1 /* $FreeBSD: src/sys/contrib/pf/net/pf_ioctl.c,v 1.12 2004/08/12 14:15:42 mlaier Exp $ */
2 /* $OpenBSD: pf_ioctl.c,v 1.112.2.2 2004/07/24 18:28:12 brad Exp $ */
3 /* $OpenBSD: pf_ioctl.c,v 1.175 2007/02/26 22:47:43 deraadt Exp $ */
6 * Copyright (c) 2010 The DragonFly Project. All rights reserved.
8 * Copyright (c) 2001 Daniel Hartmeier
9 * Copyright (c) 2002,2003 Henning Brauer
10 * All rights reserved.
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
16 * - Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * - Redistributions in binary form must reproduce the above
19 * copyright notice, this list of conditions and the following
20 * disclaimer in the documentation and/or other materials provided
21 * with the distribution.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
26 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
27 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
28 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
29 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
30 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
31 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
33 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
34 * POSSIBILITY OF SUCH DAMAGE.
36 * Effort sponsored in part by the Defense Advanced Research Projects
37 * Agency (DARPA) and Air Force Research Laboratory, Air Force
38 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
43 #include "opt_inet6.h"
44 #include "use_pfsync.h"
46 #include <sys/param.h>
47 #include <sys/systm.h>
49 #include <sys/device.h>
51 #include <sys/filio.h>
52 #include <sys/fcntl.h>
53 #include <sys/socket.h>
54 #include <sys/socketvar.h>
55 #include <sys/kernel.h>
56 #include <sys/kthread.h>
59 #include <sys/malloc.h>
60 #include <sys/module.h>
61 #include <vm/vm_zone.h>
64 #include <sys/thread2.h>
65 #include <sys/mplock2.h>
68 #include <net/if_types.h>
69 #include <net/route.h>
71 #include <netinet/in.h>
72 #include <netinet/in_var.h>
73 #include <netinet/in_systm.h>
74 #include <netinet/ip.h>
75 #include <netinet/ip_var.h>
76 #include <netinet/ip_icmp.h>
78 #include <net/pf/pfvar.h>
80 #include <net/pf/pfvar.h>
83 #include <net/pf/if_pfsync.h>
84 #endif /* NPFSYNC > 0 */
87 #include <net/if_pflog.h>
88 #endif /* NPFLOG > 0 */
91 #include <netinet/ip6.h>
92 #include <netinet/in_pcb.h>
96 #include <net/altq/altq.h>
99 #include <machine/limits.h>
100 #include <net/pfil.h>
101 #include <sys/mutex.h>
103 u_int rt_numfibs = RT_NUMFIBS;
105 void init_zone_var(void);
106 void cleanup_pf_zone(void);
108 struct pf_pool *pf_get_pool(char *, u_int32_t, u_int8_t, u_int32_t,
109 u_int8_t, u_int8_t, u_int8_t);
111 void pf_mv_pool(struct pf_palist *, struct pf_palist *);
112 void pf_empty_pool(struct pf_palist *);
114 int pf_begin_altq(u_int32_t *);
115 int pf_rollback_altq(u_int32_t);
116 int pf_commit_altq(u_int32_t);
117 int pf_enable_altq(struct pf_altq *);
118 int pf_disable_altq(struct pf_altq *);
120 int pf_begin_rules(u_int32_t *, int, const char *);
121 int pf_rollback_rules(u_int32_t, int, char *);
122 int pf_setup_pfsync_matching(struct pf_ruleset *);
123 void pf_hash_rule(MD5_CTX *, struct pf_rule *);
124 void pf_hash_rule_addr(MD5_CTX *, struct pf_rule_addr *);
125 int pf_commit_rules(u_int32_t, int, char *);
127 struct pf_rule pf_default_rule;
128 struct lock pf_consistency_lock;
130 static int pf_altq_running;
133 #define TAGID_MAX 50000
134 TAILQ_HEAD(pf_tags, pf_tagname) pf_tags = TAILQ_HEAD_INITIALIZER(pf_tags),
135 pf_qids = TAILQ_HEAD_INITIALIZER(pf_qids);
137 #if (PF_QNAME_SIZE != PF_TAG_NAME_SIZE)
138 #error PF_QNAME_SIZE must be equal to PF_TAG_NAME_SIZE
140 u_int16_t tagname2tag(struct pf_tags *, char *);
141 void tag2tagname(struct pf_tags *, u_int16_t, char *);
142 void tag_unref(struct pf_tags *, u_int16_t);
143 int pf_rtlabel_add(struct pf_addr_wrap *);
144 void pf_rtlabel_remove(struct pf_addr_wrap *);
145 void pf_rtlabel_copyout(struct pf_addr_wrap *);
147 #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) kprintf x
149 static cdev_t pf_dev;
152 * XXX - These are new and need to be checked when moveing to a new version
154 static void pf_clear_states(void);
155 static int pf_clear_tables(void);
156 static void pf_clear_srcnodes(void);
158 * XXX - These are new and need to be checked when moveing to a new version
162 * Wrapper functions for pfil(9) hooks
164 static int pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp,
166 static int pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp,
169 static int pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp,
171 static int pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp,
175 static int hook_pf(void);
176 static int dehook_pf(void);
177 static int shutdown_pf(void);
178 static int pf_load(void);
179 static int pf_unload(void);
185 static struct dev_ops pf_ops = { /* XXX convert to port model */
192 static volatile int pf_pfil_hooked = 0;
193 int pf_end_threads = 0;
194 struct lock pf_mod_lck;
196 int debug_pfugidhack = 0;
197 SYSCTL_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RW, &debug_pfugidhack, 0,
198 "Enable/disable pf user/group rules mpsafe hack");
203 pf_src_tree_pl = pf_rule_pl = NULL;
204 pf_state_pl = pf_altq_pl = pf_pooladdr_pl = NULL;
205 pf_frent_pl = pf_frag_pl = pf_cache_pl = pf_cent_pl = NULL;
206 pf_state_scrub_pl = NULL;
207 pfr_ktable_pl = pfr_kentry_pl = NULL;
211 cleanup_pf_zone(void)
213 ZONE_DESTROY(pf_src_tree_pl);
214 ZONE_DESTROY(pf_rule_pl);
215 ZONE_DESTROY(pf_state_pl);
216 ZONE_DESTROY(pf_altq_pl);
217 ZONE_DESTROY(pf_pooladdr_pl);
218 ZONE_DESTROY(pf_frent_pl);
219 ZONE_DESTROY(pf_frag_pl);
220 ZONE_DESTROY(pf_cache_pl);
221 ZONE_DESTROY(pf_cent_pl);
222 ZONE_DESTROY(pfr_ktable_pl);
223 ZONE_DESTROY(pfr_kentry_pl);
224 ZONE_DESTROY(pf_state_scrub_pl);
225 ZONE_DESTROY(pfi_addr_pl);
231 u_int32_t *my_timeout = pf_default_rule.timeout;
235 ZONE_CREATE(pf_src_tree_pl,struct pf_src_node, "pfsrctrpl");
236 ZONE_CREATE(pf_rule_pl, struct pf_rule, "pfrulepl");
237 ZONE_CREATE(pf_state_pl, struct pf_state, "pfstatepl");
238 ZONE_CREATE(pf_altq_pl, struct pf_altq, "pfaltqpl");
239 ZONE_CREATE(pf_pooladdr_pl,struct pf_pooladdr, "pfpooladdrpl");
240 ZONE_CREATE(pfr_ktable_pl, struct pfr_ktable, "pfrktable");
241 ZONE_CREATE(pfr_kentry_pl, struct pfr_kentry, "pfrkentry");
242 ZONE_CREATE(pf_frent_pl, struct pf_frent, "pffrent");
243 ZONE_CREATE(pf_frag_pl, struct pf_fragment, "pffrag");
244 ZONE_CREATE(pf_cache_pl, struct pf_fragment, "pffrcache");
245 ZONE_CREATE(pf_cent_pl, struct pf_frcache, "pffrcent");
246 ZONE_CREATE(pf_state_scrub_pl, struct pf_state_scrub,
248 ZONE_CREATE(pfi_addr_pl, struct pfi_dynaddr, "pfiaddrpl");
257 error = pf_osfp_initialize();
264 pf_pool_limits[PF_LIMIT_STATES].pp = pf_state_pl;
265 pf_pool_limits[PF_LIMIT_STATES].limit = PFSTATE_HIWAT;
266 pf_pool_limits[PF_LIMIT_FRAGS].pp = pf_frent_pl;
267 pf_pool_limits[PF_LIMIT_FRAGS].limit = PFFRAG_FRENT_HIWAT;
268 /* XXX uma_zone_set_max(pf_pool_limits[PF_LIMIT_STATES].pp,
269 pf_pool_limits[PF_LIMIT_STATES].limit);
271 if (ctob(physmem) <= 100*1024*1024)
272 pf_pool_limits[PF_LIMIT_TABLE_ENTRIES].limit =
273 PFR_KENTRY_HIWAT_SMALL;
274 RB_INIT(&tree_src_tracking);
275 RB_INIT(&pf_anchors);
276 pf_init_ruleset(&pf_main_ruleset);
277 TAILQ_INIT(&pf_altqs[0]);
278 TAILQ_INIT(&pf_altqs[1]);
279 TAILQ_INIT(&pf_pabuf);
280 pf_altqs_active = &pf_altqs[0];
281 pf_altqs_inactive = &pf_altqs[1];
282 TAILQ_INIT(&state_list);
284 /* default rule should never be garbage collected */
285 pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next;
286 pf_default_rule.action = PF_PASS;
287 pf_default_rule.nr = (uint32_t)(-1);
288 pf_default_rule.rtableid = -1;
290 /* initialize default timeouts */
291 my_timeout[PFTM_TCP_FIRST_PACKET] = 120; /* First TCP packet */
292 my_timeout[PFTM_TCP_OPENING] = 30; /* No response yet */
293 my_timeout[PFTM_TCP_ESTABLISHED] = 24*60*60; /* Established */
294 my_timeout[PFTM_TCP_CLOSING] = 15 * 60; /* Half closed */
295 my_timeout[PFTM_TCP_FIN_WAIT] = 45; /* Got both FINs */
296 my_timeout[PFTM_TCP_CLOSED] = 90; /* Got a RST */
297 my_timeout[PFTM_UDP_FIRST_PACKET] = 60; /* First UDP packet */
298 my_timeout[PFTM_UDP_SINGLE] = 30; /* Unidirectional */
299 my_timeout[PFTM_UDP_MULTIPLE] = 60; /* Bidirectional */
300 my_timeout[PFTM_ICMP_FIRST_PACKET] = 20; /* First ICMP packet */
301 my_timeout[PFTM_ICMP_ERROR_REPLY] = 10; /* Got error response */
302 my_timeout[PFTM_OTHER_FIRST_PACKET] = 60; /* First packet */
303 my_timeout[PFTM_OTHER_SINGLE] = 30; /* Unidirectional */
304 my_timeout[PFTM_OTHER_MULTIPLE] = 60; /* Bidirectional */
305 my_timeout[PFTM_FRAG] = 30; /* Fragment expire */
306 my_timeout[PFTM_INTERVAL] = 10; /* Expire interval */
307 my_timeout[PFTM_SRC_NODE] = 0; /* Source Tracking */
308 my_timeout[PFTM_TS_DIFF] = 30; /* Allowed TS diff */
309 my_timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;
310 my_timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;
313 bzero(&pf_status, sizeof(pf_status));
314 pf_status.debug = PF_DEBUG_URGENT;
316 /* XXX do our best to avoid a conflict */
317 pf_status.hostid = karc4random();
319 if (kthread_create(pf_purge_thread, NULL, NULL, "pfpurge"))
320 panic("pfpurge thread");
326 pfopen(struct dev_open_args *ap)
328 cdev_t dev = ap->a_head.a_dev;
335 pfclose(struct dev_close_args *ap)
337 cdev_t dev = ap->a_head.a_dev;
344 pf_get_pool(char *anchor, u_int32_t ticket, u_int8_t rule_action,
345 u_int32_t rule_number, u_int8_t r_last, u_int8_t active,
346 u_int8_t check_ticket)
348 struct pf_ruleset *ruleset;
349 struct pf_rule *rule;
352 ruleset = pf_find_ruleset(anchor);
355 rs_num = pf_get_ruleset_number(rule_action);
356 if (rs_num >= PF_RULESET_MAX)
359 if (check_ticket && ticket !=
360 ruleset->rules[rs_num].active.ticket)
363 rule = TAILQ_LAST(ruleset->rules[rs_num].active.ptr,
366 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
368 if (check_ticket && ticket !=
369 ruleset->rules[rs_num].inactive.ticket)
372 rule = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
375 rule = TAILQ_FIRST(ruleset->rules[rs_num].inactive.ptr);
378 while ((rule != NULL) && (rule->nr != rule_number))
379 rule = TAILQ_NEXT(rule, entries);
384 return (&rule->rpool);
388 pf_mv_pool(struct pf_palist *poola, struct pf_palist *poolb)
390 struct pf_pooladdr *mv_pool_pa;
392 while ((mv_pool_pa = TAILQ_FIRST(poola)) != NULL) {
393 TAILQ_REMOVE(poola, mv_pool_pa, entries);
394 TAILQ_INSERT_TAIL(poolb, mv_pool_pa, entries);
399 pf_empty_pool(struct pf_palist *poola)
401 struct pf_pooladdr *empty_pool_pa;
403 while ((empty_pool_pa = TAILQ_FIRST(poola)) != NULL) {
404 pfi_dynaddr_remove(&empty_pool_pa->addr);
405 pf_tbladdr_remove(&empty_pool_pa->addr);
406 pfi_kif_unref(empty_pool_pa->kif, PFI_KIF_REF_RULE);
407 TAILQ_REMOVE(poola, empty_pool_pa, entries);
408 pool_put(&pf_pooladdr_pl, empty_pool_pa);
413 pf_rm_rule(struct pf_rulequeue *rulequeue, struct pf_rule *rule)
415 if (rulequeue != NULL) {
416 if (rule->states <= 0) {
418 * XXX - we need to remove the table *before* detaching
419 * the rule to make sure the table code does not delete
420 * the anchor under our feet.
422 pf_tbladdr_remove(&rule->src.addr);
423 pf_tbladdr_remove(&rule->dst.addr);
424 if (rule->overload_tbl)
425 pfr_detach_table(rule->overload_tbl);
427 TAILQ_REMOVE(rulequeue, rule, entries);
428 rule->entries.tqe_prev = NULL;
432 if (rule->states > 0 || rule->src_nodes > 0 ||
433 rule->entries.tqe_prev != NULL)
435 pf_tag_unref(rule->tag);
436 pf_tag_unref(rule->match_tag);
438 if (rule->pqid != rule->qid)
439 pf_qid_unref(rule->pqid);
440 pf_qid_unref(rule->qid);
442 pf_rtlabel_remove(&rule->src.addr);
443 pf_rtlabel_remove(&rule->dst.addr);
444 pfi_dynaddr_remove(&rule->src.addr);
445 pfi_dynaddr_remove(&rule->dst.addr);
446 if (rulequeue == NULL) {
447 pf_tbladdr_remove(&rule->src.addr);
448 pf_tbladdr_remove(&rule->dst.addr);
449 if (rule->overload_tbl)
450 pfr_detach_table(rule->overload_tbl);
452 pfi_kif_unref(rule->kif, PFI_KIF_REF_RULE);
453 pf_anchor_remove(rule);
454 pf_empty_pool(&rule->rpool.list);
455 pool_put(&pf_rule_pl, rule);
459 tagname2tag(struct pf_tags *head, char *tagname)
461 struct pf_tagname *tag, *p = NULL;
462 u_int16_t new_tagid = 1;
464 TAILQ_FOREACH(tag, head, entries)
465 if (strcmp(tagname, tag->name) == 0) {
471 * to avoid fragmentation, we do a linear search from the beginning
472 * and take the first free slot we find. if there is none or the list
473 * is empty, append a new entry at the end.
477 if (!TAILQ_EMPTY(head))
478 for (p = TAILQ_FIRST(head); p != NULL &&
479 p->tag == new_tagid; p = TAILQ_NEXT(p, entries))
480 new_tagid = p->tag + 1;
482 if (new_tagid > TAGID_MAX)
485 /* allocate and fill new struct pf_tagname */
486 tag = kmalloc(sizeof(struct pf_tagname), M_TEMP, M_WAITOK);
489 bzero(tag, sizeof(struct pf_tagname));
490 strlcpy(tag->name, tagname, sizeof(tag->name));
491 tag->tag = new_tagid;
494 if (p != NULL) /* insert new entry before p */
495 TAILQ_INSERT_BEFORE(p, tag, entries);
496 else /* either list empty or no free slot in between */
497 TAILQ_INSERT_TAIL(head, tag, entries);
503 tag2tagname(struct pf_tags *head, u_int16_t tagid, char *p)
505 struct pf_tagname *tag;
507 TAILQ_FOREACH(tag, head, entries)
508 if (tag->tag == tagid) {
509 strlcpy(p, tag->name, PF_TAG_NAME_SIZE);
515 tag_unref(struct pf_tags *head, u_int16_t tag)
517 struct pf_tagname *p, *next;
522 for (p = TAILQ_FIRST(head); p != NULL; p = next) {
523 next = TAILQ_NEXT(p, entries);
526 TAILQ_REMOVE(head, p, entries);
535 pf_tagname2tag(char *tagname)
537 return (tagname2tag(&pf_tags, tagname));
541 pf_tag2tagname(u_int16_t tagid, char *p)
543 tag2tagname(&pf_tags, tagid, p);
547 pf_tag_ref(u_int16_t tag)
549 struct pf_tagname *t;
551 TAILQ_FOREACH(t, &pf_tags, entries)
559 pf_tag_unref(u_int16_t tag)
561 tag_unref(&pf_tags, tag);
565 pf_rtlabel_add(struct pf_addr_wrap *a)
571 pf_rtlabel_remove(struct pf_addr_wrap *a)
576 pf_rtlabel_copyout(struct pf_addr_wrap *a)
578 if (a->type == PF_ADDR_RTLABEL && a->v.rtlabel)
579 strlcpy(a->v.rtlabelname, "?", sizeof(a->v.rtlabelname));
584 pf_qname2qid(char *qname)
586 return ((u_int32_t)tagname2tag(&pf_qids, qname));
590 pf_qid2qname(u_int32_t qid, char *p)
592 tag2tagname(&pf_qids, (u_int16_t)qid, p);
596 pf_qid_unref(u_int32_t qid)
598 tag_unref(&pf_qids, (u_int16_t)qid);
602 pf_begin_altq(u_int32_t *ticket)
604 struct pf_altq *altq;
607 /* Purge the old altq list */
608 while ((altq = TAILQ_FIRST(pf_altqs_inactive)) != NULL) {
609 TAILQ_REMOVE(pf_altqs_inactive, altq, entries);
610 if (altq->qname[0] == 0) {
611 /* detach and destroy the discipline */
612 error = altq_remove(altq);
614 pf_qid_unref(altq->qid);
615 pool_put(&pf_altq_pl, altq);
619 *ticket = ++ticket_altqs_inactive;
620 altqs_inactive_open = 1;
625 pf_rollback_altq(u_int32_t ticket)
627 struct pf_altq *altq;
630 if (!altqs_inactive_open || ticket != ticket_altqs_inactive)
632 /* Purge the old altq list */
633 while ((altq = TAILQ_FIRST(pf_altqs_inactive)) != NULL) {
634 TAILQ_REMOVE(pf_altqs_inactive, altq, entries);
635 if (altq->qname[0] == 0) {
636 /* detach and destroy the discipline */
637 error = altq_remove(altq);
639 pf_qid_unref(altq->qid);
640 pool_put(&pf_altq_pl, altq);
642 altqs_inactive_open = 0;
647 pf_commit_altq(u_int32_t ticket)
649 struct pf_altqqueue *old_altqs;
650 struct pf_altq *altq;
653 if (!altqs_inactive_open || ticket != ticket_altqs_inactive)
656 /* swap altqs, keep the old. */
658 old_altqs = pf_altqs_active;
659 pf_altqs_active = pf_altqs_inactive;
660 pf_altqs_inactive = old_altqs;
661 ticket_altqs_active = ticket_altqs_inactive;
663 /* Attach new disciplines */
664 TAILQ_FOREACH(altq, pf_altqs_active, entries) {
665 if (altq->qname[0] == 0) {
666 /* attach the discipline */
667 error = altq_pfattach(altq);
675 /* Purge the old altq list */
676 while ((altq = TAILQ_FIRST(pf_altqs_inactive)) != NULL) {
677 TAILQ_REMOVE(pf_altqs_inactive, altq, entries);
678 if (altq->qname[0] == 0) {
679 /* detach and destroy the discipline */
681 error = pf_disable_altq(altq);
682 err = altq_pfdetach(altq);
683 if (err != 0 && error == 0)
685 err = altq_remove(altq);
686 if (err != 0 && error == 0)
689 pf_qid_unref(altq->qid);
690 pool_put(&pf_altq_pl, altq);
694 altqs_inactive_open = 0;
699 pf_enable_altq(struct pf_altq *altq)
702 struct tb_profile tb;
705 if ((ifp = ifunit(altq->ifname)) == NULL)
708 if (ifp->if_snd.altq_type != ALTQT_NONE)
709 error = altq_enable(&ifp->if_snd);
711 /* set tokenbucket regulator */
712 if (error == 0 && ifp != NULL && ALTQ_IS_ENABLED(&ifp->if_snd)) {
713 tb.rate = altq->ifbandwidth;
714 tb.depth = altq->tbrsize;
716 error = tbr_set(&ifp->if_snd, &tb);
724 pf_disable_altq(struct pf_altq *altq)
727 struct tb_profile tb;
730 if ((ifp = ifunit(altq->ifname)) == NULL)
734 * when the discipline is no longer referenced, it was overridden
735 * by a new one. if so, just return.
737 if (altq->altq_disc != ifp->if_snd.altq_disc)
740 error = altq_disable(&ifp->if_snd);
743 /* clear tokenbucket regulator */
746 error = tbr_set(&ifp->if_snd, &tb);
755 pf_begin_rules(u_int32_t *ticket, int rs_num, const char *anchor)
757 struct pf_ruleset *rs;
758 struct pf_rule *rule;
760 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
762 rs = pf_find_or_create_ruleset(anchor);
765 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
766 pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule);
767 rs->rules[rs_num].inactive.rcount--;
769 *ticket = ++rs->rules[rs_num].inactive.ticket;
770 rs->rules[rs_num].inactive.open = 1;
775 pf_rollback_rules(u_int32_t ticket, int rs_num, char *anchor)
777 struct pf_ruleset *rs;
778 struct pf_rule *rule;
780 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
782 rs = pf_find_ruleset(anchor);
783 if (rs == NULL || !rs->rules[rs_num].inactive.open ||
784 rs->rules[rs_num].inactive.ticket != ticket)
786 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
787 pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule);
788 rs->rules[rs_num].inactive.rcount--;
790 rs->rules[rs_num].inactive.open = 0;
794 #define PF_MD5_UPD(st, elm) \
795 MD5Update(ctx, (u_int8_t *) &(st)->elm, sizeof((st)->elm))
797 #define PF_MD5_UPD_STR(st, elm) \
798 MD5Update(ctx, (u_int8_t *) (st)->elm, strlen((st)->elm))
800 #define PF_MD5_UPD_HTONL(st, elm, stor) do { \
801 (stor) = htonl((st)->elm); \
802 MD5Update(ctx, (u_int8_t *) &(stor), sizeof(u_int32_t));\
805 #define PF_MD5_UPD_HTONS(st, elm, stor) do { \
806 (stor) = htons((st)->elm); \
807 MD5Update(ctx, (u_int8_t *) &(stor), sizeof(u_int16_t));\
811 pf_hash_rule_addr(MD5_CTX *ctx, struct pf_rule_addr *pfr)
813 PF_MD5_UPD(pfr, addr.type);
814 switch (pfr->addr.type) {
815 case PF_ADDR_DYNIFTL:
816 PF_MD5_UPD(pfr, addr.v.ifname);
817 PF_MD5_UPD(pfr, addr.iflags);
820 PF_MD5_UPD(pfr, addr.v.tblname);
822 case PF_ADDR_ADDRMASK:
824 PF_MD5_UPD(pfr, addr.v.a.addr.addr32);
825 PF_MD5_UPD(pfr, addr.v.a.mask.addr32);
827 case PF_ADDR_RTLABEL:
828 PF_MD5_UPD(pfr, addr.v.rtlabelname);
832 PF_MD5_UPD(pfr, port[0]);
833 PF_MD5_UPD(pfr, port[1]);
834 PF_MD5_UPD(pfr, neg);
835 PF_MD5_UPD(pfr, port_op);
839 pf_hash_rule(MD5_CTX *ctx, struct pf_rule *rule)
844 pf_hash_rule_addr(ctx, &rule->src);
845 pf_hash_rule_addr(ctx, &rule->dst);
846 PF_MD5_UPD_STR(rule, label);
847 PF_MD5_UPD_STR(rule, ifname);
848 PF_MD5_UPD_STR(rule, match_tagname);
849 PF_MD5_UPD_HTONS(rule, match_tag, x); /* dup? */
850 PF_MD5_UPD_HTONL(rule, os_fingerprint, y);
851 PF_MD5_UPD_HTONL(rule, prob, y);
852 PF_MD5_UPD_HTONL(rule, uid.uid[0], y);
853 PF_MD5_UPD_HTONL(rule, uid.uid[1], y);
854 PF_MD5_UPD(rule, uid.op);
855 PF_MD5_UPD_HTONL(rule, gid.gid[0], y);
856 PF_MD5_UPD_HTONL(rule, gid.gid[1], y);
857 PF_MD5_UPD(rule, gid.op);
858 PF_MD5_UPD_HTONL(rule, rule_flag, y);
859 PF_MD5_UPD(rule, action);
860 PF_MD5_UPD(rule, direction);
861 PF_MD5_UPD(rule, af);
862 PF_MD5_UPD(rule, quick);
863 PF_MD5_UPD(rule, ifnot);
864 PF_MD5_UPD(rule, match_tag_not);
865 PF_MD5_UPD(rule, natpass);
866 PF_MD5_UPD(rule, keep_state);
867 PF_MD5_UPD(rule, proto);
868 PF_MD5_UPD(rule, type);
869 PF_MD5_UPD(rule, code);
870 PF_MD5_UPD(rule, flags);
871 PF_MD5_UPD(rule, flagset);
872 PF_MD5_UPD(rule, allow_opts);
873 PF_MD5_UPD(rule, rt);
874 PF_MD5_UPD(rule, tos);
878 pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor)
880 struct pf_ruleset *rs;
881 struct pf_rule *rule, **old_array;
882 struct pf_rulequeue *old_rules;
884 u_int32_t old_rcount;
886 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
888 rs = pf_find_ruleset(anchor);
889 if (rs == NULL || !rs->rules[rs_num].inactive.open ||
890 ticket != rs->rules[rs_num].inactive.ticket)
893 /* Calculate checksum for the main ruleset */
894 if (rs == &pf_main_ruleset) {
895 error = pf_setup_pfsync_matching(rs);
900 /* Swap rules, keep the old. */
902 old_rules = rs->rules[rs_num].active.ptr;
903 old_rcount = rs->rules[rs_num].active.rcount;
904 old_array = rs->rules[rs_num].active.ptr_array;
906 rs->rules[rs_num].active.ptr =
907 rs->rules[rs_num].inactive.ptr;
908 rs->rules[rs_num].active.ptr_array =
909 rs->rules[rs_num].inactive.ptr_array;
910 rs->rules[rs_num].active.rcount =
911 rs->rules[rs_num].inactive.rcount;
912 rs->rules[rs_num].inactive.ptr = old_rules;
913 rs->rules[rs_num].inactive.ptr_array = old_array;
914 rs->rules[rs_num].inactive.rcount = old_rcount;
916 rs->rules[rs_num].active.ticket =
917 rs->rules[rs_num].inactive.ticket;
918 pf_calc_skip_steps(rs->rules[rs_num].active.ptr);
921 /* Purge the old rule list. */
922 while ((rule = TAILQ_FIRST(old_rules)) != NULL)
923 pf_rm_rule(old_rules, rule);
924 if (rs->rules[rs_num].inactive.ptr_array)
925 kfree(rs->rules[rs_num].inactive.ptr_array, M_TEMP);
926 rs->rules[rs_num].inactive.ptr_array = NULL;
927 rs->rules[rs_num].inactive.rcount = 0;
928 rs->rules[rs_num].inactive.open = 0;
929 pf_remove_if_empty_ruleset(rs);
935 pf_setup_pfsync_matching(struct pf_ruleset *rs)
938 struct pf_rule *rule;
940 u_int8_t digest[PF_MD5_DIGEST_LENGTH];
943 for (rs_cnt = 0; rs_cnt < PF_RULESET_MAX; rs_cnt++) {
944 /* XXX PF_RULESET_SCRUB as well? */
945 if (rs_cnt == PF_RULESET_SCRUB)
948 if (rs->rules[rs_cnt].inactive.ptr_array)
949 kfree(rs->rules[rs_cnt].inactive.ptr_array, M_TEMP);
950 rs->rules[rs_cnt].inactive.ptr_array = NULL;
952 if (rs->rules[rs_cnt].inactive.rcount) {
953 rs->rules[rs_cnt].inactive.ptr_array =
954 kmalloc(sizeof(caddr_t) *
955 rs->rules[rs_cnt].inactive.rcount,
958 if (!rs->rules[rs_cnt].inactive.ptr_array)
962 TAILQ_FOREACH(rule, rs->rules[rs_cnt].inactive.ptr,
964 pf_hash_rule(&ctx, rule);
965 (rs->rules[rs_cnt].inactive.ptr_array)[rule->nr] = rule;
969 MD5Final(digest, &ctx);
970 memcpy(pf_status.pf_chksum, digest, sizeof(pf_status.pf_chksum));
975 pfioctl(struct dev_ioctl_args *ap)
977 u_long cmd = ap->a_cmd;
978 caddr_t addr = ap->a_data;
979 struct pf_pooladdr *pa = NULL;
980 struct pf_pool *pool = NULL;
983 /* XXX keep in sync with switch() below */
991 case DIOCSETSTATUSIF:
998 case DIOCCLRRULECTRS:
1003 case DIOCGETRULESETS:
1004 case DIOCGETRULESET:
1005 case DIOCRGETTABLES:
1006 case DIOCRGETTSTATS:
1007 case DIOCRCLRTSTATS:
1013 case DIOCRGETASTATS:
1014 case DIOCRCLRASTATS:
1017 case DIOCGETSRCNODES:
1018 case DIOCCLRSRCNODES:
1019 case DIOCIGETIFACES:
1024 case DIOCRCLRTABLES:
1025 case DIOCRADDTABLES:
1026 case DIOCRDELTABLES:
1027 case DIOCRSETTFLAGS:
1028 if (((struct pfioc_table *)addr)->pfrio_flags &
1030 break; /* dummy operation ok */
1036 if (!(ap->a_fflag & FWRITE))
1044 case DIOCGETTIMEOUT:
1049 case DIOCGETRULESETS:
1050 case DIOCGETRULESET:
1052 case DIOCRGETTABLES:
1053 case DIOCRGETTSTATS:
1055 case DIOCRGETASTATS:
1058 case DIOCGETSRCNODES:
1059 case DIOCIGETIFACES:
1062 case DIOCRCLRTABLES:
1063 case DIOCRADDTABLES:
1064 case DIOCRDELTABLES:
1065 case DIOCRCLRTSTATS:
1070 case DIOCRSETTFLAGS:
1071 if (((struct pfioc_table *)addr)->pfrio_flags &
1073 break; /* dummy operation ok */
1076 if (((struct pfioc_rule *)addr)->action == PF_GET_CLR_CNTR)
1086 if (pf_status.running)
1091 DPFPRINTF(PF_DEBUG_MISC,
1092 ("pf: pfil registration fail\n"));
1095 pf_status.running = 1;
1096 pf_status.since = time_second;
1097 if (pf_status.stateid == 0) {
1098 pf_status.stateid = time_second;
1099 pf_status.stateid = pf_status.stateid << 32;
1101 DPFPRINTF(PF_DEBUG_MISC, ("pf: started\n"));
1106 if (!pf_status.running)
1109 pf_status.running = 0;
1110 error = dehook_pf();
1112 pf_status.running = 1;
1113 DPFPRINTF(PF_DEBUG_MISC,
1114 ("pf: pfil unregistration failed\n"));
1116 pf_status.since = time_second;
1117 DPFPRINTF(PF_DEBUG_MISC, ("pf: stopped\n"));
1122 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
1123 struct pf_ruleset *ruleset;
1124 struct pf_rule *rule, *tail;
1125 struct pf_pooladdr *pa;
1128 pr->anchor[sizeof(pr->anchor) - 1] = 0;
1129 ruleset = pf_find_ruleset(pr->anchor);
1130 if (ruleset == NULL) {
1134 rs_num = pf_get_ruleset_number(pr->rule.action);
1135 if (rs_num >= PF_RULESET_MAX) {
1139 if (pr->rule.return_icmp >> 8 > ICMP_MAXTYPE) {
1143 if (pr->ticket != ruleset->rules[rs_num].inactive.ticket) {
1147 if (pr->pool_ticket != ticket_pabuf) {
1151 rule = pool_get(&pf_rule_pl, PR_NOWAIT);
1156 bcopy(&pr->rule, rule, sizeof(struct pf_rule));
1157 rule->cuid = ap->a_cred->cr_ruid;
1158 rule->cpid = (int)NULL;
1159 rule->anchor = NULL;
1161 TAILQ_INIT(&rule->rpool.list);
1162 /* initialize refcounting */
1164 rule->src_nodes = 0;
1165 rule->entries.tqe_prev = NULL;
1167 if (rule->af == AF_INET) {
1168 pool_put(&pf_rule_pl, rule);
1169 error = EAFNOSUPPORT;
1174 if (rule->af == AF_INET6) {
1175 pool_put(&pf_rule_pl, rule);
1176 error = EAFNOSUPPORT;
1180 tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
1183 rule->nr = tail->nr + 1;
1186 if (rule->ifname[0]) {
1187 rule->kif = pfi_kif_get(rule->ifname);
1188 if (rule->kif == NULL) {
1189 pool_put(&pf_rule_pl, rule);
1193 pfi_kif_ref(rule->kif, PFI_KIF_REF_RULE);
1196 if (rule->rtableid > 0 && rule->rtableid > rt_numfibs)
1201 if (rule->qname[0] != 0) {
1202 if ((rule->qid = pf_qname2qid(rule->qname)) == 0)
1204 else if (rule->pqname[0] != 0) {
1206 pf_qname2qid(rule->pqname)) == 0)
1209 rule->pqid = rule->qid;
1212 if (rule->tagname[0])
1213 if ((rule->tag = pf_tagname2tag(rule->tagname)) == 0)
1215 if (rule->match_tagname[0])
1216 if ((rule->match_tag =
1217 pf_tagname2tag(rule->match_tagname)) == 0)
1219 if (rule->rt && !rule->direction)
1222 if (rule->logif >= PFLOGIFS_MAX)
1225 if (pf_rtlabel_add(&rule->src.addr) ||
1226 pf_rtlabel_add(&rule->dst.addr))
1228 if (pfi_dynaddr_setup(&rule->src.addr, rule->af))
1230 if (pfi_dynaddr_setup(&rule->dst.addr, rule->af))
1232 if (pf_tbladdr_setup(ruleset, &rule->src.addr))
1234 if (pf_tbladdr_setup(ruleset, &rule->dst.addr))
1236 if (pf_anchor_setup(rule, ruleset, pr->anchor_call))
1238 TAILQ_FOREACH(pa, &pf_pabuf, entries)
1239 if (pf_tbladdr_setup(ruleset, &pa->addr))
1242 if (rule->overload_tblname[0]) {
1243 if ((rule->overload_tbl = pfr_attach_table(ruleset,
1244 rule->overload_tblname)) == NULL)
1247 rule->overload_tbl->pfrkt_flags |=
1251 pf_mv_pool(&pf_pabuf, &rule->rpool.list);
1252 if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) ||
1253 (rule->action == PF_BINAT)) && rule->anchor == NULL) ||
1254 (rule->rt > PF_FASTROUTE)) &&
1255 (TAILQ_FIRST(&rule->rpool.list) == NULL))
1259 pf_rm_rule(NULL, rule);
1262 rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list);
1263 rule->evaluations = rule->packets[0] = rule->packets[1] =
1264 rule->bytes[0] = rule->bytes[1] = 0;
1265 TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr,
1267 ruleset->rules[rs_num].inactive.rcount++;
1271 case DIOCGETRULES: {
1272 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
1273 struct pf_ruleset *ruleset;
1274 struct pf_rule *tail;
1277 pr->anchor[sizeof(pr->anchor) - 1] = 0;
1278 ruleset = pf_find_ruleset(pr->anchor);
1279 if (ruleset == NULL) {
1283 rs_num = pf_get_ruleset_number(pr->rule.action);
1284 if (rs_num >= PF_RULESET_MAX) {
1288 tail = TAILQ_LAST(ruleset->rules[rs_num].active.ptr,
1291 pr->nr = tail->nr + 1;
1294 pr->ticket = ruleset->rules[rs_num].active.ticket;
1299 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
1300 struct pf_ruleset *ruleset;
1301 struct pf_rule *rule;
1304 pr->anchor[sizeof(pr->anchor) - 1] = 0;
1305 ruleset = pf_find_ruleset(pr->anchor);
1306 if (ruleset == NULL) {
1310 rs_num = pf_get_ruleset_number(pr->rule.action);
1311 if (rs_num >= PF_RULESET_MAX) {
1315 if (pr->ticket != ruleset->rules[rs_num].active.ticket) {
1319 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
1320 while ((rule != NULL) && (rule->nr != pr->nr))
1321 rule = TAILQ_NEXT(rule, entries);
1326 bcopy(rule, &pr->rule, sizeof(struct pf_rule));
1327 if (pf_anchor_copyout(ruleset, rule, pr)) {
1331 pfi_dynaddr_copyout(&pr->rule.src.addr);
1332 pfi_dynaddr_copyout(&pr->rule.dst.addr);
1333 pf_tbladdr_copyout(&pr->rule.src.addr);
1334 pf_tbladdr_copyout(&pr->rule.dst.addr);
1335 pf_rtlabel_copyout(&pr->rule.src.addr);
1336 pf_rtlabel_copyout(&pr->rule.dst.addr);
1337 for (i = 0; i < PF_SKIP_COUNT; ++i)
1338 if (rule->skip[i].ptr == NULL)
1339 pr->rule.skip[i].nr = (uint32_t)(-1);
1341 pr->rule.skip[i].nr =
1342 rule->skip[i].ptr->nr;
1344 if (pr->action == PF_GET_CLR_CNTR) {
1345 rule->evaluations = 0;
1346 rule->packets[0] = rule->packets[1] = 0;
1347 rule->bytes[0] = rule->bytes[1] = 0;
1352 case DIOCCHANGERULE: {
1353 struct pfioc_rule *pcr = (struct pfioc_rule *)addr;
1354 struct pf_ruleset *ruleset;
1355 struct pf_rule *oldrule = NULL, *newrule = NULL;
1359 if (!(pcr->action == PF_CHANGE_REMOVE ||
1360 pcr->action == PF_CHANGE_GET_TICKET) &&
1361 pcr->pool_ticket != ticket_pabuf) {
1366 if (pcr->action < PF_CHANGE_ADD_HEAD ||
1367 pcr->action > PF_CHANGE_GET_TICKET) {
1371 ruleset = pf_find_ruleset(pcr->anchor);
1372 if (ruleset == NULL) {
1376 rs_num = pf_get_ruleset_number(pcr->rule.action);
1377 if (rs_num >= PF_RULESET_MAX) {
1382 if (pcr->action == PF_CHANGE_GET_TICKET) {
1383 pcr->ticket = ++ruleset->rules[rs_num].active.ticket;
1387 ruleset->rules[rs_num].active.ticket) {
1391 if (pcr->rule.return_icmp >> 8 > ICMP_MAXTYPE) {
1397 if (pcr->action != PF_CHANGE_REMOVE) {
1398 newrule = pool_get(&pf_rule_pl, PR_NOWAIT);
1399 if (newrule == NULL) {
1403 bcopy(&pcr->rule, newrule, sizeof(struct pf_rule));
1404 newrule->cuid = ap->a_cred->cr_ruid;
1405 newrule->cpid = (int)NULL;
1406 TAILQ_INIT(&newrule->rpool.list);
1407 /* initialize refcounting */
1408 newrule->states = 0;
1409 newrule->entries.tqe_prev = NULL;
1411 if (newrule->af == AF_INET) {
1412 pool_put(&pf_rule_pl, newrule);
1413 error = EAFNOSUPPORT;
1418 if (newrule->af == AF_INET6) {
1419 pool_put(&pf_rule_pl, newrule);
1420 error = EAFNOSUPPORT;
1424 if (newrule->ifname[0]) {
1425 newrule->kif = pfi_kif_get(newrule->ifname);
1426 if (newrule->kif == NULL) {
1427 pool_put(&pf_rule_pl, newrule);
1431 pfi_kif_ref(newrule->kif, PFI_KIF_REF_RULE);
1433 newrule->kif = NULL;
1435 if (newrule->rtableid > 0 &&
1436 newrule->rtableid > rt_numfibs)
1441 if (newrule->qname[0] != 0) {
1443 pf_qname2qid(newrule->qname)) == 0)
1445 else if (newrule->pqname[0] != 0) {
1446 if ((newrule->pqid =
1447 pf_qname2qid(newrule->pqname)) == 0)
1450 newrule->pqid = newrule->qid;
1453 if (newrule->tagname[0])
1455 pf_tagname2tag(newrule->tagname)) == 0)
1457 if (newrule->match_tagname[0])
1458 if ((newrule->match_tag = pf_tagname2tag(
1459 newrule->match_tagname)) == 0)
1461 if (newrule->rt && !newrule->direction)
1463 if (pf_rtlabel_add(&newrule->src.addr) ||
1464 pf_rtlabel_add(&newrule->dst.addr))
1466 if (pfi_dynaddr_setup(&newrule->src.addr, newrule->af))
1468 if (pfi_dynaddr_setup(&newrule->dst.addr, newrule->af))
1470 if (pf_tbladdr_setup(ruleset, &newrule->src.addr))
1472 if (pf_tbladdr_setup(ruleset, &newrule->dst.addr))
1474 if (pf_anchor_setup(newrule, ruleset, pcr->anchor_call))
1476 TAILQ_FOREACH(pa, &pf_pabuf, entries)
1477 if (pf_tbladdr_setup(ruleset, &pa->addr))
1480 if (newrule->overload_tblname[0]) {
1481 if ((newrule->overload_tbl = pfr_attach_table(
1482 ruleset, newrule->overload_tblname)) ==
1486 newrule->overload_tbl->pfrkt_flags |=
1490 pf_mv_pool(&pf_pabuf, &newrule->rpool.list);
1491 if (((((newrule->action == PF_NAT) ||
1492 (newrule->action == PF_RDR) ||
1493 (newrule->action == PF_BINAT) ||
1494 (newrule->rt > PF_FASTROUTE)) &&
1495 !newrule->anchor)) &&
1496 (TAILQ_FIRST(&newrule->rpool.list) == NULL))
1500 pf_rm_rule(NULL, newrule);
1503 newrule->rpool.cur = TAILQ_FIRST(&newrule->rpool.list);
1504 newrule->evaluations = 0;
1505 newrule->packets[0] = newrule->packets[1] = 0;
1506 newrule->bytes[0] = newrule->bytes[1] = 0;
1508 pf_empty_pool(&pf_pabuf);
1510 if (pcr->action == PF_CHANGE_ADD_HEAD)
1511 oldrule = TAILQ_FIRST(
1512 ruleset->rules[rs_num].active.ptr);
1513 else if (pcr->action == PF_CHANGE_ADD_TAIL)
1514 oldrule = TAILQ_LAST(
1515 ruleset->rules[rs_num].active.ptr, pf_rulequeue);
1517 oldrule = TAILQ_FIRST(
1518 ruleset->rules[rs_num].active.ptr);
1519 while ((oldrule != NULL) && (oldrule->nr != pcr->nr))
1520 oldrule = TAILQ_NEXT(oldrule, entries);
1521 if (oldrule == NULL) {
1522 if (newrule != NULL)
1523 pf_rm_rule(NULL, newrule);
1529 if (pcr->action == PF_CHANGE_REMOVE) {
1530 pf_rm_rule(ruleset->rules[rs_num].active.ptr, oldrule);
1531 ruleset->rules[rs_num].active.rcount--;
1533 if (oldrule == NULL)
1535 ruleset->rules[rs_num].active.ptr,
1537 else if (pcr->action == PF_CHANGE_ADD_HEAD ||
1538 pcr->action == PF_CHANGE_ADD_BEFORE)
1539 TAILQ_INSERT_BEFORE(oldrule, newrule, entries);
1542 ruleset->rules[rs_num].active.ptr,
1543 oldrule, newrule, entries);
1544 ruleset->rules[rs_num].active.rcount++;
1548 TAILQ_FOREACH(oldrule,
1549 ruleset->rules[rs_num].active.ptr, entries)
1552 ruleset->rules[rs_num].active.ticket++;
1554 pf_calc_skip_steps(ruleset->rules[rs_num].active.ptr);
1555 pf_remove_if_empty_ruleset(ruleset);
1560 case DIOCCLRSTATES: {
1561 struct pf_state *state, *nexts;
1562 struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
1565 for (state = RB_MIN(pf_state_tree_id, &tree_id); state;
1567 nexts = RB_NEXT(pf_state_tree_id, &tree_id, state);
1569 if (!psk->psk_ifname[0] || !strcmp(psk->psk_ifname,
1570 state->u.s.kif->pfik_name)) {
1572 /* don't send out individual delete messages */
1573 state->sync_flags = PFSTATE_NOSYNC;
1575 pf_unlink_state(state);
1579 psk->psk_af = killed;
1581 pfsync_clear_states(pf_status.hostid, psk->psk_ifname);
1586 case DIOCKILLSTATES: {
1587 struct pf_state *state, *nexts;
1588 struct pf_state_host *src, *dst;
1589 struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
1592 for (state = RB_MIN(pf_state_tree_id, &tree_id); state;
1594 nexts = RB_NEXT(pf_state_tree_id, &tree_id, state);
1596 if (state->direction == PF_OUT) {
1603 if ((!psk->psk_af || state->af == psk->psk_af)
1604 && (!psk->psk_proto || psk->psk_proto ==
1606 PF_MATCHA(psk->psk_src.neg,
1607 &psk->psk_src.addr.v.a.addr,
1608 &psk->psk_src.addr.v.a.mask,
1609 &src->addr, state->af) &&
1610 PF_MATCHA(psk->psk_dst.neg,
1611 &psk->psk_dst.addr.v.a.addr,
1612 &psk->psk_dst.addr.v.a.mask,
1613 &dst->addr, state->af) &&
1614 (psk->psk_src.port_op == 0 ||
1615 pf_match_port(psk->psk_src.port_op,
1616 psk->psk_src.port[0], psk->psk_src.port[1],
1618 (psk->psk_dst.port_op == 0 ||
1619 pf_match_port(psk->psk_dst.port_op,
1620 psk->psk_dst.port[0], psk->psk_dst.port[1],
1622 (!psk->psk_ifname[0] || !strcmp(psk->psk_ifname,
1623 state->u.s.kif->pfik_name))) {
1625 /* send immediate delete of state */
1626 pfsync_delete_state(state);
1627 state->sync_flags |= PFSTATE_NOSYNC;
1629 pf_unlink_state(state);
1633 psk->psk_af = killed;
1637 case DIOCADDSTATE: {
1638 struct pfioc_state *ps = (struct pfioc_state *)addr;
1639 struct pf_state *state;
1640 struct pfi_kif *kif;
1642 if (ps->state.timeout >= PFTM_MAX &&
1643 ps->state.timeout != PFTM_UNTIL_PACKET) {
1647 state = pool_get(&pf_state_pl, PR_NOWAIT);
1648 if (state == NULL) {
1652 kif = pfi_kif_get(ps->state.u.ifname);
1654 pool_put(&pf_state_pl, state);
1658 bcopy(&ps->state, state, sizeof(struct pf_state));
1659 bzero(&state->u, sizeof(state->u));
1660 state->rule.ptr = &pf_default_rule;
1661 state->nat_rule.ptr = NULL;
1662 state->anchor.ptr = NULL;
1663 state->rt_kif = NULL;
1664 state->creation = time_second;
1665 state->pfsync_time = 0;
1666 state->packets[0] = state->packets[1] = 0;
1667 state->bytes[0] = state->bytes[1] = 0;
1668 state->hash = pf_state_hash(state);
1670 if (pf_insert_state(kif, state)) {
1671 pfi_kif_unref(kif, PFI_KIF_REF_NONE);
1672 pool_put(&pf_state_pl, state);
1678 case DIOCGETSTATE: {
1679 struct pfioc_state *ps = (struct pfioc_state *)addr;
1680 struct pf_state *state;
1685 RB_FOREACH(state, pf_state_tree_id, &tree_id) {
1690 if (state == NULL) {
1695 bcopy(state, &ps->state, sizeof(ps->state));
1696 strlcpy(ps->state.u.ifname, state->u.s.kif->pfik_name,
1697 sizeof(ps->state.u.ifname));
1698 ps->state.rule.nr = state->rule.ptr->nr;
1699 ps->state.nat_rule.nr = (state->nat_rule.ptr == NULL) ?
1700 (uint32_t)(-1) : state->nat_rule.ptr->nr;
1701 ps->state.anchor.nr = (state->anchor.ptr == NULL) ?
1702 -1 : state->anchor.ptr->nr;
1703 ps->state.creation = secs - ps->state.creation;
1704 ps->state.expire = pf_state_expires(state);
1705 if (ps->state.expire > secs)
1706 ps->state.expire -= secs;
1708 ps->state.expire = 0;
1712 case DIOCGETSTATES: {
1713 struct pfioc_states *ps = (struct pfioc_states *)addr;
1714 struct pf_state *state;
1715 struct pf_state *p, *pstore;
1717 int space = ps->ps_len;
1720 nr = pf_status.states;
1721 ps->ps_len = sizeof(struct pf_state) * nr;
1725 pstore = kmalloc(sizeof(*pstore), M_TEMP, M_WAITOK);
1729 state = TAILQ_FIRST(&state_list);
1731 if (state->timeout != PFTM_UNLINKED) {
1732 int secs = time_second;
1734 if ((nr+1) * sizeof(*p) > (unsigned)ps->ps_len)
1737 bcopy(state, pstore, sizeof(*pstore));
1738 strlcpy(pstore->u.ifname,
1739 state->u.s.kif->pfik_name,
1740 sizeof(pstore->u.ifname));
1741 pstore->rule.nr = state->rule.ptr->nr;
1742 pstore->nat_rule.nr = (state->nat_rule.ptr ==
1743 NULL) ? -1 : state->nat_rule.ptr->nr;
1744 pstore->anchor.nr = (state->anchor.ptr ==
1745 NULL) ? -1 : state->anchor.ptr->nr;
1746 pstore->creation = secs - pstore->creation;
1747 pstore->expire = pf_state_expires(state);
1748 if (pstore->expire > secs)
1749 pstore->expire -= secs;
1752 error = copyout(pstore, p, sizeof(*p));
1754 kfree(pstore, M_TEMP);
1760 state = TAILQ_NEXT(state, u.s.entry_list);
1763 ps->ps_len = sizeof(struct pf_state) * nr;
1765 kfree(pstore, M_TEMP);
1769 case DIOCGETSTATUS: {
1770 struct pf_status *s = (struct pf_status *)addr;
1771 bcopy(&pf_status, s, sizeof(struct pf_status));
1772 pfi_fill_oldstatus(s);
1776 case DIOCSETSTATUSIF: {
1777 struct pfioc_if *pi = (struct pfioc_if *)addr;
1779 if (pi->ifname[0] == 0) {
1780 bzero(pf_status.ifname, IFNAMSIZ);
1783 if (ifunit(pi->ifname) == NULL) {
1787 strlcpy(pf_status.ifname, pi->ifname, IFNAMSIZ);
1791 case DIOCCLRSTATUS: {
1792 bzero(pf_status.counters, sizeof(pf_status.counters));
1793 bzero(pf_status.fcounters, sizeof(pf_status.fcounters));
1794 bzero(pf_status.scounters, sizeof(pf_status.scounters));
1795 pf_status.since = time_second;
1796 if (*pf_status.ifname)
1797 pfi_clr_istats(pf_status.ifname);
1802 struct pfioc_natlook *pnl = (struct pfioc_natlook *)addr;
1803 struct pf_state *state;
1804 struct pf_state_cmp key;
1805 int m = 0, direction = pnl->direction;
1808 key.proto = pnl->proto;
1811 PF_AZERO(&pnl->saddr, pnl->af) ||
1812 PF_AZERO(&pnl->daddr, pnl->af) ||
1813 ((pnl->proto == IPPROTO_TCP ||
1814 pnl->proto == IPPROTO_UDP) &&
1815 (!pnl->dport || !pnl->sport)))
1819 * userland gives us source and dest of connection,
1820 * reverse the lookup so we ask for what happens with
1821 * the return traffic, enabling us to find it in the
1824 if (direction == PF_IN) {
1825 PF_ACPY(&key.ext.addr, &pnl->daddr, pnl->af);
1826 key.ext.port = pnl->dport;
1827 PF_ACPY(&key.gwy.addr, &pnl->saddr, pnl->af);
1828 key.gwy.port = pnl->sport;
1829 state = pf_find_state_all(&key, PF_EXT_GWY, &m);
1831 PF_ACPY(&key.lan.addr, &pnl->daddr, pnl->af);
1832 key.lan.port = pnl->dport;
1833 PF_ACPY(&key.ext.addr, &pnl->saddr, pnl->af);
1834 key.ext.port = pnl->sport;
1835 state = pf_find_state_all(&key, PF_LAN_EXT, &m);
1838 error = E2BIG; /* more than one state */
1839 else if (state != NULL) {
1840 if (direction == PF_IN) {
1841 PF_ACPY(&pnl->rsaddr, &state->lan.addr,
1843 pnl->rsport = state->lan.port;
1844 PF_ACPY(&pnl->rdaddr, &pnl->daddr,
1846 pnl->rdport = pnl->dport;
1848 PF_ACPY(&pnl->rdaddr, &state->gwy.addr,
1850 pnl->rdport = state->gwy.port;
1851 PF_ACPY(&pnl->rsaddr, &pnl->saddr,
1853 pnl->rsport = pnl->sport;
1861 case DIOCSETTIMEOUT: {
1862 struct pfioc_tm *pt = (struct pfioc_tm *)addr;
1865 if (pt->timeout < 0 || pt->timeout >= PFTM_MAX ||
1870 old = pf_default_rule.timeout[pt->timeout];
1871 if (pt->timeout == PFTM_INTERVAL && pt->seconds == 0)
1873 pf_default_rule.timeout[pt->timeout] = pt->seconds;
1874 if (pt->timeout == PFTM_INTERVAL && pt->seconds < old)
1875 wakeup(pf_purge_thread);
1880 case DIOCGETTIMEOUT: {
1881 struct pfioc_tm *pt = (struct pfioc_tm *)addr;
1883 if (pt->timeout < 0 || pt->timeout >= PFTM_MAX) {
1887 pt->seconds = pf_default_rule.timeout[pt->timeout];
1891 case DIOCGETLIMIT: {
1892 struct pfioc_limit *pl = (struct pfioc_limit *)addr;
1894 if (pl->index < 0 || pl->index >= PF_LIMIT_MAX) {
1898 pl->limit = pf_pool_limits[pl->index].limit;
1902 case DIOCSETLIMIT: {
1903 struct pfioc_limit *pl = (struct pfioc_limit *)addr;
1906 if (pl->index < 0 || pl->index >= PF_LIMIT_MAX ||
1907 pf_pool_limits[pl->index].pp == NULL) {
1912 /* XXX Get an API to set limits on the zone/pool */
1913 old_limit = pf_pool_limits[pl->index].limit;
1914 pf_pool_limits[pl->index].limit = pl->limit;
1915 pl->limit = old_limit;
1919 case DIOCSETDEBUG: {
1920 u_int32_t *level = (u_int32_t *)addr;
1922 pf_status.debug = *level;
1926 case DIOCCLRRULECTRS: {
1927 /* obsoleted by DIOCGETRULE with action=PF_GET_CLR_CNTR */
1928 struct pf_ruleset *ruleset = &pf_main_ruleset;
1929 struct pf_rule *rule;
1932 ruleset->rules[PF_RULESET_FILTER].active.ptr, entries) {
1933 rule->evaluations = 0;
1934 rule->packets[0] = rule->packets[1] = 0;
1935 rule->bytes[0] = rule->bytes[1] = 0;
1940 case DIOCGIFSPEED: {
1941 struct pf_ifspeed *psp = (struct pf_ifspeed *)addr;
1942 struct pf_ifspeed ps;
1945 if (psp->ifname[0] != 0) {
1946 /* Can we completely trust user-land? */
1947 strlcpy(ps.ifname, psp->ifname, IFNAMSIZ);
1948 ifp = ifunit(ps.ifname);
1950 psp->baudrate = ifp->if_baudrate;
1958 case DIOCSTARTALTQ: {
1959 struct pf_altq *altq;
1961 /* enable all altq interfaces on active list */
1962 TAILQ_FOREACH(altq, pf_altqs_active, entries) {
1963 if (altq->qname[0] == 0) {
1964 error = pf_enable_altq(altq);
1970 pf_altq_running = 1;
1971 DPFPRINTF(PF_DEBUG_MISC, ("altq: started\n"));
1975 case DIOCSTOPALTQ: {
1976 struct pf_altq *altq;
1978 /* disable all altq interfaces on active list */
1979 TAILQ_FOREACH(altq, pf_altqs_active, entries) {
1980 if (altq->qname[0] == 0) {
1981 error = pf_disable_altq(altq);
1987 pf_altq_running = 0;
1988 DPFPRINTF(PF_DEBUG_MISC, ("altq: stopped\n"));
1993 struct pfioc_altq *pa = (struct pfioc_altq *)addr;
1994 struct pf_altq *altq, *a;
1996 if (pa->ticket != ticket_altqs_inactive) {
2000 altq = pool_get(&pf_altq_pl, PR_NOWAIT);
2005 bcopy(&pa->altq, altq, sizeof(struct pf_altq));
2008 * if this is for a queue, find the discipline and
2009 * copy the necessary fields
2011 if (altq->qname[0] != 0) {
2012 if ((altq->qid = pf_qname2qid(altq->qname)) == 0) {
2014 pool_put(&pf_altq_pl, altq);
2017 TAILQ_FOREACH(a, pf_altqs_inactive, entries) {
2018 if (strncmp(a->ifname, altq->ifname,
2019 IFNAMSIZ) == 0 && a->qname[0] == 0) {
2020 altq->altq_disc = a->altq_disc;
2026 error = altq_add(altq);
2028 pool_put(&pf_altq_pl, altq);
2032 TAILQ_INSERT_TAIL(pf_altqs_inactive, altq, entries);
2033 bcopy(altq, &pa->altq, sizeof(struct pf_altq));
2037 case DIOCGETALTQS: {
2038 struct pfioc_altq *pa = (struct pfioc_altq *)addr;
2039 struct pf_altq *altq;
2042 TAILQ_FOREACH(altq, pf_altqs_active, entries)
2044 pa->ticket = ticket_altqs_active;
2049 struct pfioc_altq *pa = (struct pfioc_altq *)addr;
2050 struct pf_altq *altq;
2053 if (pa->ticket != ticket_altqs_active) {
2058 altq = TAILQ_FIRST(pf_altqs_active);
2059 while ((altq != NULL) && (nr < pa->nr)) {
2060 altq = TAILQ_NEXT(altq, entries);
2067 bcopy(altq, &pa->altq, sizeof(struct pf_altq));
2071 case DIOCCHANGEALTQ:
2072 /* CHANGEALTQ not supported yet! */
2076 case DIOCGETQSTATS: {
2077 struct pfioc_qstats *pq = (struct pfioc_qstats *)addr;
2078 struct pf_altq *altq;
2082 if (pq->ticket != ticket_altqs_active) {
2086 nbytes = pq->nbytes;
2088 altq = TAILQ_FIRST(pf_altqs_active);
2089 while ((altq != NULL) && (nr < pq->nr)) {
2090 altq = TAILQ_NEXT(altq, entries);
2097 error = altq_getqstats(altq, pq->buf, &nbytes);
2099 pq->scheduler = altq->scheduler;
2100 pq->nbytes = nbytes;
2106 case DIOCBEGINADDRS: {
2107 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
2109 pf_empty_pool(&pf_pabuf);
2110 pp->ticket = ++ticket_pabuf;
2115 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
2117 if (pp->ticket != ticket_pabuf) {
2122 if (pp->af == AF_INET) {
2123 error = EAFNOSUPPORT;
2128 if (pp->af == AF_INET6) {
2129 error = EAFNOSUPPORT;
2133 if (pp->addr.addr.type != PF_ADDR_ADDRMASK &&
2134 pp->addr.addr.type != PF_ADDR_DYNIFTL &&
2135 pp->addr.addr.type != PF_ADDR_TABLE) {
2139 pa = pool_get(&pf_pooladdr_pl, PR_NOWAIT);
2144 bcopy(&pp->addr, pa, sizeof(struct pf_pooladdr));
2145 if (pa->ifname[0]) {
2146 pa->kif = pfi_kif_get(pa->ifname);
2147 if (pa->kif == NULL) {
2148 pool_put(&pf_pooladdr_pl, pa);
2152 pfi_kif_ref(pa->kif, PFI_KIF_REF_RULE);
2154 if (pfi_dynaddr_setup(&pa->addr, pp->af)) {
2155 pfi_dynaddr_remove(&pa->addr);
2156 pfi_kif_unref(pa->kif, PFI_KIF_REF_RULE);
2157 pool_put(&pf_pooladdr_pl, pa);
2161 TAILQ_INSERT_TAIL(&pf_pabuf, pa, entries);
2165 case DIOCGETADDRS: {
2166 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
2169 pool = pf_get_pool(pp->anchor, pp->ticket, pp->r_action,
2170 pp->r_num, 0, 1, 0);
2175 TAILQ_FOREACH(pa, &pool->list, entries)
2181 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
2184 pool = pf_get_pool(pp->anchor, pp->ticket, pp->r_action,
2185 pp->r_num, 0, 1, 1);
2190 pa = TAILQ_FIRST(&pool->list);
2191 while ((pa != NULL) && (nr < pp->nr)) {
2192 pa = TAILQ_NEXT(pa, entries);
2199 bcopy(pa, &pp->addr, sizeof(struct pf_pooladdr));
2200 pfi_dynaddr_copyout(&pp->addr.addr);
2201 pf_tbladdr_copyout(&pp->addr.addr);
2202 pf_rtlabel_copyout(&pp->addr.addr);
2206 case DIOCCHANGEADDR: {
2207 struct pfioc_pooladdr *pca = (struct pfioc_pooladdr *)addr;
2208 struct pf_pooladdr *oldpa = NULL, *newpa = NULL;
2209 struct pf_ruleset *ruleset;
2211 if (pca->action < PF_CHANGE_ADD_HEAD ||
2212 pca->action > PF_CHANGE_REMOVE) {
2216 if (pca->addr.addr.type != PF_ADDR_ADDRMASK &&
2217 pca->addr.addr.type != PF_ADDR_DYNIFTL &&
2218 pca->addr.addr.type != PF_ADDR_TABLE) {
2223 ruleset = pf_find_ruleset(pca->anchor);
2224 if (ruleset == NULL) {
2228 pool = pf_get_pool(pca->anchor, pca->ticket, pca->r_action,
2229 pca->r_num, pca->r_last, 1, 1);
2234 if (pca->action != PF_CHANGE_REMOVE) {
2235 newpa = pool_get(&pf_pooladdr_pl, PR_NOWAIT);
2236 if (newpa == NULL) {
2240 bcopy(&pca->addr, newpa, sizeof(struct pf_pooladdr));
2242 if (pca->af == AF_INET) {
2243 pool_put(&pf_pooladdr_pl, newpa);
2244 error = EAFNOSUPPORT;
2249 if (pca->af == AF_INET6) {
2250 pool_put(&pf_pooladdr_pl, newpa);
2251 error = EAFNOSUPPORT;
2255 if (newpa->ifname[0]) {
2256 newpa->kif = pfi_kif_get(newpa->ifname);
2257 if (newpa->kif == NULL) {
2258 pool_put(&pf_pooladdr_pl, newpa);
2262 pfi_kif_ref(newpa->kif, PFI_KIF_REF_RULE);
2265 if (pfi_dynaddr_setup(&newpa->addr, pca->af) ||
2266 pf_tbladdr_setup(ruleset, &newpa->addr)) {
2267 pfi_dynaddr_remove(&newpa->addr);
2268 pfi_kif_unref(newpa->kif, PFI_KIF_REF_RULE);
2269 pool_put(&pf_pooladdr_pl, newpa);
2275 if (pca->action == PF_CHANGE_ADD_HEAD)
2276 oldpa = TAILQ_FIRST(&pool->list);
2277 else if (pca->action == PF_CHANGE_ADD_TAIL)
2278 oldpa = TAILQ_LAST(&pool->list, pf_palist);
2282 oldpa = TAILQ_FIRST(&pool->list);
2283 while ((oldpa != NULL) && (i < pca->nr)) {
2284 oldpa = TAILQ_NEXT(oldpa, entries);
2287 if (oldpa == NULL) {
2293 if (pca->action == PF_CHANGE_REMOVE) {
2294 TAILQ_REMOVE(&pool->list, oldpa, entries);
2295 pfi_dynaddr_remove(&oldpa->addr);
2296 pf_tbladdr_remove(&oldpa->addr);
2297 pfi_kif_unref(oldpa->kif, PFI_KIF_REF_RULE);
2298 pool_put(&pf_pooladdr_pl, oldpa);
2301 TAILQ_INSERT_TAIL(&pool->list, newpa, entries);
2302 else if (pca->action == PF_CHANGE_ADD_HEAD ||
2303 pca->action == PF_CHANGE_ADD_BEFORE)
2304 TAILQ_INSERT_BEFORE(oldpa, newpa, entries);
2306 TAILQ_INSERT_AFTER(&pool->list, oldpa,
2310 pool->cur = TAILQ_FIRST(&pool->list);
2311 PF_ACPY(&pool->counter, &pool->cur->addr.v.a.addr,
2316 case DIOCGETRULESETS: {
2317 struct pfioc_ruleset *pr = (struct pfioc_ruleset *)addr;
2318 struct pf_ruleset *ruleset;
2319 struct pf_anchor *anchor;
2321 pr->path[sizeof(pr->path) - 1] = 0;
2322 if ((ruleset = pf_find_ruleset(pr->path)) == NULL) {
2327 if (ruleset->anchor == NULL) {
2328 /* XXX kludge for pf_main_ruleset */
2329 RB_FOREACH(anchor, pf_anchor_global, &pf_anchors)
2330 if (anchor->parent == NULL)
2333 RB_FOREACH(anchor, pf_anchor_node,
2334 &ruleset->anchor->children)
2340 case DIOCGETRULESET: {
2341 struct pfioc_ruleset *pr = (struct pfioc_ruleset *)addr;
2342 struct pf_ruleset *ruleset;
2343 struct pf_anchor *anchor;
2346 pr->path[sizeof(pr->path) - 1] = 0;
2347 if ((ruleset = pf_find_ruleset(pr->path)) == NULL) {
2352 if (ruleset->anchor == NULL) {
2353 /* XXX kludge for pf_main_ruleset */
2354 RB_FOREACH(anchor, pf_anchor_global, &pf_anchors)
2355 if (anchor->parent == NULL && nr++ == pr->nr) {
2356 strlcpy(pr->name, anchor->name,
2361 RB_FOREACH(anchor, pf_anchor_node,
2362 &ruleset->anchor->children)
2363 if (nr++ == pr->nr) {
2364 strlcpy(pr->name, anchor->name,
2374 case DIOCRCLRTABLES: {
2375 struct pfioc_table *io = (struct pfioc_table *)addr;
2377 if (io->pfrio_esize != 0) {
2381 error = pfr_clr_tables(&io->pfrio_table, &io->pfrio_ndel,
2382 io->pfrio_flags | PFR_FLAG_USERIOCTL);
2386 case DIOCRADDTABLES: {
2387 struct pfioc_table *io = (struct pfioc_table *)addr;
2389 if (io->pfrio_esize != sizeof(struct pfr_table)) {
2393 error = pfr_add_tables(io->pfrio_buffer, io->pfrio_size,
2394 &io->pfrio_nadd, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2398 case DIOCRDELTABLES: {
2399 struct pfioc_table *io = (struct pfioc_table *)addr;
2401 if (io->pfrio_esize != sizeof(struct pfr_table)) {
2405 error = pfr_del_tables(io->pfrio_buffer, io->pfrio_size,
2406 &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2410 case DIOCRGETTABLES: {
2411 struct pfioc_table *io = (struct pfioc_table *)addr;
2413 if (io->pfrio_esize != sizeof(struct pfr_table)) {
2417 error = pfr_get_tables(&io->pfrio_table, io->pfrio_buffer,
2418 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2422 case DIOCRGETTSTATS: {
2423 struct pfioc_table *io = (struct pfioc_table *)addr;
2425 if (io->pfrio_esize != sizeof(struct pfr_tstats)) {
2429 error = pfr_get_tstats(&io->pfrio_table, io->pfrio_buffer,
2430 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2434 case DIOCRCLRTSTATS: {
2435 struct pfioc_table *io = (struct pfioc_table *)addr;
2437 if (io->pfrio_esize != sizeof(struct pfr_table)) {
2441 error = pfr_clr_tstats(io->pfrio_buffer, io->pfrio_size,
2442 &io->pfrio_nzero, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2446 case DIOCRSETTFLAGS: {
2447 struct pfioc_table *io = (struct pfioc_table *)addr;
2449 if (io->pfrio_esize != sizeof(struct pfr_table)) {
2453 error = pfr_set_tflags(io->pfrio_buffer, io->pfrio_size,
2454 io->pfrio_setflag, io->pfrio_clrflag, &io->pfrio_nchange,
2455 &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2459 case DIOCRCLRADDRS: {
2460 struct pfioc_table *io = (struct pfioc_table *)addr;
2462 if (io->pfrio_esize != 0) {
2466 error = pfr_clr_addrs(&io->pfrio_table, &io->pfrio_ndel,
2467 io->pfrio_flags | PFR_FLAG_USERIOCTL);
2471 case DIOCRADDADDRS: {
2472 struct pfioc_table *io = (struct pfioc_table *)addr;
2474 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2478 error = pfr_add_addrs(&io->pfrio_table, io->pfrio_buffer,
2479 io->pfrio_size, &io->pfrio_nadd, io->pfrio_flags |
2480 PFR_FLAG_USERIOCTL);
2484 case DIOCRDELADDRS: {
2485 struct pfioc_table *io = (struct pfioc_table *)addr;
2487 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2491 error = pfr_del_addrs(&io->pfrio_table, io->pfrio_buffer,
2492 io->pfrio_size, &io->pfrio_ndel, io->pfrio_flags |
2493 PFR_FLAG_USERIOCTL);
2497 case DIOCRSETADDRS: {
2498 struct pfioc_table *io = (struct pfioc_table *)addr;
2500 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2504 error = pfr_set_addrs(&io->pfrio_table, io->pfrio_buffer,
2505 io->pfrio_size, &io->pfrio_size2, &io->pfrio_nadd,
2506 &io->pfrio_ndel, &io->pfrio_nchange, io->pfrio_flags |
2507 PFR_FLAG_USERIOCTL, 0);
2511 case DIOCRGETADDRS: {
2512 struct pfioc_table *io = (struct pfioc_table *)addr;
2514 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2518 error = pfr_get_addrs(&io->pfrio_table, io->pfrio_buffer,
2519 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2523 case DIOCRGETASTATS: {
2524 struct pfioc_table *io = (struct pfioc_table *)addr;
2526 if (io->pfrio_esize != sizeof(struct pfr_astats)) {
2530 error = pfr_get_astats(&io->pfrio_table, io->pfrio_buffer,
2531 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2535 case DIOCRCLRASTATS: {
2536 struct pfioc_table *io = (struct pfioc_table *)addr;
2538 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2542 error = pfr_clr_astats(&io->pfrio_table, io->pfrio_buffer,
2543 io->pfrio_size, &io->pfrio_nzero, io->pfrio_flags |
2544 PFR_FLAG_USERIOCTL);
2548 case DIOCRTSTADDRS: {
2549 struct pfioc_table *io = (struct pfioc_table *)addr;
2551 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2555 error = pfr_tst_addrs(&io->pfrio_table, io->pfrio_buffer,
2556 io->pfrio_size, &io->pfrio_nmatch, io->pfrio_flags |
2557 PFR_FLAG_USERIOCTL);
2561 case DIOCRINADEFINE: {
2562 struct pfioc_table *io = (struct pfioc_table *)addr;
2564 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
2568 error = pfr_ina_define(&io->pfrio_table, io->pfrio_buffer,
2569 io->pfrio_size, &io->pfrio_nadd, &io->pfrio_naddr,
2570 io->pfrio_ticket, io->pfrio_flags | PFR_FLAG_USERIOCTL);
2575 struct pf_osfp_ioctl *io = (struct pf_osfp_ioctl *)addr;
2576 error = pf_osfp_add(io);
2581 struct pf_osfp_ioctl *io = (struct pf_osfp_ioctl *)addr;
2582 error = pf_osfp_get(io);
2587 struct pfioc_trans *io = (struct pfioc_trans *)addr;
2588 struct pfioc_trans_e *ioe;
2589 struct pfr_table *table;
2592 if (io->esize != sizeof(*ioe)) {
2596 ioe = (struct pfioc_trans_e *)kmalloc(sizeof(*ioe),
2598 table = (struct pfr_table *)kmalloc(sizeof(*table),
2600 for (i = 0; i < io->size; i++) {
2601 if (copyin(io->array+i, ioe, sizeof(*ioe))) {
2602 kfree(table, M_TEMP);
2607 switch (ioe->rs_num) {
2609 case PF_RULESET_ALTQ:
2610 if (ioe->anchor[0]) {
2611 kfree(table, M_TEMP);
2616 if ((error = pf_begin_altq(&ioe->ticket))) {
2617 kfree(table, M_TEMP);
2623 case PF_RULESET_TABLE:
2624 bzero(table, sizeof(*table));
2625 strlcpy(table->pfrt_anchor, ioe->anchor,
2626 sizeof(table->pfrt_anchor));
2627 if ((error = pfr_ina_begin(table,
2628 &ioe->ticket, NULL, 0))) {
2629 kfree(table, M_TEMP);
2635 if ((error = pf_begin_rules(&ioe->ticket,
2636 ioe->rs_num, ioe->anchor))) {
2637 kfree(table, M_TEMP);
2643 if (copyout(ioe, io->array+i, sizeof(io->array[i]))) {
2644 kfree(table, M_TEMP);
2650 kfree(table, M_TEMP);
2655 case DIOCXROLLBACK: {
2656 struct pfioc_trans *io = (struct pfioc_trans *)addr;
2657 struct pfioc_trans_e *ioe;
2658 struct pfr_table *table;
2661 if (io->esize != sizeof(*ioe)) {
2665 ioe = (struct pfioc_trans_e *)kmalloc(sizeof(*ioe),
2667 table = (struct pfr_table *)kmalloc(sizeof(*table),
2669 for (i = 0; i < io->size; i++) {
2670 if (copyin(io->array+i, ioe, sizeof(*ioe))) {
2671 kfree(table, M_TEMP);
2676 switch (ioe->rs_num) {
2678 case PF_RULESET_ALTQ:
2679 if (ioe->anchor[0]) {
2680 kfree(table, M_TEMP);
2685 if ((error = pf_rollback_altq(ioe->ticket))) {
2686 kfree(table, M_TEMP);
2688 goto fail; /* really bad */
2692 case PF_RULESET_TABLE:
2693 bzero(table, sizeof(*table));
2694 strlcpy(table->pfrt_anchor, ioe->anchor,
2695 sizeof(table->pfrt_anchor));
2696 if ((error = pfr_ina_rollback(table,
2697 ioe->ticket, NULL, 0))) {
2698 kfree(table, M_TEMP);
2700 goto fail; /* really bad */
2704 if ((error = pf_rollback_rules(ioe->ticket,
2705 ioe->rs_num, ioe->anchor))) {
2706 kfree(table, M_TEMP);
2708 goto fail; /* really bad */
2713 kfree(table, M_TEMP);
2719 struct pfioc_trans *io = (struct pfioc_trans *)addr;
2720 struct pfioc_trans_e *ioe;
2721 struct pfr_table *table;
2722 struct pf_ruleset *rs;
2725 if (io->esize != sizeof(*ioe)) {
2729 ioe = (struct pfioc_trans_e *)kmalloc(sizeof(*ioe),
2731 table = (struct pfr_table *)kmalloc(sizeof(*table),
2733 /* first makes sure everything will succeed */
2734 for (i = 0; i < io->size; i++) {
2735 if (copyin(io->array+i, ioe, sizeof(*ioe))) {
2736 kfree(table, M_TEMP);
2741 switch (ioe->rs_num) {
2743 case PF_RULESET_ALTQ:
2744 if (ioe->anchor[0]) {
2745 kfree(table, M_TEMP);
2750 if (!altqs_inactive_open || ioe->ticket !=
2751 ticket_altqs_inactive) {
2752 kfree(table, M_TEMP);
2759 case PF_RULESET_TABLE:
2760 rs = pf_find_ruleset(ioe->anchor);
2761 if (rs == NULL || !rs->topen || ioe->ticket !=
2763 kfree(table, M_TEMP);
2770 if (ioe->rs_num < 0 || ioe->rs_num >=
2772 kfree(table, M_TEMP);
2777 rs = pf_find_ruleset(ioe->anchor);
2779 !rs->rules[ioe->rs_num].inactive.open ||
2780 rs->rules[ioe->rs_num].inactive.ticket !=
2782 kfree(table, M_TEMP);
2790 /* now do the commit - no errors should happen here */
2791 for (i = 0; i < io->size; i++) {
2792 if (copyin(io->array+i, ioe, sizeof(*ioe))) {
2793 kfree(table, M_TEMP);
2798 switch (ioe->rs_num) {
2800 case PF_RULESET_ALTQ:
2801 if ((error = pf_commit_altq(ioe->ticket))) {
2802 kfree(table, M_TEMP);
2804 goto fail; /* really bad */
2808 case PF_RULESET_TABLE:
2809 bzero(table, sizeof(*table));
2810 strlcpy(table->pfrt_anchor, ioe->anchor,
2811 sizeof(table->pfrt_anchor));
2812 if ((error = pfr_ina_commit(table, ioe->ticket,
2814 kfree(table, M_TEMP);
2816 goto fail; /* really bad */
2820 if ((error = pf_commit_rules(ioe->ticket,
2821 ioe->rs_num, ioe->anchor))) {
2822 kfree(table, M_TEMP);
2824 goto fail; /* really bad */
2829 kfree(table, M_TEMP);
2834 case DIOCGETSRCNODES: {
2835 struct pfioc_src_nodes *psn = (struct pfioc_src_nodes *)addr;
2836 struct pf_src_node *n, *p, *pstore;
2838 int space = psn->psn_len;
2841 RB_FOREACH(n, pf_src_tree, &tree_src_tracking)
2843 psn->psn_len = sizeof(struct pf_src_node) * nr;
2847 pstore = kmalloc(sizeof(*pstore), M_TEMP, M_WAITOK);
2849 p = psn->psn_src_nodes;
2850 RB_FOREACH(n, pf_src_tree, &tree_src_tracking) {
2851 int secs = time_second, diff;
2853 if ((nr + 1) * sizeof(*p) > (unsigned)psn->psn_len)
2856 bcopy(n, pstore, sizeof(*pstore));
2857 if (n->rule.ptr != NULL)
2858 pstore->rule.nr = n->rule.ptr->nr;
2859 pstore->creation = secs - pstore->creation;
2860 if (pstore->expire > secs)
2861 pstore->expire -= secs;
2865 /* adjust the connection rate estimate */
2866 diff = secs - n->conn_rate.last;
2867 if (diff >= n->conn_rate.seconds)
2868 pstore->conn_rate.count = 0;
2870 pstore->conn_rate.count -=
2871 n->conn_rate.count * diff /
2872 n->conn_rate.seconds;
2874 error = copyout(pstore, p, sizeof(*p));
2876 kfree(pstore, M_TEMP);
2882 psn->psn_len = sizeof(struct pf_src_node) * nr;
2884 kfree(pstore, M_TEMP);
2888 case DIOCCLRSRCNODES: {
2889 struct pf_src_node *n;
2890 struct pf_state *state;
2892 RB_FOREACH(state, pf_state_tree_id, &tree_id) {
2893 state->src_node = NULL;
2894 state->nat_src_node = NULL;
2896 RB_FOREACH(n, pf_src_tree, &tree_src_tracking) {
2900 pf_purge_expired_src_nodes(1);
2901 pf_status.src_nodes = 0;
2905 case DIOCKILLSRCNODES: {
2906 struct pf_src_node *sn;
2908 struct pfioc_src_node_kill *psnk = \
2909 (struct pfioc_src_node_kill *) addr;
2912 RB_FOREACH(sn, pf_src_tree, &tree_src_tracking) {
2913 if (PF_MATCHA(psnk->psnk_src.neg, \
2914 &psnk->psnk_src.addr.v.a.addr, \
2915 &psnk->psnk_src.addr.v.a.mask, \
2916 &sn->addr, sn->af) &&
2917 PF_MATCHA(psnk->psnk_dst.neg, \
2918 &psnk->psnk_dst.addr.v.a.addr, \
2919 &psnk->psnk_dst.addr.v.a.mask, \
2920 &sn->raddr, sn->af)) {
2921 /* Handle state to src_node linkage */
2922 if (sn->states != 0) {
2923 RB_FOREACH(s, pf_state_tree_id,
2925 if (s->src_node == sn)
2927 if (s->nat_src_node == sn)
2928 s->nat_src_node = NULL;
2938 pf_purge_expired_src_nodes(1);
2940 psnk->psnk_af = killed;
2944 case DIOCSETHOSTID: {
2945 u_int32_t *hostid = (u_int32_t *)addr;
2948 pf_status.hostid = karc4random();
2950 pf_status.hostid = *hostid;
2960 case DIOCIGETIFACES: {
2961 struct pfioc_iface *io = (struct pfioc_iface *)addr;
2963 if (io->pfiio_esize != sizeof(struct pfi_kif)) {
2967 error = pfi_get_ifaces(io->pfiio_name, io->pfiio_buffer,
2972 case DIOCSETIFFLAG: {
2973 struct pfioc_iface *io = (struct pfioc_iface *)addr;
2975 error = pfi_set_flags(io->pfiio_name, io->pfiio_flags);
2979 case DIOCCLRIFFLAG: {
2980 struct pfioc_iface *io = (struct pfioc_iface *)addr;
2982 error = pfi_clear_flags(io->pfiio_name, io->pfiio_flags);
2995 * XXX - Check for version missmatch!!!
2998 pf_clear_states(void)
3000 struct pf_state *state;
3002 RB_FOREACH(state, pf_state_tree_id, &tree_id) {
3003 state->timeout = PFTM_PURGE;
3005 /* don't send out individual delete messages */
3006 state->sync_flags = PFSTATE_NOSYNC;
3008 pf_unlink_state(state);
3010 pf_status.states = 0;
3013 * XXX This is called on module unload, we do not want to sync that over? */
3015 pfsync_clear_states(pf_status.hostid, psk->psk_ifname);
3020 pf_clear_tables(void)
3022 struct pfioc_table io;
3025 bzero(&io, sizeof(io));
3027 error = pfr_clr_tables(&io.pfrio_table, &io.pfrio_ndel,
3034 pf_clear_srcnodes(void)
3036 struct pf_src_node *n;
3037 struct pf_state *state;
3039 RB_FOREACH(state, pf_state_tree_id, &tree_id) {
3040 state->src_node = NULL;
3041 state->nat_src_node = NULL;
3043 RB_FOREACH(n, pf_src_tree, &tree_src_tracking) {
3047 pf_purge_expired_src_nodes(0);
3048 pf_status.src_nodes = 0;
3051 * XXX - Check for version missmatch!!!
3055 * Duplicate pfctl -Fa operation to get rid of as much as we can.
3064 pf_status.running = 0;
3066 if ((error = pf_begin_rules(&t[0], PF_RULESET_SCRUB, &nn)) != 0) {
3067 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: SCRUB\n"));
3070 if ((error = pf_begin_rules(&t[1], PF_RULESET_FILTER, &nn)) != 0) {
3071 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: FILTER\n"));
3072 break; /* XXX: rollback? */
3074 if ((error = pf_begin_rules(&t[2], PF_RULESET_NAT, &nn)) != 0) {
3075 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: NAT\n"));
3076 break; /* XXX: rollback? */
3078 if ((error = pf_begin_rules(&t[3], PF_RULESET_BINAT, &nn))
3080 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: BINAT\n"));
3081 break; /* XXX: rollback? */
3083 if ((error = pf_begin_rules(&t[4], PF_RULESET_RDR, &nn))
3085 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: RDR\n"));
3086 break; /* XXX: rollback? */
3089 /* XXX: these should always succeed here */
3090 pf_commit_rules(t[0], PF_RULESET_SCRUB, &nn);
3091 pf_commit_rules(t[1], PF_RULESET_FILTER, &nn);
3092 pf_commit_rules(t[2], PF_RULESET_NAT, &nn);
3093 pf_commit_rules(t[3], PF_RULESET_BINAT, &nn);
3094 pf_commit_rules(t[4], PF_RULESET_RDR, &nn);
3096 if ((error = pf_clear_tables()) != 0)
3100 if ((error = pf_begin_altq(&t[0])) != 0) {
3101 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: ALTQ\n"));
3104 pf_commit_altq(t[0]);
3109 pf_clear_srcnodes();
3111 /* status does not use malloced mem so no need to cleanup */
3112 /* fingerprints and interfaces have their own cleanup code */
3119 pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir)
3122 * DragonFly's version of pf uses FreeBSD's native host byte ordering
3123 * for ip_len/ip_off. This is why we don't have to change byte order
3124 * like the FreeBSD-5 version does.
3128 chk = pf_test(PF_IN, ifp, m, NULL, NULL);
3137 pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir)
3140 * DragonFly's version of pf uses FreeBSD's native host byte ordering
3141 * for ip_len/ip_off. This is why we don't have to change byte order
3142 * like the FreeBSD-5 version does.
3146 /* We need a proper CSUM befor we start (s. OpenBSD ip_output) */
3147 if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
3148 in_delayed_cksum(*m);
3149 (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
3151 chk = pf_test(PF_OUT, ifp, m, NULL, NULL);
3161 pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir)
3164 * IPv6 is not affected by ip_len/ip_off byte order changes.
3168 chk = pf_test6(PF_IN, ifp, m, NULL, NULL);
3177 pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir)
3180 * IPv6 is not affected by ip_len/ip_off byte order changes.
3184 /* We need a proper CSUM befor we start (s. OpenBSD ip_output) */
3185 if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
3186 in_delayed_cksum(*m);
3187 (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
3189 chk = pf_test6(PF_OUT, ifp, m, NULL, NULL);
3201 struct pfil_head *pfh_inet;
3203 struct pfil_head *pfh_inet6;
3209 pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
3210 if (pfh_inet == NULL)
3212 pfil_add_hook(pf_check_in, NULL, PFIL_IN, pfh_inet);
3213 pfil_add_hook(pf_check_out, NULL, PFIL_OUT, pfh_inet);
3215 pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
3216 if (pfh_inet6 == NULL) {
3217 pfil_remove_hook(pf_check_in, NULL, PFIL_IN, pfh_inet);
3218 pfil_remove_hook(pf_check_out, NULL, PFIL_OUT, pfh_inet);
3221 pfil_add_hook(pf_check6_in, NULL, PFIL_IN, pfh_inet6);
3222 pfil_add_hook(pf_check6_out, NULL, PFIL_OUT, pfh_inet6);
3232 struct pfil_head *pfh_inet;
3234 struct pfil_head *pfh_inet6;
3237 if (pf_pfil_hooked == 0)
3240 pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
3241 if (pfh_inet == NULL)
3243 pfil_remove_hook(pf_check_in, NULL, PFIL_IN, pfh_inet);
3244 pfil_remove_hook(pf_check_out, NULL, PFIL_OUT, pfh_inet);
3246 pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
3247 if (pfh_inet6 == NULL)
3249 pfil_remove_hook(pf_check6_in, NULL, PFIL_IN, pfh_inet6);
3250 pfil_remove_hook(pf_check6_out, NULL, PFIL_OUT, pfh_inet6);
3263 lockinit(&pf_mod_lck, "pf task lck", 0, LK_CANRECURSE);
3264 kprintf("pf_load() p1\n"); /*XXX*/
3265 pf_dev = make_dev(&pf_ops, 0, 0, 0, 0600, PF_NAME);
3266 kprintf("pf_load() p2\n"); /*XXX*/
3268 kprintf("pf_load() p3\n"); /*XXX*/
3270 dev_ops_remove_all(&pf_ops);
3271 lockuninit(&pf_mod_lck);
3274 lockinit(&pf_consistency_lock, "pfconslck", 0, LK_CANRECURSE);
3275 kprintf("pf_load() p4\n"); /*XXX*/
3284 pf_status.running = 0;
3285 error = dehook_pf();
3288 * Should not happen!
3289 * XXX Due to error code ESRCH, kldunload will show
3290 * a message like 'No such process'.
3292 kprintf("pfil unregistration fail\n");
3297 while (pf_end_threads < 2) {
3298 wakeup_one(pf_purge_thread);
3299 lksleep(pf_purge_thread, &pf_mod_lck, 0, "pftmo", hz);
3306 dev_ops_remove_all(&pf_ops);
3307 lockuninit(&pf_consistency_lock);
3308 lockuninit(&pf_mod_lck);
3313 pf_modevent(module_t mod, int type, void *data)
3323 error = pf_unload();
3332 static moduledata_t pf_mod = {
3337 DECLARE_MODULE(pf, pf_mod, SI_SUB_PSEUDO, SI_ORDER_FIRST);
3338 MODULE_VERSION(pf, PF_MODVER);
projects / dragonfly.git / blob