRST(workq); p; p = q) {
1948 q = SLIST_NEXT(p, pfrkt_workq);
1949 pfr_destroy_ktable(p, flushaddr);
1954 pfr_destroy_ktable(struct pfr_ktable *kt, int flushaddr)
1956 struct pfr_kentryworkq addrq;
1957 int pfr_dir, pfr_op;
1960 pfr_enqueue_addrs(kt, &addrq, NULL, 0);
1961 pfr_clean_node_mask(kt, &addrq);
1962 pfr_destroy_kentries(&addrq);
1964 if (kt->pfrkt_ip4 != NULL)
1965 rn_detachhead((void **)&kt->pfrkt_ip4);
1966 if (kt->pfrkt_ip6 != NULL)
1967 rn_detachhead((void **)&kt->pfrkt_ip6);
1968 if (kt->pfrkt_shadow != NULL)
1969 pfr_destroy_ktable(kt->pfrkt_shadow, flushaddr);
1970 if (kt->pfrkt_rs != NULL) {
1971 kt->pfrkt_rs->tables--;
1972 pf_remove_if_empty_ruleset(kt->pfrkt_rs);
1974 for (pfr_dir = 0; pfr_dir < PFR_DIR_MAX; pfr_dir ++) {
1975 for (pfr_op = 0; pfr_op < PFR_OP_TABLE_MAX; pfr_op ++) {
1976 counter_u64_free(kt->pfrkt_packets[pfr_dir][pfr_op]);
1977 counter_u64_free(kt->pfrkt_bytes[pfr_dir][pfr_op]);
1980 counter_u64_free(kt->pfrkt_match);
1981 counter_u64_free(kt->pfrkt_nomatch);
1983 free(kt, M_PFTABLE);
1987 pfr_ktable_compare(struct pfr_ktable *p, struct pfr_ktable *q)
1991 if ((d = strncmp(p->pfrkt_name, q->pfrkt_name, PF_TABLE_NAME_SIZE)))
1993 return (strcmp(p->pfrkt_anchor, q->pfrkt_anchor));
1996 static struct pfr_ktable *
1997 pfr_lookup_table(struct pfr_table *tbl)
1999 /* struct pfr_ktable start like a struct pfr_table */
2000 return (RB_FIND(pfr_ktablehead, &V_pfr_ktables,
2001 (struct pfr_ktable *)tbl));
2005 pfr_match_addr(struct pfr_ktable *kt, struct pf_addr *a, sa_family_t af)
2007 struct pfr_kentry *ke = NULL;
2012 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
2013 kt = kt->pfrkt_root;
2014 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
2021 struct sockaddr_in sin;
2023 bzero(&sin, sizeof(sin));
2024 sin.sin_len = sizeof(sin);
2025 sin.sin_family = AF_INET;
2026 sin.sin_addr.s_addr = a->addr32[0];
2027 ke = (struct pfr_kentry *)rn_match(&sin, &kt->pfrkt_ip4->rh);
2028 if (ke && KENTRY_RNF_ROOT(ke))
2036 struct sockaddr_in6 sin6;
2038 bzero(&sin6, sizeof(sin6));
2039 sin6.sin6_len = sizeof(sin6);
2040 sin6.sin6_family = AF_INET6;
2041 bcopy(a, &sin6.sin6_addr, sizeof(sin6.sin6_addr));
2042 ke = (struct pfr_kentry *)rn_match(&sin6, &kt->pfrkt_ip6->rh);
2043 if (ke && KENTRY_RNF_ROOT(ke))
2049 match = (ke && !ke->pfrke_not);
2051 counter_u64_add(kt->pfrkt_match, 1);
2053 counter_u64_add(kt->pfrkt_nomatch, 1);
2058 pfr_update_stats(struct pfr_ktable *kt, struct pf_addr *a, sa_family_t af,
2059 u_int64_t len, int dir_out, int op_pass, int notrule)
2061 struct pfr_kentry *ke = NULL;
2063 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
2064 kt = kt->pfrkt_root;
2065 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
2072 struct sockaddr_in sin;
2074 bzero(&sin, sizeof(sin));
2075 sin.sin_len = sizeof(sin);
2076 sin.sin_family = AF_INET;
2077 sin.sin_addr.s_addr = a->addr32[0];
2078 ke = (struct pfr_kentry *)rn_match(&sin, &kt->pfrkt_ip4->rh);
2079 if (ke && KENTRY_RNF_ROOT(ke))
2087 struct sockaddr_in6 sin6;
2089 bzero(&sin6, sizeof(sin6));
2090 sin6.sin6_len = sizeof(sin6);
2091 sin6.sin6_family = AF_INET6;
2092 bcopy(a, &sin6.sin6_addr, sizeof(sin6.sin6_addr));
2093 ke = (struct pfr_kentry *)rn_match(&sin6, &kt->pfrkt_ip6->rh);
2094 if (ke && KENTRY_RNF_ROOT(ke))
2100 panic("%s: unknown address family %u", __func__, af);
2102 if ((ke == NULL || ke->pfrke_not) != notrule) {
2103 if (op_pass != PFR_OP_PASS)
2104 DPFPRINTF(PF_DEBUG_URGENT,
2105 ("pfr_update_stats: assertion failed.\n"));
2106 op_pass = PFR_OP_XPASS;
2108 counter_u64_add(kt->pfrkt_packets[dir_out][op_pass], 1);
2109 counter_u64_add(kt->pfrkt_bytes[dir_out][op_pass], len);
2110 if (ke != NULL && op_pass != PFR_OP_XPASS &&
2111 (kt->pfrkt_flags & PFR_TFLAG_COUNTERS)) {
2112 counter_u64_add(pfr_kentry_counter(&ke->pfrke_counters,
2113 dir_out, op_pass, PFR_TYPE_PACKETS), 1);
2114 counter_u64_add(pfr_kentry_counter(&ke->pfrke_counters,
2115 dir_out, op_pass, PFR_TYPE_BYTES), len);
2120 pfr_attach_table(struct pf_ruleset *rs, char *name)
2122 struct pfr_ktable *kt, *rt;
2123 struct pfr_table tbl;
2124 struct pf_anchor *ac = rs->anchor;
2128 bzero(&tbl, sizeof(tbl));
2129 strlcpy(tbl.pfrt_name, name, sizeof(tbl.pfrt_name));
2131 strlcpy(tbl.pfrt_anchor, ac->path, sizeof(tbl.pfrt_anchor));
2132 kt = pfr_lookup_table(&tbl);
2134 kt = pfr_create_ktable(&tbl, time_second, 1);
2138 bzero(tbl.pfrt_anchor, sizeof(tbl.pfrt_anchor));
2139 rt = pfr_lookup_table(&tbl);
2141 rt = pfr_create_ktable(&tbl, 0, 1);
2143 pfr_destroy_ktable(kt, 0);
2146 pfr_insert_ktable(rt);
2148 kt->pfrkt_root = rt;
2150 pfr_insert_ktable(kt);
2152 if (!kt->pfrkt_refcnt[PFR_REFCNT_RULE]++)
2153 pfr_setflags_ktable(kt, kt->pfrkt_flags|PFR_TFLAG_REFERENCED);
2158 pfr_detach_table(struct pfr_ktable *kt)
2162 KASSERT(kt->pfrkt_refcnt[PFR_REFCNT_RULE] > 0, ("%s: refcount %d\n",
2163 __func__, kt->pfrkt_refcnt[PFR_REFCNT_RULE]));
2165 if (!--kt->pfrkt_refcnt[PFR_REFCNT_RULE])
2166 pfr_setflags_ktable(kt, kt->pfrkt_flags&~PFR_TFLAG_REFERENCED);
2170 pfr_pool_get(struct pfr_ktable *kt, int *pidx, struct pf_addr *counter,
2173 struct pf_addr *addr, *cur, *mask;
2174 union sockaddr_union uaddr, umask;
2175 struct pfr_kentry *ke, *ke2 = NULL;
2176 int idx = -1, use_counter = 0;
2180 uaddr.sin.sin_len = sizeof(struct sockaddr_in);
2181 uaddr.sin.sin_family = AF_INET;
2184 uaddr.sin6.sin6_len = sizeof(struct sockaddr_in6);
2185 uaddr.sin6.sin6_family = AF_INET6;
2188 addr = SUNION2PF(&uaddr, af);
2190 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
2191 kt = kt->pfrkt_root;
2192 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
2197 if (counter != NULL && idx >= 0)
2203 ke = pfr_kentry_byidx(kt, idx, af);
2205 counter_u64_add(kt->pfrkt_nomatch, 1);
2208 pfr_prepare_network(&umask, af, ke->pfrke_net);
2209 cur = SUNION2PF(&ke->pfrke_sa, af);
2210 mask = SUNION2PF(&umask, af);
2213 /* is supplied address within block? */
2214 if (!PF_MATCHA(0, cur, mask, counter, af)) {
2215 /* no, go to next block in table */
2220 PF_ACPY(addr, counter, af);
2222 /* use first address of block */
2223 PF_ACPY(addr, cur, af);
2226 if (!KENTRY_NETWORK(ke)) {
2227 /* this is a single IP address - no possible nested block */
2228 PF_ACPY(counter, addr, af);
2230 counter_u64_add(kt->pfrkt_match, 1);
2234 /* we don't want to use a nested block */
2237 ke2 = (struct pfr_kentry *)rn_match(&uaddr,
2238 &kt->pfrkt_ip4->rh);
2241 ke2 = (struct pfr_kentry *)rn_match(&uaddr,
2242 &kt->pfrkt_ip6->rh);
2245 /* no need to check KENTRY_RNF_ROOT() here */
2247 /* lookup return the same block - perfect */
2248 PF_ACPY(counter, addr, af);
2250 counter_u64_add(kt->pfrkt_match, 1);
2254 /* we need to increase the counter past the nested block */
2255 pfr_prepare_network(&umask, AF_INET, ke2->pfrke_net);
2256 PF_POOLMASK(addr, addr, SUNION2PF(&umask, af), &pfr_ffaddr, af);
2258 if (!PF_MATCHA(0, cur, mask, addr, af)) {
2259 /* ok, we reached the end of our main block */
2260 /* go to next block in table */
2268 static struct pfr_kentry *
2269 pfr_kentry_byidx(struct pfr_ktable *kt, int idx, int af)
2271 struct pfr_walktree w;
2273 bzero(&w, sizeof(w));
2274 w.pfrw_op = PFRW_POOL_GET;
2280 kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh, pfr_walktree, &w);
2281 return (w.pfrw_kentry);
2285 kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh, pfr_walktree, &w);
2286 return (w.pfrw_kentry);
2294 pfr_dynaddr_update(struct pfr_ktable *kt, struct pfi_dynaddr *dyn)
2296 struct pfr_walktree w;
2298 bzero(&w, sizeof(w));
2299 w.pfrw_op = PFRW_DYNADDR_UPDATE;
2302 dyn->pfid_acnt4 = 0;
2303 dyn->pfid_acnt6 = 0;
2304 if (!dyn->pfid_af || dyn->pfid_af == AF_INET)
2305 kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh, pfr_walktree, &w);
2306 if (!dyn->pfid_af || dyn->pfid_af == AF_INET6)
2307 kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh, pfr_walktree, &w);
projects / FreeBSD / FreeBSD.git / blob