d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

pf: remove unused ioctls.

Browse Source 
Several ioctls are unused in pf, in the sense that no base utility
references them.  Additionally, a cursory review of pf-based ports
indicates they're not used elsewhere either.  Some of them have been
unused since the original import.  As far as I can tell, they're also
unused in OpenBSD.  Finally, removing this code removes the need for
future pf work to take them into account.

Reviewed by:		kp
Differential Revision:	https://reviews.freebsd.org/D16076
This commit is contained in:
Will Andrews 2018-07-01 01:16:03 +00:00
parent e0ddf97a63
commit c1887e9f09
3 changed files with 4 additions and 449 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
share/man/man4/pf.4
View File

@ -139,9 +139,8 @@ Clear the buffer address pool and get a
.Va ticket
for subsequent
.Dv DIOCADDADDR ,
.Dv DIOCADDRULE ,
and
.Dv DIOCCHANGERULE
.Dv DIOCADDRULE
calls.
.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr *pp"
.Pp
@ -149,8 +148,6 @@ Add the pool address
.Va addr
to the buffer address pool to be used in the following
.Dv DIOCADDRULE
or
.Dv DIOCCHANGERULE
call.
All other members of the structure are ignored.
.It Dv DIOCADDRULE Fa "struct pfioc_rule *pr"
@ -319,21 +316,6 @@ This ioctl returns
if the given anchor does not exist or
.Er EBUSY
if another process is concurrently updating a ruleset.
.It Dv DIOCADDSTATE Fa "struct pfioc_state *ps"
Add a state entry.
.Bd -literal
struct pfioc_state {
struct pfsync_state state;
};
.Ed
.It Dv DIOCGETSTATE Fa "struct pfioc_state *ps"
Extract the entry identified by the
.Va id
and
.Va creatorid
fields of the
.Va state
structure from the state table.
.It Dv DIOCKILLSTATES Fa "struct pfioc_state_kill *psk"
Remove matching entries from the state table.
This ioctl returns the number of killed states in
@ -439,11 +421,6 @@ On exit,
is always set to the total size required to hold all state table entries
(i.e., it is set to
.Li sizeof(struct pf_state) * nr ) .
.It Dv DIOCCHANGERULE Fa "struct pfioc_rule *pcr"
Add or remove the
.Va rule
in the ruleset specified by
.Va rule.action .
.Pp
The type of operation to be performed is indicated by
.Va action ,
@ -475,15 +452,6 @@ indicates the rule number against which
or
.Dv PF_CHANGE_REMOVE
actions are applied.
.\" It Dv DIOCCHANGEALTQ Fa "struct pfioc_altq *pcr"
.It Dv DIOCCHANGEADDR Fa "struct pfioc_pooladdr *pca"
Add or remove the pool address
.Va addr
from the rule specified by
.Va r_action ,
.Va r_num ,
and
.Va anchor .
.It Dv DIOCSETTIMEOUT Fa "struct pfioc_tm *pt"
.Bd -literal
struct pfioc_tm {
@ -510,8 +478,6 @@ Get the state timeout of
The value will be placed into the
.Va seconds
field.
.It Dv DIOCCLRRULECTRS
Clear per-rule statistics.
.It Dv DIOCSETLIMIT Fa "struct pfioc_limit *pl"
Set the hard limits on the memory pools used by the packet filter.
.Bd -literal

9
sys/net/pfvar.h
View File

@ -1385,19 +1385,17 @@ struct pfioc_iface {
#define DIOCGETRULE _IOWR('D', 7, struct pfioc_rule)
/* XXX cut 8 - 17 */
#define DIOCCLRSTATES _IOWR('D', 18, struct pfioc_state_kill)
#define DIOCGETSTATE _IOWR('D', 19, struct pfioc_state)
/* XXX cut 19 */
#define DIOCSETSTATUSIF _IOWR('D', 20, struct pfioc_if)
#define DIOCGETSTATUS _IOWR('D', 21, struct pf_status)
#define DIOCCLRSTATUS _IO ('D', 22)
#define DIOCNATLOOK _IOWR('D', 23, struct pfioc_natlook)
#define DIOCSETDEBUG _IOWR('D', 24, u_int32_t)
#define DIOCGETSTATES _IOWR('D', 25, struct pfioc_states)
#define DIOCCHANGERULE _IOWR('D', 26, struct pfioc_rule)
/* XXX cut 26 - 28 */
#define DIOCSETTIMEOUT _IOWR('D', 29, struct pfioc_tm)
#define DIOCGETTIMEOUT _IOWR('D', 30, struct pfioc_tm)
#define DIOCADDSTATE _IOWR('D', 37, struct pfioc_state)
#define DIOCCLRRULECTRS _IO ('D', 38)
/* XXX cut 31-38 */
#define DIOCGETLIMIT _IOWR('D', 39, struct pfioc_limit)
#define DIOCSETLIMIT _IOWR('D', 40, struct pfioc_limit)
#define DIOCKILLSTATES _IOWR('D', 41, struct pfioc_state_kill)
@ -1406,13 +1404,12 @@ struct pfioc_iface {
#define DIOCADDALTQ _IOWR('D', 45, struct pfioc_altq)
#define DIOCGETALTQS _IOWR('D', 47, struct pfioc_altq)
#define DIOCGETALTQ _IOWR('D', 48, struct pfioc_altq)
#define DIOCCHANGEALTQ _IOWR('D', 49, struct pfioc_altq)
/* XXX cut 49 */
#define DIOCGETQSTATS _IOWR('D', 50, struct pfioc_qstats)
#define DIOCBEGINADDRS _IOWR('D', 51, struct pfioc_pooladdr)
#define DIOCADDADDR _IOWR('D', 52, struct pfioc_pooladdr)
#define DIOCGETADDRS _IOWR('D', 53, struct pfioc_pooladdr)
#define DIOCGETADDR _IOWR('D', 54, struct pfioc_pooladdr)
#define DIOCCHANGEADDR _IOWR('D', 55, struct pfioc_pooladdr)
/* XXX cut 55 - 57 */
#define DIOCGETRULESETS _IOWR('D', 58, struct pfioc_ruleset)
#define DIOCGETRULESET _IOWR('D', 59, struct pfioc_ruleset)

408
sys/netpfil/pf/pf_ioctl.c
View File

@ -1003,7 +1003,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
case DIOCGETRULE:
case DIOCGETADDRS:
case DIOCGETADDR:
case DIOCGETSTATE:
case DIOCSETSTATUSIF:
case DIOCGETSTATUS:
case DIOCCLRSTATUS:
@ -1011,7 +1010,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
case DIOCSETDEBUG:
case DIOCGETSTATES:
case DIOCGETTIMEOUT:
case DIOCCLRRULECTRS:
case DIOCGETLIMIT:
case DIOCGETALTQS:
case DIOCGETALTQ:
@ -1054,7 +1052,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
case DIOCGETRULES:
case DIOCGETADDRS:
case DIOCGETADDR:
case DIOCGETSTATE:
case DIOCGETSTATUS:
case DIOCGETSTATES:
case DIOCGETTIMEOUT:
@ -1396,227 +1393,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
break;
}
case DIOCCHANGERULE: {
struct pfioc_rule *pcr = (struct pfioc_rule *)addr;
struct pf_ruleset *ruleset;
struct pf_rule *oldrule = NULL, *newrule = NULL;
struct pfi_kif *kif = NULL;
struct pf_pooladdr *pa;
u_int32_t nr = 0;
int rs_num;
if (pcr->action < PF_CHANGE_ADD_HEAD ||
pcr->action > PF_CHANGE_GET_TICKET) {
error = EINVAL;
break;
}
if (pcr->rule.return_icmp >> 8 > ICMP_MAXTYPE) {
error = EINVAL;
break;
}
if (pcr->action != PF_CHANGE_REMOVE) {
#ifndef INET
if (pcr->rule.af == AF_INET) {
error = EAFNOSUPPORT;
break;
}
#endif /* INET */
#ifndef INET6
if (pcr->rule.af == AF_INET6) {
error = EAFNOSUPPORT;
break;
}
#endif /* INET6 */
newrule = malloc(sizeof(*newrule), M_PFRULE, M_WAITOK);
bcopy(&pcr->rule, newrule, sizeof(struct pf_rule));
if (newrule->ifname[0])
kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);
newrule->states_cur = counter_u64_alloc(M_WAITOK);
newrule->states_tot = counter_u64_alloc(M_WAITOK);
newrule->src_nodes = counter_u64_alloc(M_WAITOK);
newrule->cuid = td->td_ucred->cr_ruid;
newrule->cpid = td->td_proc ? td->td_proc->p_pid : 0;
TAILQ_INIT(&newrule->rpool.list);
}
#define ERROUT(x) { error = (x); goto DIOCCHANGERULE_error; }
PF_RULES_WLOCK();
if (!(pcr->action == PF_CHANGE_REMOVE ||
pcr->action == PF_CHANGE_GET_TICKET) &&
pcr->pool_ticket != V_ticket_pabuf)
ERROUT(EBUSY);
ruleset = pf_find_ruleset(pcr->anchor);
if (ruleset == NULL)
ERROUT(EINVAL);
rs_num = pf_get_ruleset_number(pcr->rule.action);
if (rs_num >= PF_RULESET_MAX)
ERROUT(EINVAL);
if (pcr->action == PF_CHANGE_GET_TICKET) {
pcr->ticket = ++ruleset->rules[rs_num].active.ticket;
ERROUT(0);
} else if (pcr->ticket !=
ruleset->rules[rs_num].active.ticket)
ERROUT(EINVAL);
if (pcr->action != PF_CHANGE_REMOVE) {
if (newrule->ifname[0]) {
newrule->kif = pfi_kif_attach(kif,
newrule->ifname);
pfi_kif_ref(newrule->kif);
} else
newrule->kif = NULL;
if (newrule->rtableid > 0 &&
newrule->rtableid >= rt_numfibs)
error = EBUSY;
#ifdef ALTQ
/* set queue IDs */
if (newrule->qname[0] != 0) {
if ((newrule->qid =
pf_qname2qid(newrule->qname)) == 0)
error = EBUSY;
else if (newrule->pqname[0] != 0) {
if ((newrule->pqid =
pf_qname2qid(newrule->pqname)) == 0)
error = EBUSY;
} else
newrule->pqid = newrule->qid;
}
#endif /* ALTQ */
if (newrule->tagname[0])
if ((newrule->tag =
pf_tagname2tag(newrule->tagname)) == 0)
error = EBUSY;
if (newrule->match_tagname[0])
if ((newrule->match_tag = pf_tagname2tag(
newrule->match_tagname)) == 0)
error = EBUSY;
if (newrule->rt && !newrule->direction)
error = EINVAL;
if (!newrule->log)
newrule->logif = 0;
if (newrule->logif >= PFLOGIFS_MAX)
error = EINVAL;
if (pf_addr_setup(ruleset, &newrule->src.addr, newrule->af))
error = ENOMEM;
if (pf_addr_setup(ruleset, &newrule->dst.addr, newrule->af))
error = ENOMEM;
if (pf_anchor_setup(newrule, ruleset, pcr->anchor_call))
error = EINVAL;
TAILQ_FOREACH(pa, &V_pf_pabuf, entries)
if (pa->addr.type == PF_ADDR_TABLE) {
pa->addr.p.tbl =
pfr_attach_table(ruleset,
pa->addr.v.tblname);
if (pa->addr.p.tbl == NULL)
error = ENOMEM;
}
newrule->overload_tbl = NULL;
if (newrule->overload_tblname[0]) {
if ((newrule->overload_tbl = pfr_attach_table(
ruleset, newrule->overload_tblname)) ==
NULL)
error = EINVAL;
else
newrule->overload_tbl->pfrkt_flags |=
PFR_TFLAG_ACTIVE;
}
pf_mv_pool(&V_pf_pabuf, &newrule->rpool.list);
if (((((newrule->action == PF_NAT) ||
(newrule->action == PF_RDR) ||
(newrule->action == PF_BINAT) ||
(newrule->rt > PF_NOPFROUTE)) &&
!newrule->anchor)) &&
(TAILQ_FIRST(&newrule->rpool.list) == NULL))
error = EINVAL;
if (error) {
pf_free_rule(newrule);
PF_RULES_WUNLOCK();
break;
}
newrule->rpool.cur = TAILQ_FIRST(&newrule->rpool.list);
newrule->evaluations = 0;
newrule->packets[0] = newrule->packets[1] = 0;
newrule->bytes[0] = newrule->bytes[1] = 0;
}
pf_empty_pool(&V_pf_pabuf);
if (pcr->action == PF_CHANGE_ADD_HEAD)
oldrule = TAILQ_FIRST(
ruleset->rules[rs_num].active.ptr);
else if (pcr->action == PF_CHANGE_ADD_TAIL)
oldrule = TAILQ_LAST(
ruleset->rules[rs_num].active.ptr, pf_rulequeue);
else {
oldrule = TAILQ_FIRST(
ruleset->rules[rs_num].active.ptr);
while ((oldrule != NULL) && (oldrule->nr != pcr->nr))
oldrule = TAILQ_NEXT(oldrule, entries);
if (oldrule == NULL) {
if (newrule != NULL)
pf_free_rule(newrule);
PF_RULES_WUNLOCK();
error = EINVAL;
break;
}
}
if (pcr->action == PF_CHANGE_REMOVE) {
pf_unlink_rule(ruleset->rules[rs_num].active.ptr,
oldrule);
ruleset->rules[rs_num].active.rcount--;
} else {
if (oldrule == NULL)
TAILQ_INSERT_TAIL(
ruleset->rules[rs_num].active.ptr,
newrule, entries);
else if (pcr->action == PF_CHANGE_ADD_HEAD ||
pcr->action == PF_CHANGE_ADD_BEFORE)
TAILQ_INSERT_BEFORE(oldrule, newrule, entries);
else
TAILQ_INSERT_AFTER(
ruleset->rules[rs_num].active.ptr,
oldrule, newrule, entries);
ruleset->rules[rs_num].active.rcount++;
}
nr = 0;
TAILQ_FOREACH(oldrule,
ruleset->rules[rs_num].active.ptr, entries)
oldrule->nr = nr++;
ruleset->rules[rs_num].active.ticket++;
pf_calc_skip_steps(ruleset->rules[rs_num].active.ptr);
pf_remove_if_empty_ruleset(ruleset);
PF_RULES_WUNLOCK();
break;
#undef ERROUT
DIOCCHANGERULE_error:
PF_RULES_WUNLOCK();
if (newrule != NULL) {
counter_u64_free(newrule->states_cur);
counter_u64_free(newrule->states_tot);
counter_u64_free(newrule->src_nodes);
free(newrule, M_PFRULE);
}
if (kif != NULL)
free(kif, PFI_MTYPE);
break;
}
case DIOCCLRSTATES: {
struct pf_state *s;
struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
@ -1723,38 +1499,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
break;
}
case DIOCADDSTATE: {
struct pfioc_state *ps = (struct pfioc_state *)addr;
struct pfsync_state *sp = &ps->state;
if (sp->timeout >= PFTM_MAX) {
error = EINVAL;
break;
}
if (pfsync_state_import_ptr != NULL) {
PF_RULES_RLOCK();
error = pfsync_state_import_ptr(sp, PFSYNC_SI_IOCTL);
PF_RULES_RUNLOCK();
} else
error = EOPNOTSUPP;
break;
}
case DIOCGETSTATE: {
struct pfioc_state *ps = (struct pfioc_state *)addr;
struct pf_state *s;
s = pf_find_state_byid(ps->state.id, ps->state.creatorid);
if (s == NULL) {
error = ENOENT;
break;
}
pfsync_state_export(&ps->state, s);
PF_STATE_UNLOCK(s);
break;
}
case DIOCGETSTATES: {
struct pfioc_states *ps = (struct pfioc_states *)addr;
struct pf_state *s;
@ -1985,22 +1729,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
break;
}
case DIOCCLRRULECTRS: {
/* obsoleted by DIOCGETRULE with action=PF_GET_CLR_CNTR */
struct pf_ruleset *ruleset = &pf_main_ruleset;
struct pf_rule *rule;
PF_RULES_WLOCK();
TAILQ_FOREACH(rule,
ruleset->rules[PF_RULESET_FILTER].active.ptr, entries) {
rule->evaluations = 0;
rule->packets[0] = rule->packets[1] = 0;
rule->bytes[0] = rule->bytes[1] = 0;
}
PF_RULES_WUNLOCK();
break;
}
case DIOCGIFSPEED: {
struct pf_ifspeed *psp = (struct pf_ifspeed *)addr;
struct pf_ifspeed ps;
@ -2155,11 +1883,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
break;
}
case DIOCCHANGEALTQ:
/* CHANGEALTQ not supported yet! */
error = ENODEV;
break;
case DIOCGETQSTATS: {
struct pfioc_qstats *pq = (struct pfioc_qstats *)addr;
struct pf_altq *altq;
@ -2314,137 +2037,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
break;
}
case DIOCCHANGEADDR: {
struct pfioc_pooladdr *pca = (struct pfioc_pooladdr *)addr;
struct pf_pool *pool;
struct pf_pooladdr *oldpa = NULL, *newpa = NULL;
struct pf_ruleset *ruleset;
struct pfi_kif *kif = NULL;
if (pca->action < PF_CHANGE_ADD_HEAD ||
pca->action > PF_CHANGE_REMOVE) {
error = EINVAL;
break;
}
if (pca->addr.addr.type != PF_ADDR_ADDRMASK &&
pca->addr.addr.type != PF_ADDR_DYNIFTL &&
pca->addr.addr.type != PF_ADDR_TABLE) {
error = EINVAL;
break;
}
if (pca->action != PF_CHANGE_REMOVE) {
#ifndef INET
if (pca->af == AF_INET) {
error = EAFNOSUPPORT;
break;
}
#endif /* INET */
#ifndef INET6
if (pca->af == AF_INET6) {
error = EAFNOSUPPORT;
break;
}
#endif /* INET6 */
newpa = malloc(sizeof(*newpa), M_PFRULE, M_WAITOK);
bcopy(&pca->addr, newpa, sizeof(struct pf_pooladdr));
if (newpa->ifname[0])
kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);
newpa->kif = NULL;
}
#define ERROUT(x) { error = (x); goto DIOCCHANGEADDR_error; }
PF_RULES_WLOCK();
ruleset = pf_find_ruleset(pca->anchor);
if (ruleset == NULL)
ERROUT(EBUSY);
pool = pf_get_pool(pca->anchor, pca->ticket, pca->r_action,
pca->r_num, pca->r_last, 1, 1);
if (pool == NULL)
ERROUT(EBUSY);
if (pca->action != PF_CHANGE_REMOVE) {
if (newpa->ifname[0]) {
newpa->kif = pfi_kif_attach(kif, newpa->ifname);
pfi_kif_ref(newpa->kif);
kif = NULL;
}
switch (newpa->addr.type) {
case PF_ADDR_DYNIFTL:
error = pfi_dynaddr_setup(&newpa->addr,
pca->af);
break;
case PF_ADDR_TABLE:
newpa->addr.p.tbl = pfr_attach_table(ruleset,
newpa->addr.v.tblname);
if (newpa->addr.p.tbl == NULL)
error = ENOMEM;
break;
}
if (error)
goto DIOCCHANGEADDR_error;
}
switch (pca->action) {
case PF_CHANGE_ADD_HEAD:
oldpa = TAILQ_FIRST(&pool->list);
break;
case PF_CHANGE_ADD_TAIL:
oldpa = TAILQ_LAST(&pool->list, pf_palist);
break;
default:
oldpa = TAILQ_FIRST(&pool->list);
for (int i = 0; oldpa && i < pca->nr; i++)
oldpa = TAILQ_NEXT(oldpa, entries);
if (oldpa == NULL)
ERROUT(EINVAL);
}
if (pca->action == PF_CHANGE_REMOVE) {
TAILQ_REMOVE(&pool->list, oldpa, entries);
switch (oldpa->addr.type) {
case PF_ADDR_DYNIFTL:
pfi_dynaddr_remove(oldpa->addr.p.dyn);
break;
case PF_ADDR_TABLE:
pfr_detach_table(oldpa->addr.p.tbl);
break;
}
if (oldpa->kif)
pfi_kif_unref(oldpa->kif);
free(oldpa, M_PFRULE);
} else {
if (oldpa == NULL)
TAILQ_INSERT_TAIL(&pool->list, newpa, entries);
else if (pca->action == PF_CHANGE_ADD_HEAD ||
pca->action == PF_CHANGE_ADD_BEFORE)
TAILQ_INSERT_BEFORE(oldpa, newpa, entries);
else
TAILQ_INSERT_AFTER(&pool->list, oldpa,
newpa, entries);
}
pool->cur = TAILQ_FIRST(&pool->list);
PF_ACPY(&pool->counter, &pool->cur->addr.v.a.addr, pca->af);
PF_RULES_WUNLOCK();
break;
#undef ERROUT
DIOCCHANGEADDR_error:
if (newpa != NULL) {
if (newpa->kif)
pfi_kif_unref(newpa->kif);
free(newpa, M_PFRULE);
}
PF_RULES_WUNLOCK();
if (kif != NULL)
free(kif, PFI_MTYPE);
break;
}
case DIOCGETRULESETS: {
struct pfioc_ruleset *pr = (struct pfioc_ruleset *)addr;
struct pf_ruleset *ruleset;