1 /* $FreeBSD: src/sys/contrib/pf/net/pf_ioctl.c,v 1.12 2004/08/12 14:15:42 mlaier Exp $ */
2 /* $OpenBSD: pf_ioctl.c,v 1.112.2.2 2004/07/24 18:28:12 brad Exp $ */
3 /* $DragonFly: src/sys/net/pf/pf_ioctl.c,v 1.2 2004/09/19 23:54:02 dillon Exp $ */
6 * Copyright (c) 2004 The DragonFly Project. All rights reserved.
8 * Copyright (c) 2001 Daniel Hartmeier
9 * Copyright (c) 2002,2003 Henning Brauer
10 * All rights reserved.
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
16 * - Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * - Redistributions in binary form must reproduce the above
19 * copyright notice, this list of conditions and the following
20 * disclaimer in the documentation and/or other materials provided
21 * with the distribution.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
26 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
27 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
28 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
29 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
30 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
31 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
33 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
34 * POSSIBILITY OF SUCH DAMAGE.
36 * Effort sponsored in part by the Defense Advanced Research Projects
37 * Agency (DARPA) and Air Force Research Laboratory, Air Force
38 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
43 #include "opt_inet6.h"
44 #include "use_pfsync.h"
46 #include <sys/param.h>
47 #include <sys/systm.h>
49 #include <sys/filio.h>
50 #include <sys/fcntl.h>
51 #include <sys/socket.h>
52 #include <sys/socketvar.h>
53 #include <sys/kernel.h>
55 #include <sys/malloc.h>
56 #include <sys/module.h>
58 #include <vm/vm_zone.h>
61 #include <net/if_types.h>
62 #include <net/route.h>
64 #include <netinet/in.h>
65 #include <netinet/in_var.h>
66 #include <netinet/in_systm.h>
67 #include <netinet/ip.h>
68 #include <netinet/ip_var.h>
69 #include <netinet/ip_icmp.h>
71 #include <net/pf/pfvar.h>
74 #include <net/pf/if_pfsync.h>
75 #endif /* NPFSYNC > 0 */
78 #include <netinet/ip6.h>
79 #include <netinet/in_pcb.h>
83 #include <altq/altq.h>
86 #include <machine/limits.h>
88 void init_zone_var(void);
89 void cleanup_pf_zone(void);
91 int pfopen(dev_t, int, int, struct thread *);
92 int pfclose(dev_t, int, int, struct thread *);
93 struct pf_pool *pf_get_pool(char *, char *, u_int32_t,
94 u_int8_t, u_int32_t, u_int8_t, u_int8_t, u_int8_t);
95 int pf_get_ruleset_number(u_int8_t);
96 void pf_init_ruleset(struct pf_ruleset *);
97 void pf_mv_pool(struct pf_palist *, struct pf_palist *);
98 void pf_empty_pool(struct pf_palist *);
99 int pfioctl(dev_t, u_long, caddr_t, int, struct thread *);
101 int pf_begin_altq(u_int32_t *);
102 int pf_rollback_altq(u_int32_t);
103 int pf_commit_altq(u_int32_t);
105 int pf_begin_rules(u_int32_t *, int, char *, char *);
106 int pf_rollback_rules(u_int32_t, int, char *, char *);
107 int pf_commit_rules(u_int32_t, int, char *, char *);
109 extern struct callout pf_expire_to;
111 struct pf_rule pf_default_rule;
113 #define TAGID_MAX 50000
114 TAILQ_HEAD(pf_tags, pf_tagname) pf_tags = TAILQ_HEAD_INITIALIZER(pf_tags),
115 pf_qids = TAILQ_HEAD_INITIALIZER(pf_qids);
117 #if (PF_QNAME_SIZE != PF_TAG_NAME_SIZE)
118 #error PF_QNAME_SIZE must be equal to PF_TAG_NAME_SIZE
120 static u_int16_t tagname2tag(struct pf_tags *, char *);
121 static void tag2tagname(struct pf_tags *, u_int16_t, char *);
122 static void tag_unref(struct pf_tags *, u_int16_t);
124 #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
129 * XXX - These are new and need to be checked when moveing to a new version
131 static void pf_clear_states(void);
132 static int pf_clear_tables(void);
133 static void pf_clear_srcnodes(void);
135 * XXX - These are new and need to be checked when moveing to a new version
139 * Wrapper functions for pfil(9) hooks
141 static int pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp,
143 static int pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp,
146 static int pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp,
148 static int pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp,
152 static int hook_pf(void);
153 static int dehook_pf(void);
154 static int shutdown_pf(void);
155 static int pf_load(void);
156 static int pf_unload(void);
158 static struct cdevsw pf_cdevsw = { /* XXX convert to port model */
160 .d_maj = 73, /* XXX */
162 .old_close = pfclose,
166 static volatile int pf_pfil_hooked = 0;
171 pf_src_tree_pl = pf_rule_pl = NULL;
172 pf_state_pl = pf_altq_pl = pf_pooladdr_pl = NULL;
173 pf_frent_pl = pf_frag_pl = pf_cache_pl = pf_cent_pl = NULL;
174 pf_state_scrub_pl = NULL;
175 pfr_ktable_pl = pfr_kentry_pl = NULL;
179 cleanup_pf_zone(void)
181 ZONE_DESTROY(pf_src_tree_pl);
182 ZONE_DESTROY(pf_rule_pl);
183 ZONE_DESTROY(pf_state_pl);
184 ZONE_DESTROY(pf_altq_pl);
185 ZONE_DESTROY(pf_pooladdr_pl);
186 ZONE_DESTROY(pf_frent_pl);
187 ZONE_DESTROY(pf_frag_pl);
188 ZONE_DESTROY(pf_cache_pl);
189 ZONE_DESTROY(pf_cent_pl);
190 ZONE_DESTROY(pfr_ktable_pl);
191 ZONE_DESTROY(pfr_kentry_pl);
192 ZONE_DESTROY(pf_state_scrub_pl);
193 ZONE_DESTROY(pfi_addr_pl);
199 u_int32_t *my_timeout = pf_default_rule.timeout;
203 ZONE_CREATE(pf_src_tree_pl,struct pf_src_node, "pfsrctrpl");
204 ZONE_CREATE(pf_rule_pl, struct pf_rule, "pfrulepl");
205 ZONE_CREATE(pf_state_pl, struct pf_state, "pfstatepl");
206 ZONE_CREATE(pf_altq_pl, struct pf_altq, "pfaltqpl");
207 ZONE_CREATE(pf_pooladdr_pl,struct pf_pooladdr, "pfpooladdrpl");
208 ZONE_CREATE(pfr_ktable_pl, struct pfr_ktable, "pfrktable");
209 ZONE_CREATE(pfr_kentry_pl, struct pfr_kentry, "pfrkentry");
210 ZONE_CREATE(pf_frent_pl, struct pf_frent, "pffrent");
211 ZONE_CREATE(pf_frag_pl, struct pf_fragment, "pffrag");
212 ZONE_CREATE(pf_cache_pl, struct pf_fragment, "pffrcache");
213 ZONE_CREATE(pf_cent_pl, struct pf_frcache, "pffrcent");
214 ZONE_CREATE(pf_state_scrub_pl, struct pf_state_scrub,
216 ZONE_CREATE(pfi_addr_pl, struct pfi_dynaddr, "pfiaddrpl");
225 error = pf_osfp_initialize();
232 pf_pool_limits[PF_LIMIT_STATES].pp = pf_state_pl;
233 pf_pool_limits[PF_LIMIT_STATES].limit = PFSTATE_HIWAT;
234 pf_pool_limits[PF_LIMIT_FRAGS].pp = pf_frent_pl;
235 pf_pool_limits[PF_LIMIT_FRAGS].limit = PFFRAG_FRENT_HIWAT;
236 /* XXX uma_zone_set_max(pf_pool_limits[PF_LIMIT_STATES].pp,
237 pf_pool_limits[PF_LIMIT_STATES].limit);
240 RB_INIT(&tree_src_tracking);
241 TAILQ_INIT(&pf_anchors);
242 pf_init_ruleset(&pf_main_ruleset);
243 TAILQ_INIT(&pf_altqs[0]);
244 TAILQ_INIT(&pf_altqs[1]);
245 TAILQ_INIT(&pf_pabuf);
246 pf_altqs_active = &pf_altqs[0];
247 pf_altqs_inactive = &pf_altqs[1];
248 TAILQ_INIT(&state_updates);
250 /* default rule should never be garbage collected */
251 pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next;
252 pf_default_rule.action = PF_PASS;
253 pf_default_rule.nr = -1;
255 /* initialize default timeouts */
256 my_timeout[PFTM_TCP_FIRST_PACKET] = 120; /* First TCP packet */
257 my_timeout[PFTM_TCP_OPENING] = 30; /* No response yet */
258 my_timeout[PFTM_TCP_ESTABLISHED] = 24*60*60; /* Established */
259 my_timeout[PFTM_TCP_CLOSING] = 15 * 60; /* Half closed */
260 my_timeout[PFTM_TCP_FIN_WAIT] = 45; /* Got both FINs */
261 my_timeout[PFTM_TCP_CLOSED] = 90; /* Got a RST */
262 my_timeout[PFTM_UDP_FIRST_PACKET] = 60; /* First UDP packet */
263 my_timeout[PFTM_UDP_SINGLE] = 30; /* Unidirectional */
264 my_timeout[PFTM_UDP_MULTIPLE] = 60; /* Bidirectional */
265 my_timeout[PFTM_ICMP_FIRST_PACKET] = 20; /* First ICMP packet */
266 my_timeout[PFTM_ICMP_ERROR_REPLY] = 10; /* Got error response */
267 my_timeout[PFTM_OTHER_FIRST_PACKET] = 60; /* First packet */
268 my_timeout[PFTM_OTHER_SINGLE] = 30; /* Unidirectional */
269 my_timeout[PFTM_OTHER_MULTIPLE] = 60; /* Bidirectional */
270 my_timeout[PFTM_FRAG] = 30; /* Fragment expire */
271 my_timeout[PFTM_INTERVAL] = 10; /* Expire interval */
273 callout_init(&pf_expire_to);
274 callout_reset(&pf_expire_to, my_timeout[PFTM_INTERVAL] * hz,
275 pf_purge_timeout, &pf_expire_to);
278 bzero(&pf_status, sizeof(pf_status));
279 pf_status.debug = PF_DEBUG_URGENT;
282 /* XXX do our best to avoid a conflict */
283 pf_status.hostid = arc4random();
289 pfopen(dev_t dev, int flags, int devtype, struct thread *td)
297 pfclose(dev_t dev, int flags, int fmt, struct thread *td)
305 pf_get_pool(char *anchorname, char *rulesetname, u_int32_t ticket,
306 u_int8_t rule_action, u_int32_t rule_number, u_int8_t r_last,
307 u_int8_t active, u_int8_t check_ticket)
309 struct pf_ruleset *ruleset;
310 struct pf_rule *rule;
313 ruleset = pf_find_ruleset(anchorname, rulesetname);
316 rs_num = pf_get_ruleset_number(rule_action);
317 if (rs_num >= PF_RULESET_MAX)
320 if (check_ticket && ticket !=
321 ruleset->rules[rs_num].active.ticket)
324 rule = TAILQ_LAST(ruleset->rules[rs_num].active.ptr,
327 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
329 if (check_ticket && ticket !=
330 ruleset->rules[rs_num].inactive.ticket)
333 rule = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
336 rule = TAILQ_FIRST(ruleset->rules[rs_num].inactive.ptr);
339 while ((rule != NULL) && (rule->nr != rule_number))
340 rule = TAILQ_NEXT(rule, entries);
345 return (&rule->rpool);
349 pf_get_ruleset_number(u_int8_t action)
353 return (PF_RULESET_SCRUB);
357 return (PF_RULESET_FILTER);
361 return (PF_RULESET_NAT);
365 return (PF_RULESET_BINAT);
369 return (PF_RULESET_RDR);
372 return (PF_RULESET_MAX);
378 pf_init_ruleset(struct pf_ruleset *ruleset)
382 memset(ruleset, 0, sizeof(struct pf_ruleset));
383 for (i = 0; i < PF_RULESET_MAX; i++) {
384 TAILQ_INIT(&ruleset->rules[i].queues[0]);
385 TAILQ_INIT(&ruleset->rules[i].queues[1]);
386 ruleset->rules[i].active.ptr = &ruleset->rules[i].queues[0];
387 ruleset->rules[i].inactive.ptr = &ruleset->rules[i].queues[1];
392 pf_find_anchor(const char *anchorname)
394 struct pf_anchor *anchor;
397 anchor = TAILQ_FIRST(&pf_anchors);
398 while (anchor != NULL && (n = strcmp(anchor->name, anchorname)) < 0)
399 anchor = TAILQ_NEXT(anchor, entries);
407 pf_find_ruleset(char *anchorname, char *rulesetname)
409 struct pf_anchor *anchor;
410 struct pf_ruleset *ruleset;
412 if (!anchorname[0] && !rulesetname[0])
413 return (&pf_main_ruleset);
414 if (!anchorname[0] || !rulesetname[0])
416 anchorname[PF_ANCHOR_NAME_SIZE-1] = 0;
417 rulesetname[PF_RULESET_NAME_SIZE-1] = 0;
418 anchor = pf_find_anchor(anchorname);
421 ruleset = TAILQ_FIRST(&anchor->rulesets);
422 while (ruleset != NULL && strcmp(ruleset->name, rulesetname) < 0)
423 ruleset = TAILQ_NEXT(ruleset, entries);
424 if (ruleset != NULL && !strcmp(ruleset->name, rulesetname))
431 pf_find_or_create_ruleset(char anchorname[PF_ANCHOR_NAME_SIZE],
432 char rulesetname[PF_RULESET_NAME_SIZE])
434 struct pf_anchor *anchor, *a;
435 struct pf_ruleset *ruleset, *r;
437 if (!anchorname[0] && !rulesetname[0])
438 return (&pf_main_ruleset);
439 if (!anchorname[0] || !rulesetname[0])
441 anchorname[PF_ANCHOR_NAME_SIZE-1] = 0;
442 rulesetname[PF_RULESET_NAME_SIZE-1] = 0;
443 a = TAILQ_FIRST(&pf_anchors);
444 while (a != NULL && strcmp(a->name, anchorname) < 0)
445 a = TAILQ_NEXT(a, entries);
446 if (a != NULL && !strcmp(a->name, anchorname))
449 anchor = (struct pf_anchor *)malloc(sizeof(struct pf_anchor),
453 memset(anchor, 0, sizeof(struct pf_anchor));
454 bcopy(anchorname, anchor->name, sizeof(anchor->name));
455 TAILQ_INIT(&anchor->rulesets);
457 TAILQ_INSERT_BEFORE(a, anchor, entries);
459 TAILQ_INSERT_TAIL(&pf_anchors, anchor, entries);
461 r = TAILQ_FIRST(&anchor->rulesets);
462 while (r != NULL && strcmp(r->name, rulesetname) < 0)
463 r = TAILQ_NEXT(r, entries);
464 if (r != NULL && !strcmp(r->name, rulesetname))
466 ruleset = (struct pf_ruleset *)malloc(sizeof(struct pf_ruleset),
468 if (ruleset != NULL) {
469 pf_init_ruleset(ruleset);
470 bcopy(rulesetname, ruleset->name, sizeof(ruleset->name));
471 ruleset->anchor = anchor;
473 TAILQ_INSERT_BEFORE(r, ruleset, entries);
475 TAILQ_INSERT_TAIL(&anchor->rulesets, ruleset, entries);
481 pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset)
483 struct pf_anchor *anchor;
486 if (ruleset == NULL || ruleset->anchor == NULL || ruleset->tables > 0 ||
489 for (i = 0; i < PF_RULESET_MAX; ++i)
490 if (!TAILQ_EMPTY(ruleset->rules[i].active.ptr) ||
491 !TAILQ_EMPTY(ruleset->rules[i].inactive.ptr) ||
492 ruleset->rules[i].inactive.open)
495 anchor = ruleset->anchor;
496 TAILQ_REMOVE(&anchor->rulesets, ruleset, entries);
497 free(ruleset, M_TEMP);
499 if (TAILQ_EMPTY(&anchor->rulesets)) {
500 TAILQ_REMOVE(&pf_anchors, anchor, entries);
501 free(anchor, M_TEMP);
502 pf_update_anchor_rules();
507 pf_mv_pool(struct pf_palist *poola, struct pf_palist *poolb)
509 struct pf_pooladdr *mv_pool_pa;
511 while ((mv_pool_pa = TAILQ_FIRST(poola)) != NULL) {
512 TAILQ_REMOVE(poola, mv_pool_pa, entries);
513 TAILQ_INSERT_TAIL(poolb, mv_pool_pa, entries);
518 pf_empty_pool(struct pf_palist *poola)
520 struct pf_pooladdr *empty_pool_pa;
522 while ((empty_pool_pa = TAILQ_FIRST(poola)) != NULL) {
523 pfi_dynaddr_remove(&empty_pool_pa->addr);
524 pf_tbladdr_remove(&empty_pool_pa->addr);
525 pfi_detach_rule(empty_pool_pa->kif);
526 TAILQ_REMOVE(poola, empty_pool_pa, entries);
527 pool_put(&pf_pooladdr_pl, empty_pool_pa);
532 pf_rm_rule(struct pf_rulequeue *rulequeue, struct pf_rule *rule)
534 if (rulequeue != NULL) {
535 if (rule->states <= 0) {
537 * XXX - we need to remove the table *before* detaching
538 * the rule to make sure the table code does not delete
539 * the anchor under our feet.
541 pf_tbladdr_remove(&rule->src.addr);
542 pf_tbladdr_remove(&rule->dst.addr);
544 TAILQ_REMOVE(rulequeue, rule, entries);
545 rule->entries.tqe_prev = NULL;
549 if (rule->states > 0 || rule->src_nodes > 0 ||
550 rule->entries.tqe_prev != NULL)
552 pf_tag_unref(rule->tag);
553 pf_tag_unref(rule->match_tag);
555 if (rule->pqid != rule->qid)
556 pf_qid_unref(rule->pqid);
557 pf_qid_unref(rule->qid);
559 pfi_dynaddr_remove(&rule->src.addr);
560 pfi_dynaddr_remove(&rule->dst.addr);
561 if (rulequeue == NULL) {
562 pf_tbladdr_remove(&rule->src.addr);
563 pf_tbladdr_remove(&rule->dst.addr);
565 pfi_detach_rule(rule->kif);
566 pf_empty_pool(&rule->rpool.list);
567 pool_put(&pf_rule_pl, rule);
571 tagname2tag(struct pf_tags *head, char *tagname)
573 struct pf_tagname *tag, *p = NULL;
574 u_int16_t new_tagid = 1;
576 TAILQ_FOREACH(tag, head, entries)
577 if (strcmp(tagname, tag->name) == 0) {
583 * to avoid fragmentation, we do a linear search from the beginning
584 * and take the first free slot we find. if there is none or the list
585 * is empty, append a new entry at the end.
589 if (!TAILQ_EMPTY(head))
590 for (p = TAILQ_FIRST(head); p != NULL &&
591 p->tag == new_tagid; p = TAILQ_NEXT(p, entries))
592 new_tagid = p->tag + 1;
594 if (new_tagid > TAGID_MAX)
597 /* allocate and fill new struct pf_tagname */
598 tag = (struct pf_tagname *)malloc(sizeof(struct pf_tagname),
602 bzero(tag, sizeof(struct pf_tagname));
603 strlcpy(tag->name, tagname, sizeof(tag->name));
604 tag->tag = new_tagid;
607 if (p != NULL) /* insert new entry before p */
608 TAILQ_INSERT_BEFORE(p, tag, entries);
609 else /* either list empty or no free slot in between */
610 TAILQ_INSERT_TAIL(head, tag, entries);
616 tag2tagname(struct pf_tags *head, u_int16_t tagid, char *p)
618 struct pf_tagname *tag;
620 TAILQ_FOREACH(tag, head, entries)
621 if (tag->tag == tagid) {
622 strlcpy(p, tag->name, PF_TAG_NAME_SIZE);
628 tag_unref(struct pf_tags *head, u_int16_t tag)
630 struct pf_tagname *p, *next;
635 for (p = TAILQ_FIRST(head); p != NULL; p = next) {
636 next = TAILQ_NEXT(p, entries);
639 TAILQ_REMOVE(head, p, entries);
648 pf_tagname2tag(char *tagname)
650 return (tagname2tag(&pf_tags, tagname));
654 pf_tag2tagname(u_int16_t tagid, char *p)
656 return (tag2tagname(&pf_tags, tagid, p));
660 pf_tag_unref(u_int16_t tag)
662 return (tag_unref(&pf_tags, tag));
667 pf_qname2qid(char *qname)
669 return ((u_int32_t)tagname2tag(&pf_qids, qname));
673 pf_qid2qname(u_int32_t qid, char *p)
675 return (tag2tagname(&pf_qids, (u_int16_t)qid, p));
679 pf_qid_unref(u_int32_t qid)
681 return (tag_unref(&pf_qids, (u_int16_t)qid));
685 pf_begin_altq(u_int32_t *ticket)
687 struct pf_altq *altq;
690 /* Purge the old altq list */
691 while ((altq = TAILQ_FIRST(pf_altqs_inactive)) != NULL) {
692 TAILQ_REMOVE(pf_altqs_inactive, altq, entries);
693 if (altq->qname[0] == 0) {
694 /* detach and destroy the discipline */
695 error = altq_remove(altq);
697 pf_qid_unref(altq->qid);
698 pool_put(&pf_altq_pl, altq);
702 *ticket = ++ticket_altqs_inactive;
703 altqs_inactive_open = 1;
708 pf_rollback_altq(u_int32_t ticket)
710 struct pf_altq *altq;
713 if (!altqs_inactive_open || ticket != ticket_altqs_inactive)
715 /* Purge the old altq list */
716 while ((altq = TAILQ_FIRST(pf_altqs_inactive)) != NULL) {
717 TAILQ_REMOVE(pf_altqs_inactive, altq, entries);
718 if (altq->qname[0] == 0) {
719 /* detach and destroy the discipline */
720 error = altq_remove(altq);
722 pf_qid_unref(altq->qid);
723 pool_put(&pf_altq_pl, altq);
725 altqs_inactive_open = 0;
730 pf_commit_altq(u_int32_t ticket)
732 struct pf_altqqueue *old_altqs;
733 struct pf_altq *altq;
734 int s, err, error = 0;
736 if (!altqs_inactive_open || ticket != ticket_altqs_inactive)
739 /* swap altqs, keep the old. */
741 old_altqs = pf_altqs_active;
742 pf_altqs_active = pf_altqs_inactive;
743 pf_altqs_inactive = old_altqs;
744 ticket_altqs_active = ticket_altqs_inactive;
746 /* Attach new disciplines */
747 TAILQ_FOREACH(altq, pf_altqs_active, entries) {
748 if (altq->qname[0] == 0) {
749 /* attach the discipline */
750 error = altq_pfattach(altq);
758 /* Purge the old altq list */
759 while ((altq = TAILQ_FIRST(pf_altqs_inactive)) != NULL) {
760 TAILQ_REMOVE(pf_altqs_inactive, altq, entries);
761 if (altq->qname[0] == 0) {
762 /* detach and destroy the discipline */
763 err = altq_pfdetach(altq);
764 if (err != 0 && error == 0)
766 err = altq_remove(altq);
767 if (err != 0 && error == 0)
770 pf_qid_unref(altq->qid);
771 pool_put(&pf_altq_pl, altq);
775 altqs_inactive_open = 0;
781 pf_begin_rules(u_int32_t *ticket, int rs_num, char *anchor, char *ruleset)
783 struct pf_ruleset *rs;
784 struct pf_rule *rule;
786 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
788 rs = pf_find_or_create_ruleset(anchor, ruleset);
791 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL)
792 pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule);
793 *ticket = ++rs->rules[rs_num].inactive.ticket;
794 rs->rules[rs_num].inactive.open = 1;
799 pf_rollback_rules(u_int32_t ticket, int rs_num, char *anchor, char *ruleset)
801 struct pf_ruleset *rs;
802 struct pf_rule *rule;
804 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
806 rs = pf_find_ruleset(anchor, ruleset);
807 if (rs == NULL || !rs->rules[rs_num].inactive.open ||
808 rs->rules[rs_num].inactive.ticket != ticket)
810 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL)
811 pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule);
812 rs->rules[rs_num].inactive.open = 0;
817 pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor, char *ruleset)
819 struct pf_ruleset *rs;
820 struct pf_rule *rule;
821 struct pf_rulequeue *old_rules;
824 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
826 rs = pf_find_ruleset(anchor, ruleset);
827 if (rs == NULL || !rs->rules[rs_num].inactive.open ||
828 ticket != rs->rules[rs_num].inactive.ticket)
831 /* Swap rules, keep the old. */
833 old_rules = rs->rules[rs_num].active.ptr;
834 rs->rules[rs_num].active.ptr =
835 rs->rules[rs_num].inactive.ptr;
836 rs->rules[rs_num].inactive.ptr = old_rules;
837 rs->rules[rs_num].active.ticket =
838 rs->rules[rs_num].inactive.ticket;
839 pf_calc_skip_steps(rs->rules[rs_num].active.ptr);
841 /* Purge the old rule list. */
842 while ((rule = TAILQ_FIRST(old_rules)) != NULL)
843 pf_rm_rule(old_rules, rule);
844 rs->rules[rs_num].inactive.open = 0;
845 pf_remove_if_empty_ruleset(rs);
846 pf_update_anchor_rules();
852 pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct thread *td)
854 struct pf_pooladdr *pa = NULL;
855 struct pf_pool *pool = NULL;
859 /* XXX keep in sync with switch() below */
867 case DIOCSETSTATUSIF:
874 case DIOCCLRRULECTRS:
881 case DIOCGETRULESETS:
895 case DIOCGETSRCNODES:
896 case DIOCCLRSRCNODES:
905 if (((struct pfioc_table *)addr)->pfrio_flags &
907 break; /* dummy operation ok */
913 if (!(flags & FWRITE))
929 case DIOCGETRULESETS:
937 case DIOCGETSRCNODES:
950 if (((struct pfioc_table *)addr)->pfrio_flags &
952 break; /* dummy operation ok */
961 if (pf_status.running)
966 DPFPRINTF(PF_DEBUG_MISC,
967 ("pf: pfil registeration fail\n"));
970 pf_status.running = 1;
971 pf_status.since = time_second;
972 if (pf_status.stateid == 0) {
973 pf_status.stateid = time_second;
974 pf_status.stateid = pf_status.stateid << 32;
976 DPFPRINTF(PF_DEBUG_MISC, ("pf: started\n"));
981 if (!pf_status.running)
984 pf_status.running = 0;
987 pf_status.running = 1;
988 DPFPRINTF(PF_DEBUG_MISC,
989 ("pf: pfil unregisteration failed\n"));
991 pf_status.since = time_second;
992 DPFPRINTF(PF_DEBUG_MISC, ("pf: stopped\n"));
996 case DIOCBEGINRULES: {
997 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
999 error = pf_begin_rules(&pr->ticket, pf_get_ruleset_number(
1000 pr->rule.action), pr->anchor, pr->ruleset);
1005 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
1006 struct pf_ruleset *ruleset;
1007 struct pf_rule *rule, *tail;
1008 struct pf_pooladdr *pa;
1011 ruleset = pf_find_ruleset(pr->anchor, pr->ruleset);
1012 if (ruleset == NULL) {
1016 rs_num = pf_get_ruleset_number(pr->rule.action);
1017 if (rs_num >= PF_RULESET_MAX) {
1021 if (pr->rule.anchorname[0] && ruleset != &pf_main_ruleset) {
1025 if (pr->rule.return_icmp >> 8 > ICMP_MAXTYPE) {
1029 if (pr->ticket != ruleset->rules[rs_num].inactive.ticket) {
1033 if (pr->pool_ticket != ticket_pabuf) {
1037 rule = pool_get(&pf_rule_pl, PR_NOWAIT);
1042 bcopy(&pr->rule, rule, sizeof(struct pf_rule));
1043 rule->anchor = NULL;
1045 TAILQ_INIT(&rule->rpool.list);
1046 /* initialize refcounting */
1048 rule->src_nodes = 0;
1049 rule->entries.tqe_prev = NULL;
1051 if (rule->af == AF_INET) {
1052 pool_put(&pf_rule_pl, rule);
1053 error = EAFNOSUPPORT;
1058 if (rule->af == AF_INET6) {
1059 pool_put(&pf_rule_pl, rule);
1060 error = EAFNOSUPPORT;
1064 tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
1067 rule->nr = tail->nr + 1;
1070 if (rule->ifname[0]) {
1071 rule->kif = pfi_attach_rule(rule->ifname);
1072 if (rule->kif == NULL) {
1073 pool_put(&pf_rule_pl, rule);
1081 if (rule->qname[0] != 0) {
1082 if ((rule->qid = pf_qname2qid(rule->qname)) == 0)
1084 else if (rule->pqname[0] != 0) {
1086 pf_qname2qid(rule->pqname)) == 0)
1089 rule->pqid = rule->qid;
1092 if (rule->tagname[0])
1093 if ((rule->tag = pf_tagname2tag(rule->tagname)) == 0)
1095 if (rule->match_tagname[0])
1096 if ((rule->match_tag =
1097 pf_tagname2tag(rule->match_tagname)) == 0)
1099 if (rule->rt && !rule->direction)
1101 if (pfi_dynaddr_setup(&rule->src.addr, rule->af))
1103 if (pfi_dynaddr_setup(&rule->dst.addr, rule->af))
1105 if (pf_tbladdr_setup(ruleset, &rule->src.addr))
1107 if (pf_tbladdr_setup(ruleset, &rule->dst.addr))
1109 TAILQ_FOREACH(pa, &pf_pabuf, entries)
1110 if (pf_tbladdr_setup(ruleset, &pa->addr))
1113 pf_mv_pool(&pf_pabuf, &rule->rpool.list);
1114 if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) ||
1115 (rule->action == PF_BINAT)) && !rule->anchorname[0]) ||
1116 (rule->rt > PF_FASTROUTE)) &&
1117 (TAILQ_FIRST(&rule->rpool.list) == NULL))
1121 pf_rm_rule(NULL, rule);
1124 rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list);
1125 rule->evaluations = rule->packets = rule->bytes = 0;
1126 TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr,
1131 case DIOCCOMMITRULES: {
1132 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
1134 error = pf_commit_rules(pr->ticket, pf_get_ruleset_number(
1135 pr->rule.action), pr->anchor, pr->ruleset);
1139 case DIOCGETRULES: {
1140 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
1141 struct pf_ruleset *ruleset;
1142 struct pf_rule *tail;
1145 ruleset = pf_find_ruleset(pr->anchor, pr->ruleset);
1146 if (ruleset == NULL) {
1150 rs_num = pf_get_ruleset_number(pr->rule.action);
1151 if (rs_num >= PF_RULESET_MAX) {
1156 tail = TAILQ_LAST(ruleset->rules[rs_num].active.ptr,
1159 pr->nr = tail->nr + 1;
1162 pr->ticket = ruleset->rules[rs_num].active.ticket;
1168 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
1169 struct pf_ruleset *ruleset;
1170 struct pf_rule *rule;
1173 ruleset = pf_find_ruleset(pr->anchor, pr->ruleset);
1174 if (ruleset == NULL) {
1178 rs_num = pf_get_ruleset_number(pr->rule.action);
1179 if (rs_num >= PF_RULESET_MAX) {
1183 if (pr->ticket != ruleset->rules[rs_num].active.ticket) {
1188 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
1189 while ((rule != NULL) && (rule->nr != pr->nr))
1190 rule = TAILQ_NEXT(rule, entries);
1196 bcopy(rule, &pr->rule, sizeof(struct pf_rule));
1197 pfi_dynaddr_copyout(&pr->rule.src.addr);
1198 pfi_dynaddr_copyout(&pr->rule.dst.addr);
1199 pf_tbladdr_copyout(&pr->rule.src.addr);
1200 pf_tbladdr_copyout(&pr->rule.dst.addr);
1201 for (i = 0; i < PF_SKIP_COUNT; ++i)
1202 if (rule->skip[i].ptr == NULL)
1203 pr->rule.skip[i].nr = -1;
1205 pr->rule.skip[i].nr =
1206 rule->skip[i].ptr->nr;
1211 case DIOCCHANGERULE: {
1212 struct pfioc_rule *pcr = (struct pfioc_rule *)addr;
1213 struct pf_ruleset *ruleset;
1214 struct pf_rule *oldrule = NULL, *newrule = NULL;
1218 if (!(pcr->action == PF_CHANGE_REMOVE ||
1219 pcr->action == PF_CHANGE_GET_TICKET) &&
1220 pcr->pool_ticket != ticket_pabuf) {
1225 if (pcr->action < PF_CHANGE_ADD_HEAD ||
1226 pcr->action > PF_CHANGE_GET_TICKET) {
1230 ruleset = pf_find_ruleset(pcr->anchor, pcr->ruleset);
1231 if (ruleset == NULL) {
1235 rs_num = pf_get_ruleset_number(pcr->rule.action);
1236 if (rs_num >= PF_RULESET_MAX) {
1241 if (pcr->action == PF_CHANGE_GET_TICKET) {
1242 pcr->ticket = ++ruleset->rules[rs_num].active.ticket;
1246 ruleset->rules[rs_num].active.ticket) {
1250 if (pcr->rule.return_icmp >> 8 > ICMP_MAXTYPE) {
1256 if (pcr->action != PF_CHANGE_REMOVE) {
1257 newrule = pool_get(&pf_rule_pl, PR_NOWAIT);
1258 if (newrule == NULL) {
1262 bcopy(&pcr->rule, newrule, sizeof(struct pf_rule));
1263 TAILQ_INIT(&newrule->rpool.list);
1264 /* initialize refcounting */
1265 newrule->states = 0;
1266 newrule->entries.tqe_prev = NULL;
1268 if (newrule->af == AF_INET) {
1269 pool_put(&pf_rule_pl, newrule);
1270 error = EAFNOSUPPORT;
1275 if (newrule->af == AF_INET6) {
1276 pool_put(&pf_rule_pl, newrule);
1277 error = EAFNOSUPPORT;
1281 if (newrule->ifname[0]) {
1282 newrule->kif = pfi_attach_rule(newrule->ifname);
1283 if (newrule->kif == NULL) {
1284 pool_put(&pf_rule_pl, newrule);
1289 newrule->kif = NULL;
1293 if (newrule->qname[0] != 0) {
1295 pf_qname2qid(newrule->qname)) == 0)
1297 else if (newrule->pqname[0] != 0) {
1298 if ((newrule->pqid =
1299 pf_qname2qid(newrule->pqname)) == 0)
1302 newrule->pqid = newrule->qid;
1305 if (newrule->tagname[0])
1307 pf_tagname2tag(newrule->tagname)) == 0)
1309 if (newrule->match_tagname[0])
1310 if ((newrule->match_tag = pf_tagname2tag(
1311 newrule->match_tagname)) == 0)
1314 if (newrule->rt && !newrule->direction)
1316 if (pfi_dynaddr_setup(&newrule->src.addr, newrule->af))
1318 if (pfi_dynaddr_setup(&newrule->dst.addr, newrule->af))
1320 if (pf_tbladdr_setup(ruleset, &newrule->src.addr))
1322 if (pf_tbladdr_setup(ruleset, &newrule->dst.addr))
1325 pf_mv_pool(&pf_pabuf, &newrule->rpool.list);
1326 if (((((newrule->action == PF_NAT) ||
1327 (newrule->action == PF_RDR) ||
1328 (newrule->action == PF_BINAT) ||
1329 (newrule->rt > PF_FASTROUTE)) &&
1330 !newrule->anchorname[0])) &&
1331 (TAILQ_FIRST(&newrule->rpool.list) == NULL))
1335 pf_rm_rule(NULL, newrule);
1338 newrule->rpool.cur = TAILQ_FIRST(&newrule->rpool.list);
1339 newrule->evaluations = newrule->packets = 0;
1342 pf_empty_pool(&pf_pabuf);
1346 if (pcr->action == PF_CHANGE_ADD_HEAD)
1347 oldrule = TAILQ_FIRST(
1348 ruleset->rules[rs_num].active.ptr);
1349 else if (pcr->action == PF_CHANGE_ADD_TAIL)
1350 oldrule = TAILQ_LAST(
1351 ruleset->rules[rs_num].active.ptr, pf_rulequeue);
1353 oldrule = TAILQ_FIRST(
1354 ruleset->rules[rs_num].active.ptr);
1355 while ((oldrule != NULL) && (oldrule->nr != pcr->nr))
1356 oldrule = TAILQ_NEXT(oldrule, entries);
1357 if (oldrule == NULL) {
1358 pf_rm_rule(NULL, newrule);
1365 if (pcr->action == PF_CHANGE_REMOVE)
1366 pf_rm_rule(ruleset->rules[rs_num].active.ptr, oldrule);
1368 if (oldrule == NULL)
1370 ruleset->rules[rs_num].active.ptr,
1372 else if (pcr->action == PF_CHANGE_ADD_HEAD ||
1373 pcr->action == PF_CHANGE_ADD_BEFORE)
1374 TAILQ_INSERT_BEFORE(oldrule, newrule, entries);
1377 ruleset->rules[rs_num].active.ptr,
1378 oldrule, newrule, entries);
1382 TAILQ_FOREACH(oldrule,
1383 ruleset->rules[rs_num].active.ptr, entries)
1386 pf_calc_skip_steps(ruleset->rules[rs_num].active.ptr);
1387 pf_remove_if_empty_ruleset(ruleset);
1388 pf_update_anchor_rules();
1390 ruleset->rules[rs_num].active.ticket++;
1395 case DIOCCLRSTATES: {
1396 struct pf_state *state;
1397 struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
1401 RB_FOREACH(state, pf_state_tree_id, &tree_id) {
1402 if (!psk->psk_ifname[0] || !strcmp(psk->psk_ifname,
1403 state->u.s.kif->pfik_name)) {
1404 state->timeout = PFTM_PURGE;
1406 /* don't send out individual delete messages */
1407 state->sync_flags = PFSTATE_NOSYNC;
1412 pf_purge_expired_states();
1413 pf_status.states = 0;
1414 psk->psk_af = killed;
1416 pfsync_clear_states(pf_status.hostid, psk->psk_ifname);
1422 case DIOCKILLSTATES: {
1423 struct pf_state *state;
1424 struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
1428 RB_FOREACH(state, pf_state_tree_id, &tree_id) {
1429 if ((!psk->psk_af || state->af == psk->psk_af)
1430 && (!psk->psk_proto || psk->psk_proto ==
1432 PF_MATCHA(psk->psk_src.not,
1433 &psk->psk_src.addr.v.a.addr,
1434 &psk->psk_src.addr.v.a.mask,
1435 &state->lan.addr, state->af) &&
1436 PF_MATCHA(psk->psk_dst.not,
1437 &psk->psk_dst.addr.v.a.addr,
1438 &psk->psk_dst.addr.v.a.mask,
1439 &state->ext.addr, state->af) &&
1440 (psk->psk_src.port_op == 0 ||
1441 pf_match_port(psk->psk_src.port_op,
1442 psk->psk_src.port[0], psk->psk_src.port[1],
1443 state->lan.port)) &&
1444 (psk->psk_dst.port_op == 0 ||
1445 pf_match_port(psk->psk_dst.port_op,
1446 psk->psk_dst.port[0], psk->psk_dst.port[1],
1447 state->ext.port)) &&
1448 (!psk->psk_ifname[0] || !strcmp(psk->psk_ifname,
1449 state->u.s.kif->pfik_name))) {
1450 state->timeout = PFTM_PURGE;
1454 pf_purge_expired_states();
1456 psk->psk_af = killed;
1460 case DIOCADDSTATE: {
1461 struct pfioc_state *ps = (struct pfioc_state *)addr;
1462 struct pf_state *state;
1463 struct pfi_kif *kif;
1465 if (ps->state.timeout >= PFTM_MAX &&
1466 ps->state.timeout != PFTM_UNTIL_PACKET) {
1470 state = pool_get(&pf_state_pl, PR_NOWAIT);
1471 if (state == NULL) {
1476 kif = pfi_lookup_create(ps->state.u.ifname);
1478 pool_put(&pf_state_pl, state);
1483 bcopy(&ps->state, state, sizeof(struct pf_state));
1484 bzero(&state->u, sizeof(state->u));
1485 state->rule.ptr = &pf_default_rule;
1486 state->nat_rule.ptr = NULL;
1487 state->anchor.ptr = NULL;
1488 state->rt_kif = NULL;
1489 state->creation = time_second;
1490 state->pfsync_time = 0;
1491 state->packets[0] = state->packets[1] = 0;
1492 state->bytes[0] = state->bytes[1] = 0;
1494 if (pf_insert_state(kif, state)) {
1495 pfi_maybe_destroy(kif);
1496 pool_put(&pf_state_pl, state);
1503 case DIOCGETSTATE: {
1504 struct pfioc_state *ps = (struct pfioc_state *)addr;
1505 struct pf_state *state;
1510 RB_FOREACH(state, pf_state_tree_id, &tree_id) {
1515 if (state == NULL) {
1520 bcopy(state, &ps->state, sizeof(struct pf_state));
1521 ps->state.rule.nr = state->rule.ptr->nr;
1522 ps->state.nat_rule.nr = (state->nat_rule.ptr == NULL) ?
1523 -1 : state->nat_rule.ptr->nr;
1524 ps->state.anchor.nr = (state->anchor.ptr == NULL) ?
1525 -1 : state->anchor.ptr->nr;
1527 ps->state.expire = pf_state_expires(state);
1528 if (ps->state.expire > time_second)
1529 ps->state.expire -= time_second;
1531 ps->state.expire = 0;
1535 case DIOCGETSTATES: {
1536 struct pfioc_states *ps = (struct pfioc_states *)addr;
1537 struct pf_state *state;
1538 struct pf_state *p, pstore;
1539 struct pfi_kif *kif;
1541 int space = ps->ps_len;
1545 TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states)
1546 nr += kif->pfik_states;
1548 ps->ps_len = sizeof(struct pf_state) * nr;
1554 TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states)
1555 RB_FOREACH(state, pf_state_tree_ext_gwy,
1556 &kif->pfik_ext_gwy) {
1557 int secs = time_second;
1559 if ((nr+1) * sizeof(*p) > (unsigned)ps->ps_len)
1562 bcopy(state, &pstore, sizeof(pstore));
1563 strlcpy(pstore.u.ifname, kif->pfik_name,
1564 sizeof(pstore.u.ifname));
1565 pstore.rule.nr = state->rule.ptr->nr;
1566 pstore.nat_rule.nr = (state->nat_rule.ptr ==
1567 NULL) ? -1 : state->nat_rule.ptr->nr;
1568 pstore.anchor.nr = (state->anchor.ptr ==
1569 NULL) ? -1 : state->anchor.ptr->nr;
1570 pstore.creation = secs - pstore.creation;
1571 pstore.expire = pf_state_expires(state);
1572 if (pstore.expire > secs)
1573 pstore.expire -= secs;
1576 error = copyout(&pstore, p, sizeof(*p));
1584 ps->ps_len = sizeof(struct pf_state) * nr;
1589 case DIOCGETSTATUS: {
1590 struct pf_status *s = (struct pf_status *)addr;
1591 bcopy(&pf_status, s, sizeof(struct pf_status));
1592 pfi_fill_oldstatus(s);
1596 case DIOCSETSTATUSIF: {
1597 struct pfioc_if *pi = (struct pfioc_if *)addr;
1599 if (pi->ifname[0] == 0) {
1600 bzero(pf_status.ifname, IFNAMSIZ);
1603 if (ifunit(pi->ifname) == NULL) {
1607 strlcpy(pf_status.ifname, pi->ifname, IFNAMSIZ);
1611 case DIOCCLRSTATUS: {
1612 bzero(pf_status.counters, sizeof(pf_status.counters));
1613 bzero(pf_status.fcounters, sizeof(pf_status.fcounters));
1614 bzero(pf_status.scounters, sizeof(pf_status.scounters));
1615 if (*pf_status.ifname)
1616 pfi_clr_istats(pf_status.ifname, NULL,
1622 struct pfioc_natlook *pnl = (struct pfioc_natlook *)addr;
1623 struct pf_state *state;
1624 struct pf_state key;
1625 int m = 0, direction = pnl->direction;
1628 key.proto = pnl->proto;
1631 PF_AZERO(&pnl->saddr, pnl->af) ||
1632 PF_AZERO(&pnl->daddr, pnl->af) ||
1633 !pnl->dport || !pnl->sport)
1639 * userland gives us source and dest of connection,
1640 * reverse the lookup so we ask for what happens with
1641 * the return traffic, enabling us to find it in the
1644 if (direction == PF_IN) {
1645 PF_ACPY(&key.ext.addr, &pnl->daddr, pnl->af);
1646 key.ext.port = pnl->dport;
1647 PF_ACPY(&key.gwy.addr, &pnl->saddr, pnl->af);
1648 key.gwy.port = pnl->sport;
1649 state = pf_find_state_all(&key, PF_EXT_GWY, &m);
1651 PF_ACPY(&key.lan.addr, &pnl->daddr, pnl->af);
1652 key.lan.port = pnl->dport;
1653 PF_ACPY(&key.ext.addr, &pnl->saddr, pnl->af);
1654 key.ext.port = pnl->sport;
1655 state = pf_find_state_all(&key, PF_LAN_EXT, &m);
1658 error = E2BIG; /* more than one state */
1659 else if (state != NULL) {
1660 if (direction == PF_IN) {
1661 PF_ACPY(&pnl->rsaddr, &state->lan.addr,
1663 pnl->rsport = state->lan.port;
1664 PF_ACPY(&pnl->rdaddr, &pnl->daddr,
1666 pnl->rdport = pnl->dport;
1668 PF_ACPY(&pnl->rdaddr, &state->gwy.addr,
1670 pnl->rdport = state->gwy.port;
1671 PF_ACPY(&pnl->rsaddr, &pnl->saddr,
1673 pnl->rsport = pnl->sport;
1682 case DIOCSETTIMEOUT: {
1683 struct pfioc_tm *pt = (struct pfioc_tm *)addr;
1686 if (pt->timeout < 0 || pt->timeout >= PFTM_MAX ||
1691 old = pf_default_rule.timeout[pt->timeout];
1692 pf_default_rule.timeout[pt->timeout] = pt->seconds;
1697 case DIOCGETTIMEOUT: {
1698 struct pfioc_tm *pt = (struct pfioc_tm *)addr;
1700 if (pt->timeout < 0 || pt->timeout >= PFTM_MAX) {
1704 pt->seconds = pf_default_rule.timeout[pt->timeout];
1708 case DIOCGETLIMIT: {
1709 struct pfioc_limit *pl = (struct pfioc_limit *)addr;
1711 if (pl->index < 0 || pl->index >= PF_LIMIT_MAX) {
1715 pl->limit = pf_pool_limits[pl->index].limit;
1719 case DIOCSETLIMIT: {
1720 struct pfioc_limit *pl = (struct pfioc_limit *)addr;
1723 if (pl->index < 0 || pl->index >= PF_LIMIT_MAX ||
1724 pf_pool_limits[pl->index].pp == NULL) {
1729 /* XXX Get an API to set limits on the zone/pool */
1730 old_limit = pf_pool_limits[pl->index].limit;
1731 pf_pool_limits[pl->index].limit = pl->limit;
1732 pl->limit = old_limit;
1736 case DIOCSETDEBUG: {
1737 u_int32_t *level = (u_int32_t *)addr;
1739 pf_status.debug = *level;
1743 case DIOCCLRRULECTRS: {
1744 struct pf_ruleset *ruleset = &pf_main_ruleset;
1745 struct pf_rule *rule;
1749 ruleset->rules[PF_RULESET_FILTER].active.ptr, entries)
1750 rule->evaluations = rule->packets =
1756 case DIOCGIFSPEED: {
1757 struct pf_ifspeed *psp = (struct pf_ifspeed *)addr;
1758 struct pf_ifspeed ps;
1761 if (psp->ifname[0] != 0) {
1762 /* Can we completely trust user-land? */
1763 strlcpy(ps.ifname, psp->ifname, IFNAMSIZ);
1764 ifp = ifunit(ps.ifname);
1766 psp->baudrate = ifp->if_baudrate;
1774 case DIOCSTARTALTQ: {
1775 struct pf_altq *altq;
1777 struct tb_profile tb;
1779 /* enable all altq interfaces on active list */
1781 TAILQ_FOREACH(altq, pf_altqs_active, entries) {
1782 if (altq->qname[0] == 0) {
1783 if ((ifp = ifunit(altq->ifname)) == NULL) {
1787 if (ifp->if_snd.altq_type != ALTQT_NONE)
1788 error = altq_enable(&ifp->if_snd);
1791 /* set tokenbucket regulator */
1792 tb.rate = altq->ifbandwidth;
1793 tb.depth = altq->tbrsize;
1794 error = tbr_set(&ifp->if_snd, &tb);
1800 DPFPRINTF(PF_DEBUG_MISC, ("altq: started\n"));
1804 case DIOCSTOPALTQ: {
1805 struct pf_altq *altq;
1807 struct tb_profile tb;
1810 /* disable all altq interfaces on active list */
1812 TAILQ_FOREACH(altq, pf_altqs_active, entries) {
1813 if (altq->qname[0] == 0) {
1814 if ((ifp = ifunit(altq->ifname)) == NULL) {
1818 if (ifp->if_snd.altq_type != ALTQT_NONE) {
1819 err = altq_disable(&ifp->if_snd);
1820 if (err != 0 && error == 0)
1823 /* clear tokenbucket regulator */
1825 err = tbr_set(&ifp->if_snd, &tb);
1826 if (err != 0 && error == 0)
1831 DPFPRINTF(PF_DEBUG_MISC, ("altq: stopped\n"));
1835 case DIOCBEGINALTQS: {
1836 u_int32_t *ticket = (u_int32_t *)addr;
1838 error = pf_begin_altq(ticket);
1843 struct pfioc_altq *pa = (struct pfioc_altq *)addr;
1844 struct pf_altq *altq, *a;
1846 if (pa->ticket != ticket_altqs_inactive) {
1850 altq = pool_get(&pf_altq_pl, PR_NOWAIT);
1855 bcopy(&pa->altq, altq, sizeof(struct pf_altq));
1858 * if this is for a queue, find the discipline and
1859 * copy the necessary fields
1861 if (altq->qname[0] != 0) {
1862 if ((altq->qid = pf_qname2qid(altq->qname)) == 0) {
1864 pool_put(&pf_altq_pl, altq);
1867 TAILQ_FOREACH(a, pf_altqs_inactive, entries) {
1868 if (strncmp(a->ifname, altq->ifname,
1869 IFNAMSIZ) == 0 && a->qname[0] == 0) {
1870 altq->altq_disc = a->altq_disc;
1876 error = altq_add(altq);
1878 pool_put(&pf_altq_pl, altq);
1882 TAILQ_INSERT_TAIL(pf_altqs_inactive, altq, entries);
1883 bcopy(altq, &pa->altq, sizeof(struct pf_altq));
1887 case DIOCCOMMITALTQS: {
1888 u_int32_t ticket = *(u_int32_t *)addr;
1890 error = pf_commit_altq(ticket);
1894 case DIOCGETALTQS: {
1895 struct pfioc_altq *pa = (struct pfioc_altq *)addr;
1896 struct pf_altq *altq;
1900 TAILQ_FOREACH(altq, pf_altqs_active, entries)
1902 pa->ticket = ticket_altqs_active;
1908 struct pfioc_altq *pa = (struct pfioc_altq *)addr;
1909 struct pf_altq *altq;
1912 if (pa->ticket != ticket_altqs_active) {
1918 altq = TAILQ_FIRST(pf_altqs_active);
1919 while ((altq != NULL) && (nr < pa->nr)) {
1920 altq = TAILQ_NEXT(altq, entries);
1928 bcopy(altq, &pa->altq, sizeof(struct pf_altq));
1933 case DIOCCHANGEALTQ:
1934 /* CHANGEALTQ not supported yet! */
1938 case DIOCGETQSTATS: {
1939 struct pfioc_qstats *pq = (struct pfioc_qstats *)addr;
1940 struct pf_altq *altq;
1944 if (pq->ticket != ticket_altqs_active) {
1948 nbytes = pq->nbytes;
1951 altq = TAILQ_FIRST(pf_altqs_active);
1952 while ((altq != NULL) && (nr < pq->nr)) {
1953 altq = TAILQ_NEXT(altq, entries);
1961 error = altq_getqstats(altq, pq->buf, &nbytes);
1964 pq->scheduler = altq->scheduler;
1965 pq->nbytes = nbytes;
1971 case DIOCBEGINADDRS: {
1972 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
1974 pf_empty_pool(&pf_pabuf);
1975 pp->ticket = ++ticket_pabuf;
1980 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
1983 if (pp->af == AF_INET) {
1984 error = EAFNOSUPPORT;
1989 if (pp->af == AF_INET6) {
1990 error = EAFNOSUPPORT;
1994 if (pp->addr.addr.type != PF_ADDR_ADDRMASK &&
1995 pp->addr.addr.type != PF_ADDR_DYNIFTL &&
1996 pp->addr.addr.type != PF_ADDR_TABLE) {
2000 pa = pool_get(&pf_pooladdr_pl, PR_NOWAIT);
2005 bcopy(&pp->addr, pa, sizeof(struct pf_pooladdr));
2006 if (pa->ifname[0]) {
2007 pa->kif = pfi_attach_rule(pa->ifname);
2008 if (pa->kif == NULL) {
2009 pool_put(&pf_pooladdr_pl, pa);
2014 if (pfi_dynaddr_setup(&pa->addr, pp->af)) {
2015 pfi_dynaddr_remove(&pa->addr);
2016 pfi_detach_rule(pa->kif);
2017 pool_put(&pf_pooladdr_pl, pa);
2021 TAILQ_INSERT_TAIL(&pf_pabuf, pa, entries);
2025 case DIOCGETADDRS: {
2026 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
2030 pool = pf_get_pool(pp->anchor, pp->ruleset, pp->ticket,
2031 pp->r_action, pp->r_num, 0, 1, 0);
2037 TAILQ_FOREACH(pa, &pool->list, entries)
2044 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
2048 pool = pf_get_pool(pp->anchor, pp->ruleset, pp->ticket,
2049 pp->r_action, pp->r_num, 0, 1, 1);
2055 pa = TAILQ_FIRST(&pool->list);
2056 while ((pa != NULL) && (nr < pp->nr)) {
2057 pa = TAILQ_NEXT(pa, entries);
2065 bcopy(pa, &pp->addr, sizeof(struct pf_pooladdr));
2066 pfi_dynaddr_copyout(&pp->addr.addr);
2067 pf_tbladdr_copyout(&pp->addr.addr);
2072 case DIOCCHANGEADDR: {
2073 struct pfioc_pooladdr *pca = (struct pfioc_pooladdr *)addr;
2074 struct pf_pooladdr *oldpa = NULL, *newpa = NULL;
2075 struct pf_ruleset *ruleset;
2077 if (pca->action < PF_CHANGE_ADD_HEAD ||
2078 pca->action > PF_CHANGE_REMOVE) {
2082 if (pca->addr.addr.type != PF_ADDR_ADDRMASK &&
2083 pca->addr.addr.type != PF_ADDR_DYNIFTL &&
2084 pca->addr.addr.type != PF_ADDR_TABLE) {
2089 ruleset = pf_find_ruleset(pca->anchor, pca->ruleset);
2090 if (ruleset == NULL) {
2094 pool = pf_get_pool(pca->anchor, pca->ruleset, pca->ticket,
2095 pca->r_action, pca->r_num, pca->r_last, 1, 1);
2100 if (pca->action != PF_CHANGE_REMOVE) {
2101 newpa = pool_get(&pf_pooladdr_pl, PR_NOWAIT);
2102 if (newpa == NULL) {
2106 bcopy(&pca->addr, newpa, sizeof(struct pf_pooladdr));
2108 if (pca->af == AF_INET) {
2109 pool_put(&pf_pooladdr_pl, newpa);
2110 error = EAFNOSUPPORT;
2115 if (pca->af == AF_INET6) {
2116 pool_put(&pf_pooladdr_pl, newpa);
2117 error = EAFNOSUPPORT;
2121 if (newpa->ifname[0]) {
2122 newpa->kif = pfi_attach_rule(newpa->ifname);
2123 if (newpa->kif == NULL) {
2124 pool_put(&pf_pooladdr_pl, newpa);
2130 if (pfi_dynaddr_setup(&newpa->addr, pca->af) ||
2131 pf_tbladdr_setup(ruleset, &newpa->addr)) {
2132 pfi_dynaddr_remove(&newpa->addr);
2133 pfi_detach_rule(newpa->kif);
2134 pool_put(&pf_pooladdr_pl, newpa);
2142 if (pca->action == PF_CHANGE_ADD_HEAD)
2143 oldpa = TAILQ_FIRST(&pool->list);
2144 else if (pca->action == PF_CHANGE_ADD_TAIL)
2145 oldpa = TAILQ_LAST(&pool->list, pf_palist);
2149 oldpa = TAILQ_FIRST(&pool->list);
2150 while ((oldpa != NULL) && (i < pca->nr)) {
2151 oldpa = TAILQ_NEXT(oldpa, entries);
2154 if (oldpa == NULL) {
2161 if (pca->action == PF_CHANGE_REMOVE) {
2162 TAILQ_REMOVE(&pool->list, oldpa, entries);
2163 pfi_dynaddr_remove(&oldpa->addr);
2164 pf_tbladdr_remove(&oldpa->addr);
2165 pfi_detach_rule(oldpa->kif);
2166 pool_put(&pf_pooladdr_pl, oldpa);
2169 TAILQ_INSERT_TAIL(&pool->list, newpa, entries);
2170 else if (pca->action == PF_CHANGE_ADD_HEAD ||
2171 pca->action == PF_CHANGE_ADD_BEFORE)
2172 TAILQ_INSERT_BEFORE(oldpa, newpa, entries);
2174 TAILQ_INSERT_AFTER(&pool->list, oldpa,
2178 pool->cur = TAILQ_FIRST(&pool->list);
2179 PF_ACPY(&pool->counter, &pool->cur->addr.v.a.addr,
2185 case DIOCGETANCHORS: {
2186 struct pfioc_anchor *pa = (struct pfioc_anchor *)addr;
2187 struct pf_anchor *anchor;
2190 TAILQ_FOREACH(anchor, &pf_anchors, entries)
2195 case DIOCGETANCHOR: {
2196 struct pfioc_anchor *pa = (struct pfioc_anchor *)addr;
2197 struct pf_anchor *anchor;
2200 anchor = TAILQ_FIRST(&pf_anchors);
2201 while (anchor != NULL && nr < pa->nr) {
2202 anchor = TAILQ_NEXT(anchor, entries);
2208 bcopy(anchor->name, pa->name, sizeof(pa->name));
2212 case DIOCGETRULESETS: {
2213 struct pfioc_ruleset *pr = (struct pfioc_ruleset *)addr;
2214 struct pf_anchor *anchor;
2215 struct pf_ruleset *ruleset;
2217 pr->anchor[PF_ANCHOR_NAME_SIZE-1] = 0;
2218 if ((anchor = pf_find_anchor(pr->anchor)) == NULL) {
2223 TAILQ_FOREACH(ruleset, &anchor->rulesets, entries)
2228 case DIOCGETRULESET: {
2229 struct pfioc_ruleset *pr = (struct pfioc_ruleset *)addr;
2230 struct pf_anchor *anchor;
2231 struct pf_ruleset *ruleset;
2234 if ((anchor = pf_find_anchor(pr->anchor)) == NULL) {
2238 ruleset = TAILQ_FIRST(&anchor->rulesets);
2239 while (ruleset != NULL && nr < pr->nr) {
2240 ruleset = TAILQ_NEXT(ruleset, entries);
2243 if (ruleset == NULL)
2246 bcopy(ruleset->name, pr->name, sizeof(pr->name));
2250 case DIOCRCLRTABLES: {
2251 struct pfioc_table *io = (struct pfioc_table *)addr;
2253 if (io->pfrio_esize != 0) {
2257 error = pfr_clr_tables(&io->pfrio_table, &io->pfrio_ndel,
2258 io->pfrio_flags | PFR_FLAG_USERIOCTL);
2262 case DIOCRADDTABLES: {
2263 struct pfioc_table *io = (struct pfioc_table *)addr;
2265 if (io->pfrio_esize != sizeof(struct pfr_table)) {
2269 error = pfr_add_tables(io->pfrio_buffer, io->pfrio_size,
2270 &io->pfrio_nadd, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2274 case DIOCRDELTABLES: {
2275 struct pfioc_table *io = (struct pfioc_table *)addr;
2277 if (io->pfrio_esize != sizeof(struct pfr_table)) {
2281 error = pfr_del_tables(io->pfrio_buffer, io->pfrio_size,
2282 &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2286 case DIOCRGETTABLES: {
2287 struct pfioc_table *io = (struct pfioc_table *)addr;
2289 if (io->pfrio_esize != sizeof(struct pfr_table)) {
2293 error = pfr_get_tables(&io->pfrio_table, io->pfrio_buffer,
2294 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2298 case DIOCRGETTSTATS: {
2299 struct pfioc_table *io = (struct pfioc_table *)addr;
2301 if (io->pfrio_esize != sizeof(struct pfr_tstats)) {
2305 error = pfr_get_tstats(&io->pfrio_table, io->pfrio_buffer,
2306 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2310 case DIOCRCLRTSTATS: {
2311 struct pfioc_table *io = (struct pfioc_table *)addr;
2313 if (io->pfrio_esize != sizeof(struct pfr_table)) {
2317 error = pfr_clr_tstats(io->pfrio_buffer, io->pfrio_size,
2318 &io->pfrio_nzero, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2322 case DIOCRSETTFLAGS: {
2323 struct pfioc_table *io = (struct pfioc_table *)addr;
2325 if (io->pfrio_esize != sizeof(struct pfr_table)) {
2329 error = pfr_set_tflags(io->pfrio_buffer, io->pfrio_size,
2330 io->pfrio_setflag, io->pfrio_clrflag, &io->pfrio_nchange,
2331 &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2335 case DIOCRCLRADDRS: {
2336 struct pfioc_table *io = (struct pfioc_table *)addr;
2338 if (io->pfrio_esize != 0) {
2342 error = pfr_clr_addrs(&io->pfrio_table, &io->pfrio_ndel,
2343 io->pfrio_flags | PFR_FLAG_USERIOCTL);
2347 case DIOCRADDADDRS: {
2348 struct pfioc_table *io = (struct pfioc_table *)addr;
2350 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2354 error = pfr_add_addrs(&io->pfrio_table, io->pfrio_buffer,
2355 io->pfrio_size, &io->pfrio_nadd, io->pfrio_flags |
2356 PFR_FLAG_USERIOCTL);
2360 case DIOCRDELADDRS: {
2361 struct pfioc_table *io = (struct pfioc_table *)addr;
2363 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2367 error = pfr_del_addrs(&io->pfrio_table, io->pfrio_buffer,
2368 io->pfrio_size, &io->pfrio_ndel, io->pfrio_flags |
2369 PFR_FLAG_USERIOCTL);
2373 case DIOCRSETADDRS: {
2374 struct pfioc_table *io = (struct pfioc_table *)addr;
2376 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2380 error = pfr_set_addrs(&io->pfrio_table, io->pfrio_buffer,
2381 io->pfrio_size, &io->pfrio_size2, &io->pfrio_nadd,
2382 &io->pfrio_ndel, &io->pfrio_nchange, io->pfrio_flags |
2383 PFR_FLAG_USERIOCTL);
2387 case DIOCRGETADDRS: {
2388 struct pfioc_table *io = (struct pfioc_table *)addr;
2390 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2394 error = pfr_get_addrs(&io->pfrio_table, io->pfrio_buffer,
2395 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2399 case DIOCRGETASTATS: {
2400 struct pfioc_table *io = (struct pfioc_table *)addr;
2402 if (io->pfrio_esize != sizeof(struct pfr_astats)) {
2406 error = pfr_get_astats(&io->pfrio_table, io->pfrio_buffer,
2407 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2411 case DIOCRCLRASTATS: {
2412 struct pfioc_table *io = (struct pfioc_table *)addr;
2414 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2418 error = pfr_clr_astats(&io->pfrio_table, io->pfrio_buffer,
2419 io->pfrio_size, &io->pfrio_nzero, io->pfrio_flags |
2420 PFR_FLAG_USERIOCTL);
2424 case DIOCRTSTADDRS: {
2425 struct pfioc_table *io = (struct pfioc_table *)addr;
2427 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2431 error = pfr_tst_addrs(&io->pfrio_table, io->pfrio_buffer,
2432 io->pfrio_size, &io->pfrio_nmatch, io->pfrio_flags |
2433 PFR_FLAG_USERIOCTL);
2437 case DIOCRINABEGIN: {
2438 struct pfioc_table *io = (struct pfioc_table *)addr;
2440 if (io->pfrio_esize != 0) {
2444 error = pfr_ina_begin(&io->pfrio_table, &io->pfrio_ticket,
2445 &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2449 case DIOCRINACOMMIT: {
2450 struct pfioc_table *io = (struct pfioc_table *)addr;
2452 if (io->pfrio_esize != 0) {
2456 error = pfr_ina_commit(&io->pfrio_table, io->pfrio_ticket,
2457 &io->pfrio_nadd, &io->pfrio_nchange, io->pfrio_flags |
2458 PFR_FLAG_USERIOCTL);
2462 case DIOCRINADEFINE: {
2463 struct pfioc_table *io = (struct pfioc_table *)addr;
2465 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2469 error = pfr_ina_define(&io->pfrio_table, io->pfrio_buffer,
2470 io->pfrio_size, &io->pfrio_nadd, &io->pfrio_naddr,
2471 io->pfrio_ticket, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2476 struct pf_osfp_ioctl *io = (struct pf_osfp_ioctl *)addr;
2478 error = pf_osfp_add(io);
2484 struct pf_osfp_ioctl *io = (struct pf_osfp_ioctl *)addr;
2486 error = pf_osfp_get(io);
2492 struct pfioc_trans *io = (struct pfioc_trans *)addr;
2493 struct pfioc_trans_e ioe;
2494 struct pfr_table table;
2497 if (io->esize != sizeof(ioe)) {
2501 for (i = 0; i < io->size; i++) {
2502 if (copyin(io->array+i, &ioe, sizeof(ioe))) {
2506 switch (ioe.rs_num) {
2508 case PF_RULESET_ALTQ:
2509 if (ioe.anchor[0] || ioe.ruleset[0]) {
2513 if ((error = pf_begin_altq(&ioe.ticket)))
2517 case PF_RULESET_TABLE:
2518 bzero(&table, sizeof(table));
2519 strlcpy(table.pfrt_anchor, ioe.anchor,
2520 sizeof(table.pfrt_anchor));
2521 strlcpy(table.pfrt_ruleset, ioe.ruleset,
2522 sizeof(table.pfrt_ruleset));
2523 if ((error = pfr_ina_begin(&table,
2524 &ioe.ticket, NULL, 0)))
2528 if ((error = pf_begin_rules(&ioe.ticket,
2529 ioe.rs_num, ioe.anchor, ioe.ruleset)))
2533 if (copyout(&ioe, io->array+i, sizeof(io->array[i]))) {
2541 case DIOCXROLLBACK: {
2542 struct pfioc_trans *io = (struct pfioc_trans *)addr;
2543 struct pfioc_trans_e ioe;
2544 struct pfr_table table;
2547 if (io->esize != sizeof(ioe)) {
2551 for (i = 0; i < io->size; i++) {
2552 if (copyin(io->array+i, &ioe, sizeof(ioe))) {
2556 switch (ioe.rs_num) {
2558 case PF_RULESET_ALTQ:
2559 if (ioe.anchor[0] || ioe.ruleset[0]) {
2563 if ((error = pf_rollback_altq(ioe.ticket)))
2564 goto fail; /* really bad */
2567 case PF_RULESET_TABLE:
2568 bzero(&table, sizeof(table));
2569 strlcpy(table.pfrt_anchor, ioe.anchor,
2570 sizeof(table.pfrt_anchor));
2571 strlcpy(table.pfrt_ruleset, ioe.ruleset,
2572 sizeof(table.pfrt_ruleset));
2573 if ((error = pfr_ina_rollback(&table,
2574 ioe.ticket, NULL, 0)))
2575 goto fail; /* really bad */
2578 if ((error = pf_rollback_rules(ioe.ticket,
2579 ioe.rs_num, ioe.anchor, ioe.ruleset)))
2580 goto fail; /* really bad */
2588 struct pfioc_trans *io = (struct pfioc_trans *)addr;
2589 struct pfioc_trans_e ioe;
2590 struct pfr_table table;
2591 struct pf_ruleset *rs;
2594 if (io->esize != sizeof(ioe)) {
2598 /* first makes sure everything will succeed */
2599 for (i = 0; i < io->size; i++) {
2600 if (copyin(io->array+i, &ioe, sizeof(ioe))) {
2604 switch (ioe.rs_num) {
2606 case PF_RULESET_ALTQ:
2607 if (ioe.anchor[0] || ioe.ruleset[0]) {
2611 if (!altqs_inactive_open || ioe.ticket !=
2612 ticket_altqs_inactive) {
2618 case PF_RULESET_TABLE:
2619 rs = pf_find_ruleset(ioe.anchor, ioe.ruleset);
2620 if (rs == NULL || !rs->topen || ioe.ticket !=
2627 if (ioe.rs_num < 0 || ioe.rs_num >=
2632 rs = pf_find_ruleset(ioe.anchor, ioe.ruleset);
2634 !rs->rules[ioe.rs_num].inactive.open ||
2635 rs->rules[ioe.rs_num].inactive.ticket !=
2643 /* now do the commit - no errors should happen here */
2644 for (i = 0; i < io->size; i++) {
2645 if (copyin(io->array+i, &ioe, sizeof(ioe))) {
2649 switch (ioe.rs_num) {
2651 case PF_RULESET_ALTQ:
2652 if ((error = pf_commit_altq(ioe.ticket)))
2653 goto fail; /* really bad */
2656 case PF_RULESET_TABLE:
2657 bzero(&table, sizeof(table));
2658 strlcpy(table.pfrt_anchor, ioe.anchor,
2659 sizeof(table.pfrt_anchor));
2660 strlcpy(table.pfrt_ruleset, ioe.ruleset,
2661 sizeof(table.pfrt_ruleset));
2662 if ((error = pfr_ina_commit(&table, ioe.ticket,
2664 goto fail; /* really bad */
2667 if ((error = pf_commit_rules(ioe.ticket,
2668 ioe.rs_num, ioe.anchor, ioe.ruleset)))
2669 goto fail; /* really bad */
2676 case DIOCGETSRCNODES: {
2677 struct pfioc_src_nodes *psn = (struct pfioc_src_nodes *)addr;
2678 struct pf_src_node *n;
2679 struct pf_src_node *p, pstore;
2681 int space = psn->psn_len;
2685 RB_FOREACH(n, pf_src_tree, &tree_src_tracking)
2688 psn->psn_len = sizeof(struct pf_src_node) * nr;
2693 p = psn->psn_src_nodes;
2694 RB_FOREACH(n, pf_src_tree, &tree_src_tracking) {
2695 int secs = time_second;
2697 if ((nr + 1) * sizeof(*p) > (unsigned)psn->psn_len)
2700 bcopy(n, &pstore, sizeof(pstore));
2701 if (n->rule.ptr != NULL)
2702 pstore.rule.nr = n->rule.ptr->nr;
2703 pstore.creation = secs - pstore.creation;
2704 if (pstore.expire > secs)
2705 pstore.expire -= secs;
2708 error = copyout(&pstore, p, sizeof(*p));
2716 psn->psn_len = sizeof(struct pf_src_node) * nr;
2721 case DIOCCLRSRCNODES: {
2722 struct pf_src_node *n;
2723 struct pf_state *state;
2726 RB_FOREACH(state, pf_state_tree_id, &tree_id) {
2727 state->src_node = NULL;
2728 state->nat_src_node = NULL;
2730 RB_FOREACH(n, pf_src_tree, &tree_src_tracking) {
2734 pf_purge_expired_src_nodes();
2735 pf_status.src_nodes = 0;
2740 case DIOCSETHOSTID: {
2741 u_int32_t *hostid = (u_int32_t *)addr;
2747 pf_status.hostid = *hostid;
2757 case DIOCIGETIFACES: {
2758 struct pfioc_iface *io = (struct pfioc_iface *)addr;
2760 if (io->pfiio_esize != sizeof(struct pfi_if)) {
2764 error = pfi_get_ifaces(io->pfiio_name, io->pfiio_buffer,
2765 &io->pfiio_size, io->pfiio_flags);
2769 case DIOCICLRISTATS: {
2770 struct pfioc_iface *io = (struct pfioc_iface *)addr;
2772 error = pfi_clr_istats(io->pfiio_name, &io->pfiio_nzero,
2786 * XXX - Check for version missmatch!!!
2789 pf_clear_states(void)
2791 struct pf_state *state;
2793 RB_FOREACH(state, pf_state_tree_id, &tree_id) {
2794 state->timeout = PFTM_PURGE;
2796 /* don't send out individual delete messages */
2797 state->sync_flags = PFSTATE_NOSYNC;
2800 pf_purge_expired_states();
2801 pf_status.states = 0;
2804 * XXX This is called on module unload, we do not want to sync that over? */
2806 pfsync_clear_states(pf_status.hostid, psk->psk_ifname);
2811 pf_clear_tables(void)
2813 struct pfioc_table io;
2816 bzero(&io, sizeof(io));
2818 error = pfr_clr_tables(&io.pfrio_table, &io.pfrio_ndel,
2825 pf_clear_srcnodes(void)
2827 struct pf_src_node *n;
2828 struct pf_state *state;
2830 RB_FOREACH(state, pf_state_tree_id, &tree_id) {
2831 state->src_node = NULL;
2832 state->nat_src_node = NULL;
2834 RB_FOREACH(n, pf_src_tree, &tree_src_tracking) {
2838 pf_purge_expired_src_nodes();
2839 pf_status.src_nodes = 0;
2842 * XXX - Check for version missmatch!!!
2846 * Duplicate pfctl -Fa operation to get rid of as much as we can.
2855 callout_stop(&pf_expire_to);
2857 pf_status.running = 0;
2859 if ((error = pf_begin_rules(&t[0], PF_RULESET_SCRUB, &nn,
2861 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: SCRUB\n"));
2864 if ((error = pf_begin_rules(&t[1], PF_RULESET_FILTER, &nn,
2866 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: FILTER\n"));
2867 break; /* XXX: rollback? */
2869 if ((error = pf_begin_rules(&t[2], PF_RULESET_NAT, &nn, &nn))
2871 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: NAT\n"));
2872 break; /* XXX: rollback? */
2874 if ((error = pf_begin_rules(&t[3], PF_RULESET_BINAT, &nn, &nn))
2876 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: BINAT\n"));
2877 break; /* XXX: rollback? */
2879 if ((error = pf_begin_rules(&t[4], PF_RULESET_RDR, &nn, &nn))
2881 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: RDR\n"));
2882 break; /* XXX: rollback? */
2885 /* XXX: these should always succeed here */
2886 pf_commit_rules(t[0], PF_RULESET_SCRUB, &nn, &nn);
2887 pf_commit_rules(t[1], PF_RULESET_FILTER, &nn, &nn);
2888 pf_commit_rules(t[2], PF_RULESET_NAT, &nn, &nn);
2889 pf_commit_rules(t[3], PF_RULESET_BINAT, &nn, &nn);
2890 pf_commit_rules(t[4], PF_RULESET_RDR, &nn, &nn);
2892 if ((error = pf_clear_tables()) != 0)
2896 if ((error = pf_begin_altq(&t[0])) != 0) {
2897 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: ALTQ\n"));
2900 pf_commit_altq(t[0]);
2905 pf_clear_srcnodes();
2907 /* status does not use malloced mem so no need to cleanup */
2908 /* fingerprints and interfaces have their own cleanup code */
2915 pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir)
2918 * DragonFly's version of pf uses FreeBSD's native host byte ordering
2919 * for ip_len/ip_off. This is why we don't have to change byte order
2920 * like the FreeBSD-5 version does.
2924 chk = pf_test(PF_IN, ifp, m);
2933 pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir)
2936 * DragonFly's version of pf uses FreeBSD's native host byte ordering
2937 * for ip_len/ip_off. This is why we don't have to change byte order
2938 * like the FreeBSD-5 version does.
2942 /* We need a proper CSUM befor we start (s. OpenBSD ip_output) */
2943 if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
2944 in_delayed_cksum(*m);
2945 (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
2947 chk = pf_test(PF_OUT, ifp, m);
2957 pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir)
2960 * IPv6 is not affected by ip_len/ip_off byte order changes.
2964 chk = pf_test6(PF_IN, ifp, m);
2973 pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir)
2976 * IPv6 is not affected by ip_len/ip_off byte order changes.
2980 /* We need a proper CSUM befor we start (s. OpenBSD ip_output) */
2981 if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
2982 in_delayed_cksum(*m);
2983 (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
2985 chk = pf_test6(PF_OUT, ifp, m);
2997 struct pfil_head *pfh_inet;
2999 struct pfil_head *pfh_inet6;
3005 pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
3006 if (pfh_inet == NULL)
3008 pfil_add_hook(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet);
3009 pfil_add_hook(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet);
3011 pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
3012 if (pfh_inet6 == NULL) {
3013 pfil_remove_hook(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK,
3015 pfil_remove_hook(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK,
3019 pfil_add_hook(pf_check6_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6);
3020 pfil_add_hook(pf_check6_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6);
3030 struct pfil_head *pfh_inet;
3032 struct pfil_head *pfh_inet6;
3035 if (pf_pfil_hooked == 0)
3038 pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
3039 if (pfh_inet == NULL)
3041 pfil_remove_hook(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK,
3043 pfil_remove_hook(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK,
3046 pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
3047 if (pfh_inet6 == NULL)
3049 pfil_remove_hook(pf_check6_in, NULL, PFIL_IN | PFIL_WAITOK,
3051 pfil_remove_hook(pf_check6_out, NULL, PFIL_OUT | PFIL_WAITOK,
3065 error = cdevsw_add(&pf_cdevsw, 0, 0);
3068 pf_dev = make_dev(&pf_cdevsw, 0, 0, 0, 0600, PF_NAME);
3071 cdevsw_remove(&pf_cdevsw, 0, 0);
3082 pf_status.running = 0;
3083 error = dehook_pf();
3086 * Should not happen!
3087 * XXX Due to error code ESRCH, kldunload will show
3088 * a message like 'No such process'.
3090 printf("pfil unregisteration fail\n");
3098 cdevsw_remove(&pf_cdevsw, 0, 0);
3103 pf_modevent(module_t mod, int type, void *data)
3113 error = pf_unload();
3122 static moduledata_t pf_mod = {
3128 DECLARE_MODULE(pf, pf_mod, SI_SUB_PSEUDO, SI_ORDER_FIRST);
3129 MODULE_VERSION(pf, PF_MODVER);
projects / dragonfly.git / blob