d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

pf: Split pfi_kif into a user and kernel space structure

Browse Source 
No functional change.

MFC after:	2 weeks
Sponsored by:	Orange Business Services
Differential Revision:	https://reviews.freebsd.org/D27761
This commit is contained in:
Kristof Provost 2020-12-12 15:14:56 +01:00
parent c3adacdad4
commit 320c11165b
9 changed files with 264 additions and 185 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
sys/net/pfvar.h
View File

@ -66,7 +66,7 @@ struct pfi_dynaddr {
struct pf_addr pfid_addr6;
struct pf_addr pfid_mask6;
struct pfr_ktable *pfid_kt;
struct pfi_kif *pfid_kif;
struct pfi_kkif *pfid_kif;
int pfid_net; /* mask or 128 */
int pfid_acnt4; /* address count IPv4 */
int pfid_acnt6; /* address count IPv6 */
@ -294,6 +294,25 @@ extern struct sx pf_end_lock;
#ifdef _KERNEL
struct pf_kpooladdr {
struct pf_addr_wrap addr;
TAILQ_ENTRY(pf_kpooladdr) entries;
char ifname[IFNAMSIZ];
struct pfi_kkif *kif;
};
TAILQ_HEAD(pf_kpalist, pf_kpooladdr);
struct pf_kpool {
struct pf_kpalist list;
struct pf_kpooladdr *cur;
struct pf_poolhashkey key;
struct pf_addr counter;
int tblidx;
u_int16_t proxy_port[2];
u_int8_t opts;
};
union pf_krule_ptr {
struct pf_krule *ptr;
u_int32_t nr;
@ -313,13 +332,13 @@ struct pf_krule {
char overload_tblname[PF_TABLE_NAME_SIZE];
TAILQ_ENTRY(pf_krule) entries;
struct pf_pool rpool;
struct pf_kpool rpool;
counter_u64_t evaluations;
counter_u64_t packets[2];
counter_u64_t bytes[2];
struct pfi_kif *kif;
struct pfi_kkif *kif;
struct pf_kanchor *anchor;
struct pfr_ktable *overload_tbl;
@ -398,7 +417,7 @@ struct pf_ksrc_node {
struct pf_addr addr;
struct pf_addr raddr;
union pf_krule_ptr rule;
struct pfi_kif *kif;
struct pfi_kkif *kif;
counter_u64_t bytes[2];
counter_u64_t packets[2];
u_int32_t states;
@ -500,8 +519,8 @@ struct pf_state {
union pf_krule_ptr nat_rule;
struct pf_addr rt_addr;
struct pf_state_key *key[2]; /* addresses stack and wire */
struct pfi_kif *kif;
struct pfi_kif *rt_kif;
struct pfi_kkif *kif;
struct pfi_kkif *rt_kif;
struct pf_ksrc_node *src_node;
struct pf_ksrc_node *nat_src_node;
counter_u64_t packets[2];
@ -606,7 +625,7 @@ void pfsync_state_export(struct pfsync_state *,
/* pflog */
struct pf_kruleset;
struct pf_pdesc;
typedef int pflog_packet_t(struct pfi_kif *, struct mbuf *, sa_family_t,
typedef int pflog_packet_t(struct pfi_kkif *, struct mbuf *, sa_family_t,
u_int8_t, u_int8_t, struct pf_krule *, struct pf_krule *,
struct pf_kruleset *, struct pf_pdesc *, int);
extern pflog_packet_t *pflog_packet_ptr;
@ -851,16 +870,12 @@ struct pfr_ktable {
#define pfrkt_tzero pfrkt_kts.pfrkts_tzero
#endif
/* keep synced with pfi_kif, used in RB_FIND */
struct pfi_kif_cmp {
char pfik_name[IFNAMSIZ];
};
struct pfi_kif {
#ifdef _KERNEL
struct pfi_kkif {
char pfik_name[IFNAMSIZ];
union {
RB_ENTRY(pfi_kif) _pfik_tree;
LIST_ENTRY(pfi_kif) _pfik_list;
RB_ENTRY(pfi_kkif) _pfik_tree;
LIST_ENTRY(pfi_kkif) _pfik_list;
} _pfik_glue;
#define pfik_tree _pfik_glue._pfik_tree
#define pfik_list _pfik_glue._pfik_list
@ -873,6 +888,7 @@ struct pfi_kif {
u_int pfik_rulerefs;
TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs;
};
#endif
#define PFI_IFLAG_REFS 0x0001 /* has state references */
#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
@ -1379,7 +1395,7 @@ VNET_DECLARE(uint64_t, pf_stateid[MAXCPU]);
TAILQ_HEAD(pf_altqqueue, pf_altq);
VNET_DECLARE(struct pf_altqqueue, pf_altqs[4]);
#define V_pf_altqs VNET(pf_altqs)
VNET_DECLARE(struct pf_palist, pf_pabuf);
VNET_DECLARE(struct pf_kpalist, pf_pabuf);
#define V_pf_pabuf VNET(pf_pabuf)
VNET_DECLARE(u_int32_t, ticket_altqs_active);
@ -1428,7 +1444,7 @@ extern void pf_purge_expired_src_nodes(void);
extern int pf_unlink_state(struct pf_state *, u_int);
#define PF_ENTER_LOCKED 0x00000001
#define PF_RETURN_LOCKED 0x00000002
extern int pf_state_insert(struct pfi_kif *,
extern int pf_state_insert(struct pfi_kkif *,
struct pf_state_key *,
struct pf_state_key *,
struct pf_state *);
@ -1476,13 +1492,13 @@ void pf_free_rule(struct pf_krule *);
#ifdef INET
int pf_test(int, int, struct ifnet *, struct mbuf **, struct inpcb *);
int pf_normalize_ip(struct mbuf **, int, struct pfi_kif *, u_short *,
int pf_normalize_ip(struct mbuf **, int, struct pfi_kkif *, u_short *,
struct pf_pdesc *);
#endif /* INET */
#ifdef INET6
int pf_test6(int, int, struct ifnet *, struct mbuf **, struct inpcb *);
int pf_normalize_ip6(struct mbuf **, int, struct pfi_kif *, u_short *,
int pf_normalize_ip6(struct mbuf **, int, struct pfi_kkif *, u_short *,
struct pf_pdesc *);
void pf_poolmask(struct pf_addr *, struct pf_addr*,
struct pf_addr *, struct pf_addr *, u_int8_t);
@ -1510,7 +1526,7 @@ int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t);
void pf_normalize_init(void);
void pf_normalize_cleanup(void);
int pf_normalize_tcp(int, struct pfi_kif *, struct mbuf *, int, int, void *,
int pf_normalize_tcp(int, struct pfi_kkif *, struct mbuf *, int, int, void *,
struct pf_pdesc *);
void pf_normalize_tcp_cleanup(struct pf_state *);
int pf_normalize_tcp_init(struct mbuf *, int, struct pf_pdesc *,
@ -1522,7 +1538,7 @@ u_int32_t
pf_state_expires(const struct pf_state *);
void pf_purge_expired_fragments(void);
void pf_purge_fragments(uint32_t);
int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *,
int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *,
int);
int pf_socket_lookup(int, struct pf_pdesc *, struct mbuf *);
struct pf_state_key *pf_alloc_state_key(int);
@ -1565,19 +1581,19 @@ int pfr_ina_define(struct pfr_table *, struct pfr_addr *, int, int *,
int *, u_int32_t, int);
MALLOC_DECLARE(PFI_MTYPE);
VNET_DECLARE(struct pfi_kif *, pfi_all);
VNET_DECLARE(struct pfi_kkif *, pfi_all);
#define V_pfi_all VNET(pfi_all)
void pfi_initialize(void);
void pfi_initialize_vnet(void);
void pfi_cleanup(void);
void pfi_cleanup_vnet(void);
void pfi_kif_ref(struct pfi_kif *);
void pfi_kif_unref(struct pfi_kif *);
struct pfi_kif *pfi_kif_find(const char *);
struct pfi_kif *pfi_kif_attach(struct pfi_kif *, const char *);
int pfi_kif_match(struct pfi_kif *, struct pfi_kif *);
void pfi_kif_purge(void);
void pfi_kkif_ref(struct pfi_kkif *);
void pfi_kkif_unref(struct pfi_kkif *);
struct pfi_kkif *pfi_kkif_find(const char *);
struct pfi_kkif *pfi_kkif_attach(struct pfi_kkif *, const char *);
int pfi_kkif_match(struct pfi_kkif *, struct pfi_kkif *);
void pfi_kkif_purge(void);
int pfi_match_addr(struct pfi_dynaddr *, struct pf_addr *,
sa_family_t);
int pfi_dynaddr_setup(struct pf_addr_wrap *, sa_family_t);
@ -1651,7 +1667,7 @@ int pf_map_addr(u_int8_t, struct pf_krule *,
struct pf_addr *, struct pf_addr *,
struct pf_addr *, struct pf_ksrc_node **);
struct pf_krule *pf_get_translation(struct pf_pdesc *, struct mbuf *,
int, int, struct pfi_kif *, struct pf_ksrc_node **,
int, int, struct pfi_kkif *, struct pf_ksrc_node **,
struct pf_state_key **, struct pf_state_key **,
struct pf_addr *, struct pf_addr *,
uint16_t, uint16_t, struct pf_kanchor_stackframe *);

2
sys/netpfil/pf/if_pflog.c
View File

@ -201,7 +201,7 @@ pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
}
static int
pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
u_int8_t reason, struct pf_krule *rm, struct pf_krule *am,
struct pf_kruleset *ruleset, struct pf_pdesc *pd, int lookupsafe)
{

6
sys/netpfil/pf/if_pfsync.c
View File

@ -464,7 +464,7 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags)
struct pf_state *st = NULL;
struct pf_state_key *skw = NULL, *sks = NULL;
struct pf_krule *r = NULL;
struct pfi_kif *kif;
struct pfi_kkif *kif;
int error;
PF_RULES_RASSERT();
@ -476,7 +476,7 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags)
return (EINVAL);
}
if ((kif = pfi_kif_find(sp->ifname)) == NULL) {
if ((kif = pfi_kkif_find(sp->ifname)) == NULL) {
if (V_pf_status.debug >= PF_DEBUG_MISC)
printf("%s: unknown interface: %s\n", __func__,
sp->ifname);
@ -764,7 +764,7 @@ pfsync_in_clr(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count)
creatorid = clr[i].creatorid;
if (clr[i].ifname[0] != '\0' &&
pfi_kif_find(clr[i].ifname) == NULL)
pfi_kkif_find(clr[i].ifname) == NULL)
continue;
for (int i = 0; i <= pf_hashmask; i++) {

62
sys/netpfil/pf/pf.c
View File

@ -118,7 +118,7 @@ __FBSDID("$FreeBSD$");
/* state tables */
VNET_DEFINE(struct pf_altqqueue, pf_altqs[4]);
VNET_DEFINE(struct pf_palist, pf_pabuf);
VNET_DEFINE(struct pf_kpalist, pf_pabuf);
VNET_DEFINE(struct pf_altqqueue *, pf_altqs_active);
VNET_DEFINE(struct pf_altqqueue *, pf_altq_ifs_active);
VNET_DEFINE(struct pf_altqqueue *, pf_altqs_inactive);
@ -244,38 +244,38 @@ static void pf_state_key_detach(struct pf_state *, int);
static int pf_state_key_ctor(void *, int, void *, int);
static u_int32_t pf_tcp_iss(struct pf_pdesc *);
static int pf_test_rule(struct pf_krule **, struct pf_state **,
int, struct pfi_kif *, struct mbuf *, int,
int, struct pfi_kkif *, struct mbuf *, int,
struct pf_pdesc *, struct pf_krule **,
struct pf_kruleset **, struct inpcb *);
static int pf_create_state(struct pf_krule *, struct pf_krule *,
struct pf_krule *, struct pf_pdesc *,
struct pf_ksrc_node *, struct pf_state_key *,
struct pf_state_key *, struct mbuf *, int,
u_int16_t, u_int16_t, int *, struct pfi_kif *,
u_int16_t, u_int16_t, int *, struct pfi_kkif *,
struct pf_state **, int, u_int16_t, u_int16_t,
int);
static int pf_test_fragment(struct pf_krule **, int,
struct pfi_kif *, struct mbuf *, void *,
struct pfi_kkif *, struct mbuf *, void *,
struct pf_pdesc *, struct pf_krule **,
struct pf_kruleset **);
static int pf_tcp_track_full(struct pf_state_peer *,
struct pf_state_peer *, struct pf_state **,
struct pfi_kif *, struct mbuf *, int,
struct pfi_kkif *, struct mbuf *, int,
struct pf_pdesc *, u_short *, int *);
static int pf_tcp_track_sloppy(struct pf_state_peer *,
struct pf_state_peer *, struct pf_state **,
struct pf_pdesc *, u_short *);
static int pf_test_state_tcp(struct pf_state **, int,
struct pfi_kif *, struct mbuf *, int,
struct pfi_kkif *, struct mbuf *, int,
void *, struct pf_pdesc *, u_short *);
static int pf_test_state_udp(struct pf_state **, int,
struct pfi_kif *, struct mbuf *, int,
struct pfi_kkif *, struct mbuf *, int,
void *, struct pf_pdesc *);
static int pf_test_state_icmp(struct pf_state **, int,
struct pfi_kif *, struct mbuf *, int,
struct pfi_kkif *, struct mbuf *, int,
void *, struct pf_pdesc *, u_short *);
static int pf_test_state_other(struct pf_state **, int,
struct pfi_kif *, struct mbuf *, struct pf_pdesc *);
struct pfi_kkif *, struct mbuf *, struct pf_pdesc *);
static u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t,
sa_family_t);
static u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t,
@ -290,7 +290,7 @@ static int pf_addr_wrap_neq(struct pf_addr_wrap *,
struct pf_addr_wrap *);
static void pf_patch_8(struct mbuf *, u_int16_t *, u_int8_t *, u_int8_t,
bool, u_int8_t);
static struct pf_state *pf_find_state(struct pfi_kif *,
static struct pf_state *pf_find_state(struct pfi_kkif *,
struct pf_state_key_cmp *, u_int);
static int pf_src_connlimit(struct pf_state **);
static void pf_overload_task(void *v, int pending);
@ -1255,7 +1255,7 @@ pf_state_key_clone(struct pf_state_key *orig)
}
int
pf_state_insert(struct pfi_kif *kif, struct pf_state_key *skw,
pf_state_insert(struct pfi_kkif *kif, struct pf_state_key *skw,
struct pf_state_key *sks, struct pf_state *s)
{
struct pf_idhash *ih;
@ -1341,7 +1341,7 @@ pf_find_state_byid(uint64_t id, uint32_t creatorid)
* Returns with ID hash slot locked on success.
*/
static struct pf_state *
pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir)
pf_find_state(struct pfi_kkif *kif, struct pf_state_key_cmp *key, u_int dir)
{
struct pf_keyhash *kh;
struct pf_state_key *sk;
@ -1538,7 +1538,7 @@ pf_purge_thread(void *unused __unused)
pf_purge_expired_fragments();
pf_purge_expired_src_nodes();
pf_purge_unlinked_rules();
pfi_kif_purge();
pfi_kkif_purge();
}
CURVNET_RESTORE();
}
@ -1561,7 +1561,7 @@ pf_unload_vnet_purge(void)
* raise them, and then second run frees.
*/
pf_purge_unlinked_rules();
pfi_kif_purge();
pfi_kkif_purge();
/*
* Now purge everything.
@ -1575,7 +1575,7 @@ pf_unload_vnet_purge(void)
* thus should be successfully freed.
*/
pf_purge_unlinked_rules();
pfi_kif_purge();
pfi_kkif_purge();
}
u_int32_t
@ -2602,7 +2602,7 @@ pf_send_tcp(struct mbuf *replyto, const struct pf_krule *r, sa_family_t af,
static void
pf_return(struct pf_krule *r, struct pf_krule *nr, struct pf_pdesc *pd,
struct pf_state_key *sk, int off, struct mbuf *m, struct tcphdr *th,
struct pfi_kif *kif, u_int16_t bproto_sum, u_int16_t bip_sum, int hdrlen,
struct pfi_kkif *kif, u_int16_t bproto_sum, u_int16_t bip_sum, int hdrlen,
u_short *reason)
{
struct pf_addr * const saddr = pd->src;
@ -3325,7 +3325,7 @@ pf_tcp_iss(struct pf_pdesc *pd)
static int
pf_test_rule(struct pf_krule **rm, struct pf_state **sm, int direction,
struct pfi_kif *kif, struct mbuf *m, int off, struct pf_pdesc *pd,
struct pfi_kkif *kif, struct mbuf *m, int off, struct pf_pdesc *pd,
struct pf_krule **am, struct pf_kruleset **rsm, struct inpcb *inp)
{
struct pf_krule *nr = NULL;
@ -3538,7 +3538,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_state **sm, int direction,
while (r != NULL) {
counter_u64_add(r->evaluations, 1);
if (pfi_kif_match(r->kif, kif) == r->ifnot)
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != direction)
r = r->skip[PF_SKIP_DIR].ptr;
@ -3701,7 +3701,7 @@ static int
pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a,
struct pf_pdesc *pd, struct pf_ksrc_node *nsn, struct pf_state_key *nk,
struct pf_state_key *sk, struct mbuf *m, int off, u_int16_t sport,
u_int16_t dport, int *rewrite, struct pfi_kif *kif, struct pf_state **sm,
u_int16_t dport, int *rewrite, struct pfi_kkif *kif, struct pf_state **sm,
int tag, u_int16_t bproto_sum, u_int16_t bip_sum, int hdrlen)
{
struct pf_state *s = NULL;
@ -3960,7 +3960,7 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a,
}
static int
pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kif *kif,
pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif,
struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_krule **am,
struct pf_kruleset **rsm)
{
@ -3978,7 +3978,7 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kif *kif,
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
while (r != NULL) {
counter_u64_add(r->evaluations, 1);
if (pfi_kif_match(r->kif, kif) == r->ifnot)
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != direction)
r = r->skip[PF_SKIP_DIR].ptr;
@ -4056,7 +4056,7 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kif *kif,
static int
pf_tcp_track_full(struct pf_state_peer *src, struct pf_state_peer *dst,
struct pf_state **state, struct pfi_kif *kif, struct mbuf *m, int off,
struct pf_state **state, struct pfi_kkif *kif, struct mbuf *m, int off,
struct pf_pdesc *pd, u_short *reason, int *copyback)
{
struct tcphdr *th = pd->hdr.tcp;
@ -4453,7 +4453,7 @@ pf_tcp_track_sloppy(struct pf_state_peer *src, struct pf_state_peer *dst,
}
static int
pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kkif *kif,
struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
u_short *reason)
{
@ -4621,7 +4621,7 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
}
static int
pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif,
pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kkif *kif,
struct mbuf *m, int off, void *h, struct pf_pdesc *pd)
{
struct pf_state_peer *src, *dst;
@ -4688,7 +4688,7 @@ pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif,
}
static int
pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kkif *kif,
struct mbuf *m, int off, void *h, struct pf_pdesc *pd, u_short *reason)
{
struct pf_addr *saddr = pd->src, *daddr = pd->dst;
@ -5292,7 +5292,7 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
}
static int
pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif,
pf_test_state_other(struct pf_state **state, int direction, struct pfi_kkif *kif,
struct mbuf *m, struct pf_pdesc *pd)
{
struct pf_state_peer *src, *dst;
@ -5424,7 +5424,7 @@ pf_pull_hdr(struct mbuf *m, int off, void *p, int len,
}
int
pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *kif,
pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *kif,
int rtableid)
{
struct ifnet *ifp;
@ -5888,7 +5888,7 @@ pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p, sa_family_t a
int
pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
{
struct pfi_kif *kif;
struct pfi_kkif *kif;
u_short action, reason = 0, log = 0;
struct mbuf *m = *m0;
struct ip *h = NULL;
@ -5908,7 +5908,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *
memset(&pd, 0, sizeof(pd));
kif = (struct pfi_kif *)ifp->if_pf_kif;
kif = (struct pfi_kkif *)ifp->if_pf_kif;
if (kif == NULL) {
DPFPRINTF(PF_DEBUG_URGENT,
@ -6280,7 +6280,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *
int
pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
{
struct pfi_kif *kif;
struct pfi_kkif *kif;
u_short action, reason = 0, log = 0;
struct mbuf *m = *m0, *n = NULL;
struct m_tag *mtag;
@ -6303,7 +6303,7 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
if (pd.pf_mtag && pd.pf_mtag->flags & PF_TAG_GENERATED)
return (PF_PASS);
kif = (struct pfi_kif *)ifp->if_pf_kif;
kif = (struct pfi_kkif *)ifp->if_pf_kif;
if (kif == NULL) {
DPFPRINTF(PF_DEBUG_URGENT,
("pf_test6: kif == NULL, if_xname %s\n", ifp->if_xname));

23
sys/netpfil/pf/pf.h
View File

@ -189,6 +189,29 @@ enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
struct pf_rule;
/* keep synced with pfi_kif, used in RB_FIND */
struct pfi_kif_cmp {
char pfik_name[IFNAMSIZ];
};
struct pfi_kif {
char pfik_name[IFNAMSIZ];
union {
RB_ENTRY(pfi_kif) _pfik_tree;
LIST_ENTRY(pfi_kif) _pfik_list;
} _pfik_glue;
#define pfik_tree _pfik_glue._pfik_tree
#define pfik_list _pfik_glue._pfik_list
u_int64_t pfik_packets[2][2][2];
u_int64_t pfik_bytes[2][2][2];
u_int32_t pfik_tzero;
u_int pfik_flags;
struct ifnet *pfik_ifp;
struct ifg_group *pfik_group;
u_int pfik_rulerefs;
TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs;
};
struct pf_status {
uint64_t counters[PFRES_MAX];
uint64_t lcounters[LCNT_MAX];

146
sys/netpfil/pf/pf_if.c
View File

@ -54,7 +54,7 @@ __FBSDID("$FreeBSD$");
#include <net/pfvar.h>
#include <net/route.h>
VNET_DEFINE(struct pfi_kif *, pfi_all);
VNET_DEFINE(struct pfi_kkif *, pfi_all);
VNET_DEFINE_STATIC(long, pfi_update);
#define V_pfi_update VNET(pfi_update)
#define PFI_BUFFER_MAX 0x10000
@ -76,17 +76,17 @@ eventhandler_tag pfi_change_group_cookie;
eventhandler_tag pfi_detach_group_cookie;
eventhandler_tag pfi_ifaddr_event_cookie;
static void pfi_attach_ifnet(struct ifnet *, struct pfi_kif *);
static void pfi_attach_ifgroup(struct ifg_group *, struct pfi_kif *);
static void pfi_attach_ifnet(struct ifnet *, struct pfi_kkif *);
static void pfi_attach_ifgroup(struct ifg_group *, struct pfi_kkif *);
static void pfi_kif_update(struct pfi_kif *);
static void pfi_kkif_update(struct pfi_kkif *);
static void pfi_dynaddr_update(struct pfi_dynaddr *dyn);
static void pfi_table_update(struct pfr_ktable *, struct pfi_kif *, int,
static void pfi_table_update(struct pfr_ktable *, struct pfi_kkif *, int,
int);
static void pfi_instance_add(struct ifnet *, int, int);
static void pfi_address_add(struct sockaddr *, int, int);
static int pfi_if_compare(struct pfi_kif *, struct pfi_kif *);
static int pfi_skip_if(const char *, struct pfi_kif *);
static int pfi_kkif_compare(struct pfi_kkif *, struct pfi_kkif *);
static int pfi_skip_if(const char *, struct pfi_kkif *);
static int pfi_unmask(void *);
static void pfi_attach_ifnet_event(void * __unused, struct ifnet *);
static void pfi_detach_ifnet_event(void * __unused, struct ifnet *);
@ -95,16 +95,16 @@ static void pfi_change_group_event(void * __unused, char *);
static void pfi_detach_group_event(void * __unused, struct ifg_group *);
static void pfi_ifaddr_event(void * __unused, struct ifnet *);
RB_HEAD(pfi_ifhead, pfi_kif);
static RB_PROTOTYPE(pfi_ifhead, pfi_kif, pfik_tree, pfi_if_compare);
static RB_GENERATE(pfi_ifhead, pfi_kif, pfik_tree, pfi_if_compare);
RB_HEAD(pfi_ifhead, pfi_kkif);
static RB_PROTOTYPE(pfi_ifhead, pfi_kkif, pfik_tree, pfi_kkif_compare);
static RB_GENERATE(pfi_ifhead, pfi_kkif, pfik_tree, pfi_kkif_compare);
VNET_DEFINE_STATIC(struct pfi_ifhead, pfi_ifs);
#define V_pfi_ifs VNET(pfi_ifs)
#define PFI_BUFFER_MAX 0x10000
MALLOC_DEFINE(PFI_MTYPE, "pf_ifnet", "pf(4) interface database");
LIST_HEAD(pfi_list, pfi_kif);
LIST_HEAD(pfi_list, pfi_kkif);
VNET_DEFINE_STATIC(struct pfi_list, pfi_unlinked_kifs);
#define V_pfi_unlinked_kifs VNET(pfi_unlinked_kifs)
static struct mtx pfi_unlnkdkifs_mtx;
@ -116,7 +116,7 @@ pfi_initialize_vnet(void)
{
struct pfi_list kifs = LIST_HEAD_INITIALIZER();
struct epoch_tracker et;
struct pfi_kif *kif;
struct pfi_kkif *kif;
struct ifg_group *ifg;
struct ifnet *ifp;
int nkifs;
@ -141,7 +141,7 @@ pfi_initialize_vnet(void)
PF_RULES_WLOCK();
kif = LIST_FIRST(&kifs);
LIST_REMOVE(kif, pfik_list);
V_pfi_all = pfi_kif_attach(kif, IFG_ALL);
V_pfi_all = pfi_kkif_attach(kif, IFG_ALL);
CK_STAILQ_FOREACH(ifg, &V_ifg_head, ifg_next) {
kif = LIST_FIRST(&kifs);
LIST_REMOVE(kif, pfik_list);
@ -180,7 +180,7 @@ pfi_initialize(void)
void
pfi_cleanup_vnet(void)
{
struct pfi_kif *kif;
struct pfi_kkif *kif;
PF_RULES_WASSERT();
@ -218,8 +218,8 @@ pfi_cleanup(void)
EVENTHANDLER_DEREGISTER(ifaddr_event, pfi_ifaddr_event_cookie);
}
struct pfi_kif *
pfi_kif_find(const char *kif_name)
struct pfi_kkif *
pfi_kkif_find(const char *kif_name)
{
struct pfi_kif_cmp s;
@ -228,18 +228,18 @@ pfi_kif_find(const char *kif_name)
bzero(&s, sizeof(s));
strlcpy(s.pfik_name, kif_name, sizeof(s.pfik_name));
return (RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kif *)&s));
return (RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kkif *)&s));
}
struct pfi_kif *
pfi_kif_attach(struct pfi_kif *kif, const char *kif_name)
struct pfi_kkif *
pfi_kkif_attach(struct pfi_kkif *kif, const char *kif_name)
{
struct pfi_kif *kif1;
struct pfi_kkif *kif1;
PF_RULES_WASSERT();
KASSERT(kif != NULL, ("%s: null kif", __func__));
kif1 = pfi_kif_find(kif_name);
kif1 = pfi_kkif_find(kif_name);
if (kif1 != NULL) {
free(kif, PFI_MTYPE);
return (kif1);
@ -263,7 +263,7 @@ pfi_kif_attach(struct pfi_kif *kif, const char *kif_name)
}
void
pfi_kif_ref(struct pfi_kif *kif)
pfi_kkif_ref(struct pfi_kkif *kif)
{
PF_RULES_WASSERT();
@ -271,7 +271,7 @@ pfi_kif_ref(struct pfi_kif *kif)
}
void
pfi_kif_unref(struct pfi_kif *kif)
pfi_kkif_unref(struct pfi_kkif *kif)
{
PF_RULES_WASSERT();
@ -298,9 +298,9 @@ pfi_kif_unref(struct pfi_kif *kif)
}
void
pfi_kif_purge(void)
pfi_kkif_purge(void)
{
struct pfi_kif *kif, *kif1;
struct pfi_kkif *kif, *kif1;
/*
* Do naive mark-and-sweep garbage collecting of old kifs.
@ -318,7 +318,7 @@ pfi_kif_purge(void)
}
int
pfi_kif_match(struct pfi_kif *rule_kif, struct pfi_kif *packet_kif)
pfi_kkif_match(struct pfi_kkif *rule_kif, struct pfi_kkif *packet_kif)
{
struct ifg_list *p;
@ -337,27 +337,27 @@ pfi_kif_match(struct pfi_kif *rule_kif, struct pfi_kif *packet_kif)
}
static void
pfi_attach_ifnet(struct ifnet *ifp, struct pfi_kif *kif)
pfi_attach_ifnet(struct ifnet *ifp, struct pfi_kkif *kif)
{
PF_RULES_WASSERT();
V_pfi_update++;
kif = pfi_kif_attach(kif, ifp->if_xname);
kif = pfi_kkif_attach(kif, ifp->if_xname);
if_ref(ifp);
kif->pfik_ifp = ifp;
ifp->if_pf_kif = kif;
pfi_kif_update(kif);
pfi_kkif_update(kif);
}
static void
pfi_attach_ifgroup(struct ifg_group *ifg, struct pfi_kif *kif)
pfi_attach_ifgroup(struct ifg_group *ifg, struct pfi_kkif *kif)
{
PF_RULES_WASSERT();
V_pfi_update++;
kif = pfi_kif_attach(kif, ifg->ifg_group);
kif = pfi_kkif_attach(kif, ifg->ifg_group);
kif->pfik_group = ifg;
ifg->ifg_pf_kif = kif;
}
@ -404,7 +404,7 @@ pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af)
struct pfi_dynaddr *dyn;
char tblname[PF_TABLE_NAME_SIZE];
struct pf_kruleset *ruleset = NULL;
struct pfi_kif *kif;
struct pfi_kkif *kif;
int rv = 0;
PF_RULES_WASSERT();
@ -421,10 +421,10 @@ pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af)
}
if (!strcmp(aw->v.ifname, "self"))
dyn->pfid_kif = pfi_kif_attach(kif, IFG_ALL);
dyn->pfid_kif = pfi_kkif_attach(kif, IFG_ALL);
else
dyn->pfid_kif = pfi_kif_attach(kif, aw->v.ifname);
pfi_kif_ref(dyn->pfid_kif);
dyn->pfid_kif = pfi_kkif_attach(kif, aw->v.ifname);
pfi_kkif_ref(dyn->pfid_kif);
dyn->pfid_net = pfi_unmask(&aw->v.a.mask);
if (af == AF_INET && dyn->pfid_net == 32)
@ -458,7 +458,7 @@ pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af)
TAILQ_INSERT_TAIL(&dyn->pfid_kif->pfik_dynaddrs, dyn, entry);
aw->p.dyn = dyn;
NET_EPOCH_ENTER(et);
pfi_kif_update(dyn->pfid_kif);
pfi_kkif_update(dyn->pfid_kif);
NET_EPOCH_EXIT(et);
return (0);
@ -469,19 +469,19 @@ pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af)
if (ruleset != NULL)
pf_remove_if_empty_kruleset(ruleset);
if (dyn->pfid_kif != NULL)
pfi_kif_unref(dyn->pfid_kif);
pfi_kkif_unref(dyn->pfid_kif);
free(dyn, PFI_MTYPE);
return (rv);
}
static void
pfi_kif_update(struct pfi_kif *kif)
pfi_kkif_update(struct pfi_kkif *kif)
{
struct ifg_list *ifgl;
struct ifg_member *ifgm;
struct pfi_dynaddr *p;
struct pfi_kif *tmpkif;
struct pfi_kkif *tmpkif;
NET_EPOCH_ASSERT();
PF_RULES_WASSERT();
@ -494,7 +494,7 @@ pfi_kif_update(struct pfi_kif *kif)
if (kif->pfik_group != NULL) {
CK_STAILQ_FOREACH(ifgm, &kif->pfik_group->ifg_members,
ifgm_next) {
tmpkif = (struct pfi_kif *)ifgm->ifgm_ifp->if_pf_kif;
tmpkif = (struct pfi_kkif *)ifgm->ifgm_ifp->if_pf_kif;
if (tmpkif == NULL)
continue;
@ -505,7 +505,7 @@ pfi_kif_update(struct pfi_kif *kif)
/* again for all groups kif is member of */
if (kif->pfik_ifp != NULL) {
CK_STAILQ_FOREACH(ifgl, &kif->pfik_ifp->if_groups, ifgl_next)
pfi_kif_update((struct pfi_kif *)
pfi_kkif_update((struct pfi_kkif *)
ifgl->ifgl_group->ifg_pf_kif);
}
}
@ -513,7 +513,7 @@ pfi_kif_update(struct pfi_kif *kif)
static void
pfi_dynaddr_update(struct pfi_dynaddr *dyn)
{
struct pfi_kif *kif;
struct pfi_kkif *kif;
struct pfr_ktable *kt;
PF_RULES_WASSERT();
@ -532,7 +532,7 @@ pfi_dynaddr_update(struct pfi_dynaddr *dyn)
}
static void
pfi_table_update(struct pfr_ktable *kt, struct pfi_kif *kif, int net, int flags)
pfi_table_update(struct pfr_ktable *kt, struct pfi_kkif *kif, int net, int flags)
{
int e, size2 = 0;
struct ifg_member *ifgm;
@ -677,7 +677,7 @@ pfi_dynaddr_remove(struct pfi_dynaddr *dyn)
KASSERT(dyn->pfid_kt != NULL, ("%s: null pfid_kt", __func__));
TAILQ_REMOVE(&dyn->pfid_kif->pfik_dynaddrs, dyn, entry);
pfi_kif_unref(dyn->pfid_kif);
pfi_kkif_unref(dyn->pfid_kif);
pfr_detach_table(dyn->pfid_kt);
free(dyn, PFI_MTYPE);
}
@ -695,7 +695,7 @@ pfi_dynaddr_copyout(struct pf_addr_wrap *aw)
}
static int
pfi_if_compare(struct pfi_kif *p, struct pfi_kif *q)
pfi_kkif_compare(struct pfi_kkif *p, struct pfi_kkif *q)
{
return (strncmp(p->pfik_name, q->pfik_name, IFNAMSIZ));
}
@ -703,14 +703,14 @@ pfi_if_compare(struct pfi_kif *p, struct pfi_kif *q)
void
pfi_update_status(const char *name, struct pf_status *pfs)
{
struct pfi_kif *p;
struct pfi_kkif *p;
struct pfi_kif_cmp key;
struct ifg_member p_member, *ifgm;
CK_STAILQ_HEAD(, ifg_member) ifg_members;
int i, j, k;
strlcpy(key.pfik_name, name, sizeof(key.pfik_name));
p = RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kif *)&key);
p = RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kkif *)&key);
if (p == NULL)
return;
@ -731,7 +731,7 @@ pfi_update_status(const char *name, struct pf_status *pfs)
CK_STAILQ_FOREACH(ifgm, &ifg_members, ifgm_next) {
if (ifgm->ifgm_ifp == NULL || ifgm->ifgm_ifp->if_pf_kif == NULL)
continue;
p = (struct pfi_kif *)ifgm->ifgm_ifp->if_pf_kif;
p = (struct pfi_kkif *)ifgm->ifgm_ifp->if_pf_kif;
/* just clear statistics */
if (pfs == NULL) {
@ -751,11 +751,31 @@ pfi_update_status(const char *name, struct pf_status *pfs)
}
}
static void
pf_kkif_to_kif(const struct pfi_kkif *kkif, struct pfi_kif *kif)
{
bzero(kif, sizeof(*kif));
strlcpy(kif->pfik_name, kkif->pfik_name, sizeof(kif->pfik_name));
for (int i = 0; i < 2; i++) {
for (int j = 0; j < 2; j++) {
for (int k = 0; k < 2; k++) {
kif->pfik_packets[i][j][k] =
kkif->pfik_packets[i][j][k];
kif->pfik_bytes[i][j][k] =
kkif->pfik_bytes[i][j][k];
}
}
}
kif->pfik_tzero = kkif->pfik_tzero;
kif->pfik_rulerefs = kkif->pfik_rulerefs;
}
void
pfi_get_ifaces(const char *name, struct pfi_kif *buf, int *size)
{
struct epoch_tracker et;
struct pfi_kif *p, *nextp;
struct pfi_kkif *p, *nextp;
int n = 0;
NET_EPOCH_ENTER(et);
@ -767,7 +787,7 @@ pfi_get_ifaces(const char *name, struct pfi_kif *buf, int *size)
break;
if (!p->pfik_tzero)
p->pfik_tzero = time_second;
bcopy(p, buf++, sizeof(*buf));
pf_kkif_to_kif(p, buf++);
nextp = RB_NEXT(pfi_ifhead, &V_pfi_ifs, p);
}
*size = n;
@ -775,7 +795,7 @@ pfi_get_ifaces(const char *name, struct pfi_kif *buf, int *size)
}
static int
pfi_skip_if(const char *filter, struct pfi_kif *p)
pfi_skip_if(const char *filter, struct pfi_kkif *p)
{
struct ifg_list *i;
int n;
@ -803,7 +823,7 @@ int
pfi_set_flags(const char *name, int flags)
{
struct epoch_tracker et;
struct pfi_kif *p, *kif;
struct pfi_kkif *p, *kif;
kif = malloc(sizeof(*kif), PFI_MTYPE, M_NOWAIT);
if (kif == NULL)
@ -811,7 +831,7 @@ pfi_set_flags(const char *name, int flags)
NET_EPOCH_ENTER(et);
kif = pfi_kif_attach(kif, name);
kif = pfi_kkif_attach(kif, name);
RB_FOREACH(p, pfi_ifhead, &V_pfi_ifs) {
if (pfi_skip_if(name, p))
@ -826,7 +846,7 @@ int
pfi_clear_flags(const char *name, int flags)
{
struct epoch_tracker et;
struct pfi_kif *p, *tmp;
struct pfi_kkif *p, *tmp;
NET_EPOCH_ENTER(et);
RB_FOREACH_SAFE(p, pfi_ifhead, &V_pfi_ifs, tmp) {
@ -869,7 +889,7 @@ static void
pfi_attach_ifnet_event(void *arg __unused, struct ifnet *ifp)
{
struct epoch_tracker et;
struct pfi_kif *kif;
struct pfi_kkif *kif;
if (V_pf_vnet_active == 0) {
/* Avoid teardown race in the least expensive way. */
@ -890,7 +910,7 @@ static void
pfi_detach_ifnet_event(void *arg __unused, struct ifnet *ifp)
{
struct epoch_tracker et;
struct pfi_kif *kif = (struct pfi_kif *)ifp->if_pf_kif;
struct pfi_kkif *kif = (struct pfi_kkif *)ifp->if_pf_kif;
if (pfsync_detach_ifnet_ptr)
pfsync_detach_ifnet_ptr(ifp);
@ -906,7 +926,7 @@ pfi_detach_ifnet_event(void *arg __unused, struct ifnet *ifp)
NET_EPOCH_ENTER(et);
PF_RULES_WLOCK();
V_pfi_update++;
pfi_kif_update(kif);
pfi_kkif_update(kif);
if (kif->pfik_ifp)
if_rele(kif->pfik_ifp);
@ -924,7 +944,7 @@ static void
pfi_attach_group_event(void *arg __unused, struct ifg_group *ifg)
{
struct epoch_tracker et;
struct pfi_kif *kif;
struct pfi_kkif *kif;
if (V_pf_vnet_active == 0) {
/* Avoid teardown race in the least expensive way. */
@ -942,7 +962,7 @@ static void
pfi_change_group_event(void *arg __unused, char *gname)
{
struct epoch_tracker et;
struct pfi_kif *kif;
struct pfi_kkif *kif;
if (V_pf_vnet_active == 0) {
/* Avoid teardown race in the least expensive way. */
@ -953,8 +973,8 @@ pfi_change_group_event(void *arg __unused, char *gname)
NET_EPOCH_ENTER(et);
PF_RULES_WLOCK();
V_pfi_update++;
kif = pfi_kif_attach(kif, gname);
pfi_kif_update(kif);
kif = pfi_kkif_attach(kif, gname);
pfi_kkif_update(kif);
PF_RULES_WUNLOCK();
NET_EPOCH_EXIT(et);
}
@ -962,7 +982,7 @@ pfi_change_group_event(void *arg __unused, char *gname)
static void
pfi_detach_group_event(void *arg __unused, struct ifg_group *ifg)
{
struct pfi_kif *kif = (struct pfi_kif *)ifg->ifg_pf_kif;
struct pfi_kkif *kif = (struct pfi_kkif *)ifg->ifg_pf_kif;
if (kif == NULL)
return;
@ -998,7 +1018,7 @@ pfi_ifaddr_event(void *arg __unused, struct ifnet *ifp)
V_pfi_update++;
NET_EPOCH_ENTER(et);
pfi_kif_update(ifp->if_pf_kif);
pfi_kkif_update(ifp->if_pf_kif);
NET_EPOCH_EXIT(et);
}
PF_RULES_WUNLOCK();

112
sys/netpfil/pf/pf_ioctl.c
View File

@ -91,11 +91,11 @@ __FBSDID("$FreeBSD$");
#include <net/altq/altq.h>
#endif
static struct pf_pool *pf_get_pool(char *, u_int32_t, u_int8_t, u_int32_t,
static struct pf_kpool *pf_get_kpool(char *, u_int32_t, u_int8_t, u_int32_t,
u_int8_t, u_int8_t, u_int8_t);
static void pf_mv_pool(struct pf_palist *, struct pf_palist *);
static void pf_empty_pool(struct pf_palist *);
static void pf_mv_kpool(struct pf_kpalist *, struct pf_kpalist *);
static void pf_empty_kpool(struct pf_kpalist *);
static int pfioctl(struct cdev *, u_long, caddr_t, int,
struct thread *);
#ifdef ALTQ
@ -337,8 +337,8 @@ pfattach_vnet(void)
return;
}
static struct pf_pool *
pf_get_pool(char *anchor, u_int32_t ticket, u_int8_t rule_action,
static struct pf_kpool *
pf_get_kpool(char *anchor, u_int32_t ticket, u_int8_t rule_action,
u_int32_t rule_number, u_int8_t r_last, u_int8_t active,
u_int8_t check_ticket)
{
@ -382,9 +382,9 @@ pf_get_pool(char *anchor, u_int32_t ticket, u_int8_t rule_action,
}
static void
pf_mv_pool(struct pf_palist *poola, struct pf_palist *poolb)
pf_mv_kpool(struct pf_kpalist *poola, struct pf_kpalist *poolb)
{
struct pf_pooladdr *mv_pool_pa;
struct pf_kpooladdr *mv_pool_pa;
while ((mv_pool_pa = TAILQ_FIRST(poola)) != NULL) {
TAILQ_REMOVE(poola, mv_pool_pa, entries);
@ -393,9 +393,9 @@ pf_mv_pool(struct pf_palist *poola, struct pf_palist *poolb)
}
static void
pf_empty_pool(struct pf_palist *poola)
pf_empty_kpool(struct pf_kpalist *poola)
{
struct pf_pooladdr *pa;
struct pf_kpooladdr *pa;
while ((pa = TAILQ_FIRST(poola)) != NULL) {
switch (pa->addr.type) {
@ -409,7 +409,7 @@ pf_empty_pool(struct pf_palist *poola)
break;
}
if (pa->kif)
pfi_kif_unref(pa->kif);
pfi_kkif_unref(pa->kif);
TAILQ_REMOVE(poola, pa, entries);
free(pa, M_PFRULE);
}
@ -463,9 +463,9 @@ pf_free_rule(struct pf_krule *rule)
if (rule->overload_tbl)
pfr_detach_table(rule->overload_tbl);
if (rule->kif)
pfi_kif_unref(rule->kif);
pfi_kkif_unref(rule->kif);
pf_kanchor_remove(rule);
pf_empty_pool(&rule->rpool.list);
pf_empty_kpool(&rule->rpool.list);
counter_u64_free(rule->evaluations);
for (int i = 0; i < 2; i++) {
counter_u64_free(rule->packets[i]);
@ -1435,6 +1435,26 @@ pf_altq_get_nth_active(u_int32_t n)
}
#endif /* ALTQ */
static void
pf_kpooladdr_to_pooladdr(const struct pf_kpooladdr *kpool,
struct pf_pooladdr *pool)
{
bzero(pool, sizeof(*pool));
bcopy(&kpool->addr, &pool->addr, sizeof(pool->addr));
strlcpy(pool->ifname, kpool->ifname, sizeof(pool->ifname));
}
static void
pf_pooladdr_to_kpooladdr(const struct pf_pooladdr *pool,
struct pf_kpooladdr *kpool)
{
bzero(kpool, sizeof(*kpool));
bcopy(&pool->addr, &kpool->addr, sizeof(kpool->addr));
strlcpy(kpool->ifname, pool->ifname, sizeof(kpool->ifname));
}
static void
pf_krule_to_rule(const struct pf_krule *krule, struct pf_rule *rule)
{
@ -1787,8 +1807,8 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
struct pfioc_rule *pr = (struct pfioc_rule *)addr;
struct pf_kruleset *ruleset;
struct pf_krule *rule, *tail;
struct pf_pooladdr *pa;
struct pfi_kif *kif = NULL;
struct pf_kpooladdr *pa;
struct pfi_kkif *kif = NULL;
int rs_num;
if (pr->rule.return_icmp >> 8 > ICMP_MAXTYPE) {
@ -1859,8 +1879,8 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
else
rule->nr = 0;
if (rule->ifname[0]) {
rule->kif = pfi_kif_attach(kif, rule->ifname);
pfi_kif_ref(rule->kif);
rule->kif = pfi_kkif_attach(kif, rule->ifname);
pfi_kkif_ref(rule->kif);
} else
rule->kif = NULL;
@ -1921,7 +1941,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
PFR_TFLAG_ACTIVE;
}
pf_mv_pool(&V_pf_pabuf, &rule->rpool.list);
pf_mv_kpool(&V_pf_pabuf, &rule->rpool.list);
if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) ||
(rule->action == PF_BINAT)) && rule->anchor == NULL) ||
(rule->rt > PF_NOPFROUTE)) &&
@ -2054,8 +2074,8 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
struct pfioc_rule *pcr = (struct pfioc_rule *)addr;
struct pf_kruleset *ruleset;
struct pf_krule *oldrule = NULL, *newrule = NULL;
struct pfi_kif *kif = NULL;
struct pf_pooladdr *pa;
struct pfi_kkif *kif = NULL;
struct pf_kpooladdr *pa;
u_int32_t nr = 0;
int rs_num;
@ -2126,9 +2146,9 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
if (pcr->action != PF_CHANGE_REMOVE) {
if (newrule->ifname[0]) {
newrule->kif = pfi_kif_attach(kif,
newrule->kif = pfi_kkif_attach(kif,
newrule->ifname);
pfi_kif_ref(newrule->kif);
pfi_kkif_ref(newrule->kif);
} else
newrule->kif = NULL;
@ -2190,7 +2210,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
PFR_TFLAG_ACTIVE;
}
pf_mv_pool(&V_pf_pabuf, &newrule->rpool.list);
pf_mv_kpool(&V_pf_pabuf, &newrule->rpool.list);
if (((((newrule->action == PF_NAT) ||
(newrule->action == PF_RDR) ||
(newrule->action == PF_BINAT) ||
@ -2207,7 +2227,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
newrule->rpool.cur = TAILQ_FIRST(&newrule->rpool.list);
}
pf_empty_pool(&V_pf_pabuf);
pf_empty_kpool(&V_pf_pabuf);
if (pcr->action == PF_CHANGE_ADD_HEAD)
oldrule = TAILQ_FIRST(
@ -2876,7 +2896,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
PF_RULES_WLOCK();
pf_empty_pool(&V_pf_pabuf);
pf_empty_kpool(&V_pf_pabuf);
pp->ticket = ++V_ticket_pabuf;
PF_RULES_WUNLOCK();
break;
@ -2884,8 +2904,8 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
case DIOCADDADDR: {
struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
struct pf_pooladdr *pa;
struct pfi_kif *kif = NULL;
struct pf_kpooladdr *pa;
struct pfi_kkif *kif = NULL;
#ifndef INET
if (pp->af == AF_INET) {
@ -2910,7 +2930,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
break;
}
pa = malloc(sizeof(*pa), M_PFRULE, M_WAITOK);
bcopy(&pp->addr, pa, sizeof(struct pf_pooladdr));
pf_pooladdr_to_kpooladdr(&pp->addr, pa);
if (pa->ifname[0])
kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);
PF_RULES_WLOCK();
@ -2923,14 +2943,14 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
break;
}
if (pa->ifname[0]) {
pa->kif = pfi_kif_attach(kif, pa->ifname);
pfi_kif_ref(pa->kif);
pa->kif = pfi_kkif_attach(kif, pa->ifname);
pfi_kkif_ref(pa->kif);
} else
pa->kif = NULL;
if (pa->addr.type == PF_ADDR_DYNIFTL && ((error =
pfi_dynaddr_setup(&pa->addr, pp->af)) != 0)) {
if (pa->ifname[0])
pfi_kif_unref(pa->kif);
pfi_kkif_unref(pa->kif);
PF_RULES_WUNLOCK();
free(pa, M_PFRULE);
break;
@ -2942,12 +2962,12 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
case DIOCGETADDRS: {
struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
struct pf_pool *pool;
struct pf_pooladdr *pa;
struct pf_kpool *pool;
struct pf_kpooladdr *pa;
PF_RULES_RLOCK();
pp->nr = 0;
pool = pf_get_pool(pp->anchor, pp->ticket, pp->r_action,
pool = pf_get_kpool(pp->anchor, pp->ticket, pp->r_action,
pp->r_num, 0, 1, 0);
if (pool == NULL) {
PF_RULES_RUNLOCK();
@ -2962,12 +2982,12 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
case DIOCGETADDR: {
struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
struct pf_pool *pool;
struct pf_pooladdr *pa;
struct pf_kpool *pool;
struct pf_kpooladdr *pa;
u_int32_t nr = 0;
PF_RULES_RLOCK();
pool = pf_get_pool(pp->anchor, pp->ticket, pp->r_action,
pool = pf_get_kpool(pp->anchor, pp->ticket, pp->r_action,
pp->r_num, 0, 1, 1);
if (pool == NULL) {
PF_RULES_RUNLOCK();
@ -2984,7 +3004,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
error = EBUSY;
break;
}
bcopy(pa, &pp->addr, sizeof(struct pf_pooladdr));
pf_kpooladdr_to_pooladdr(pa, &pp->addr);
pf_addr_copyout(&pp->addr.addr);
PF_RULES_RUNLOCK();
break;
@ -2992,10 +3012,10 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
case DIOCCHANGEADDR: {
struct pfioc_pooladdr *pca = (struct pfioc_pooladdr *)addr;
struct pf_pool *pool;
struct pf_pooladdr *oldpa = NULL, *newpa = NULL;
struct pf_kpool *pool;
struct pf_kpooladdr *oldpa = NULL, *newpa = NULL;
struct pf_kruleset *ruleset;
struct pfi_kif *kif = NULL;
struct pfi_kkif *kif = NULL;
if (pca->action < PF_CHANGE_ADD_HEAD ||
pca->action > PF_CHANGE_REMOVE) {
@ -3038,15 +3058,15 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
if (ruleset == NULL)
ERROUT(EBUSY);
pool = pf_get_pool(pca->anchor, pca->ticket, pca->r_action,
pool = pf_get_kpool(pca->anchor, pca->ticket, pca->r_action,
pca->r_num, pca->r_last, 1, 1);
if (pool == NULL)
ERROUT(EBUSY);
if (pca->action != PF_CHANGE_REMOVE) {
if (newpa->ifname[0]) {
newpa->kif = pfi_kif_attach(kif, newpa->ifname);
pfi_kif_ref(newpa->kif);
newpa->kif = pfi_kkif_attach(kif, newpa->ifname);
pfi_kkif_ref(newpa->kif);
kif = NULL;
}
@ -3071,7 +3091,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
oldpa = TAILQ_FIRST(&pool->list);
break;
case PF_CHANGE_ADD_TAIL:
oldpa = TAILQ_LAST(&pool->list, pf_palist);
oldpa = TAILQ_LAST(&pool->list, pf_kpalist);
break;
default:
oldpa = TAILQ_FIRST(&pool->list);
@ -3093,7 +3113,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
break;
}
if (oldpa->kif)
pfi_kif_unref(oldpa->kif);
pfi_kkif_unref(oldpa->kif);
free(oldpa, M_PFRULE);
} else {
if (oldpa == NULL)
@ -3115,7 +3135,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
DIOCCHANGEADDR_error:
if (newpa != NULL) {
if (newpa->kif)
pfi_kif_unref(newpa->kif);
pfi_kkif_unref(newpa->kif);
free(newpa, M_PFRULE);
}
PF_RULES_WUNLOCK();

12
sys/netpfil/pf/pf_lb.c
View File

@ -59,7 +59,7 @@ __FBSDID("$FreeBSD$");
static void pf_hash(struct pf_addr *, struct pf_addr *,
struct pf_poolhashkey *, sa_family_t);
static struct pf_krule *pf_match_translation(struct pf_pdesc *, struct mbuf *,
int, int, struct pfi_kif *,
int, int, struct pfi_kkif *,
struct pf_addr *, u_int16_t, struct pf_addr *,
uint16_t, int, struct pf_kanchor_stackframe *);
static int pf_get_sport(sa_family_t, uint8_t, struct pf_krule *,
@ -125,7 +125,7 @@ pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
static struct pf_krule *
pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport,
int direction, struct pfi_kkif *kif, struct pf_addr *saddr, u_int16_t sport,
struct pf_addr *daddr, uint16_t dport, int rs_num,
struct pf_kanchor_stackframe *anchor_stack)
{
@ -150,7 +150,7 @@ pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
}
counter_u64_add(r->evaluations, 1);
if (pfi_kif_match(r->kif, kif) == r->ifnot)
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != direction)
r = r->skip[PF_SKIP_DIR].ptr;
@ -314,7 +314,7 @@ int
pf_map_addr(sa_family_t af, struct pf_krule *r, struct pf_addr *saddr,
struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_ksrc_node **sn)
{
struct pf_pool *rpool = &r->rpool;
struct pf_kpool *rpool = &r->rpool;
struct pf_addr *raddr = NULL, *rmask = NULL;
/* Try to find a src_node if none was given and this
@ -436,7 +436,7 @@ pf_map_addr(sa_family_t af, struct pf_krule *r, struct pf_addr *saddr,
}
case PF_POOL_ROUNDROBIN:
{
struct pf_pooladdr *acur = rpool->cur;
struct pf_kpooladdr *acur = rpool->cur;
/*
* XXXGL: in the round-robin case we need to store
@ -522,7 +522,7 @@ pf_map_addr(sa_family_t af, struct pf_krule *r, struct pf_addr *saddr,
struct pf_krule *
pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
struct pfi_kif *kif, struct pf_ksrc_node **sn,
struct pfi_kkif *kif, struct pf_ksrc_node **sn,
struct pf_state_key **skp, struct pf_state_key **nkp,
struct pf_addr *saddr, struct pf_addr *daddr,
uint16_t sport, uint16_t dport, struct pf_kanchor_stackframe *anchor_stack)

12
sys/netpfil/pf/pf_norm.c
View File

@ -993,7 +993,7 @@ pf_refragment6(struct ifnet *ifp, struct mbuf **m0, struct m_tag *mtag)
#ifdef INET
int
pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason,
pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kkif *kif, u_short *reason,
struct pf_pdesc *pd)
{
struct mbuf *m = *m0;
@ -1013,7 +1013,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason,
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
while (r != NULL) {
counter_u64_add(r->evaluations, 1);
if (pfi_kif_match(r->kif, kif) == r->ifnot)
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != dir)
r = r->skip[PF_SKIP_DIR].ptr;
@ -1134,7 +1134,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason,
#ifdef INET6
int
pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kif *kif,
pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif,
u_short *reason, struct pf_pdesc *pd)
{
struct mbuf *m = *m0;
@ -1156,7 +1156,7 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kif *kif,
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
while (r != NULL) {
counter_u64_add(r->evaluations, 1);
if (pfi_kif_match(r->kif, kif) == r->ifnot)
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != dir)
r = r->skip[PF_SKIP_DIR].ptr;
@ -1295,7 +1295,7 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kif *kif,
#endif /* INET6 */
int
pf_normalize_tcp(int dir, struct pfi_kif *kif, struct mbuf *m, int ipoff,
pf_normalize_tcp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff,
int off, void *h, struct pf_pdesc *pd)
{
struct pf_krule *r, *rm = NULL;
@ -1310,7 +1310,7 @@ pf_normalize_tcp(int dir, struct pfi_kif *kif, struct mbuf *m, int ipoff,
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
while (r != NULL) {
counter_u64_add(r->evaluations, 1);
if (pfi_kif_match(r->kif, kif) == r->ifnot)
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != dir)
r = r->skip[PF_SKIP_DIR].ptr;