1 /* $OpenBSD: pf_table.c,v 1.70 2007/05/23 11:53:45 markus Exp $ */
4 * Copyright (c) 2004 The DragonFly Project. All rights reserved.
6 * Copyright (c) 2002 Cedric Berger
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * - Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * - Redistributions in binary form must reproduce the above
16 * copyright notice, this list of conditions and the following
17 * disclaimer in the documentation and/or other materials provided
18 * with the distribution.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
28 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
30 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
36 #include "opt_inet6.h"
38 #include <sys/param.h>
39 #include <sys/systm.h>
40 #include <sys/socket.h>
42 #include <sys/kernel.h>
43 #include <sys/malloc.h>
44 #include <sys/thread2.h>
45 #include <vm/vm_zone.h>
48 #include <net/route.h>
49 #include <netinet/in.h>
50 #include <net/pf/pfvar.h>
52 #define ACCEPT_FLAGS(flags, oklist) \
54 if ((flags & ~(oklist)) & \
59 #define COPYIN(from, to, size, flags) \
60 ((flags & PFR_FLAG_USERIOCTL) ? \
61 copyin((from), (to), (size)) : \
62 (bcopy((from), (to), (size)), 0))
64 #define COPYOUT(from, to, size, flags) \
65 ((flags & PFR_FLAG_USERIOCTL) ? \
66 copyout((from), (to), (size)) : \
67 (bcopy((from), (to), (size)), 0))
69 #define FILLIN_SIN(sin, addr) \
71 (sin).sin_len = sizeof(sin); \
72 (sin).sin_family = AF_INET; \
73 (sin).sin_addr = (addr); \
76 #define FILLIN_SIN6(sin6, addr) \
78 (sin6).sin6_len = sizeof(sin6); \
79 (sin6).sin6_family = AF_INET6; \
80 (sin6).sin6_addr = (addr); \
83 #define SWAP(type, a1, a2) \
90 #define SUNION2PF(su, af) (((af)==AF_INET) ? \
91 (struct pf_addr *)&(su)->sin.sin_addr : \
92 (struct pf_addr *)&(su)->sin6.sin6_addr)
94 #define AF_BITS(af) (((af)==AF_INET)?32:128)
95 #define ADDR_NETWORK(ad) ((ad)->pfra_net < AF_BITS((ad)->pfra_af))
96 #define KENTRY_NETWORK(ke) ((ke)->pfrke_net < AF_BITS((ke)->pfrke_af))
97 #define KENTRY_RNF_ROOT(ke) \
98 ((((struct radix_node *)(ke))->rn_flags & RNF_ROOT) != 0)
100 #define NO_ADDRESSES (-1)
101 #define ENQUEUE_UNMARKED_ONLY (1)
102 #define INVERT_NEG_FLAG (1)
104 struct pfr_walktree {
115 struct pfr_addr *pfrw1_addr;
116 struct pfr_astats *pfrw1_astats;
117 struct pfr_kentryworkq *pfrw1_workq;
118 struct pfr_kentry *pfrw1_kentry;
119 struct pfi_dynaddr *pfrw1_dyn;
124 #define pfrw_addr pfrw_1.pfrw1_addr
125 #define pfrw_astats pfrw_1.pfrw1_astats
126 #define pfrw_workq pfrw_1.pfrw1_workq
127 #define pfrw_kentry pfrw_1.pfrw1_kentry
128 #define pfrw_dyn pfrw_1.pfrw1_dyn
129 #define pfrw_cnt pfrw_free
131 #define senderr(e) do { rv = (e); goto _bad; } while (0)
133 vm_zone_t pfr_ktable_pl;
134 vm_zone_t pfr_kentry_pl;
135 vm_zone_t pfr_kentry_pl2;
136 struct sockaddr_in pfr_sin;
137 struct sockaddr_in6 pfr_sin6;
138 union sockaddr_union pfr_mask;
139 struct pf_addr pfr_ffaddr;
141 void pfr_copyout_addr(struct pfr_addr *,
142 struct pfr_kentry *ke);
143 int pfr_validate_addr(struct pfr_addr *);
144 void pfr_enqueue_addrs(struct pfr_ktable *,
145 struct pfr_kentryworkq *, int *, int);
146 void pfr_mark_addrs(struct pfr_ktable *);
147 struct pfr_kentry *pfr_lookup_addr(struct pfr_ktable *,
148 struct pfr_addr *, int);
149 struct pfr_kentry *pfr_create_kentry(struct pfr_addr *, int);
150 void pfr_destroy_kentries(struct pfr_kentryworkq *);
151 void pfr_destroy_kentry(struct pfr_kentry *);
152 void pfr_insert_kentries(struct pfr_ktable *,
153 struct pfr_kentryworkq *, long);
154 void pfr_remove_kentries(struct pfr_ktable *,
155 struct pfr_kentryworkq *);
156 void pfr_clstats_kentries(struct pfr_kentryworkq *, long,
158 void pfr_reset_feedback(struct pfr_addr *, int, int);
159 void pfr_prepare_network(union sockaddr_union *, int, int);
160 int pfr_route_kentry(struct pfr_ktable *,
161 struct pfr_kentry *);
162 int pfr_unroute_kentry(struct pfr_ktable *,
163 struct pfr_kentry *);
164 int pfr_walktree(struct radix_node *, void *);
165 int pfr_validate_table(struct pfr_table *, int, int);
166 int pfr_fix_anchor(char *);
167 void pfr_commit_ktable(struct pfr_ktable *, long);
168 void pfr_insert_ktables(struct pfr_ktableworkq *);
169 void pfr_insert_ktable(struct pfr_ktable *);
170 void pfr_setflags_ktables(struct pfr_ktableworkq *);
171 void pfr_setflags_ktable(struct pfr_ktable *, int);
172 void pfr_clstats_ktables(struct pfr_ktableworkq *, long,
174 void pfr_clstats_ktable(struct pfr_ktable *, long, int);
175 struct pfr_ktable *pfr_create_ktable(struct pfr_table *, long, int);
176 void pfr_destroy_ktables(struct pfr_ktableworkq *, int);
177 void pfr_destroy_ktable(struct pfr_ktable *, int);
178 int pfr_ktable_compare(struct pfr_ktable *,
179 struct pfr_ktable *);
180 struct pfr_ktable *pfr_lookup_table(struct pfr_table *);
181 void pfr_clean_node_mask(struct pfr_ktable *,
182 struct pfr_kentryworkq *);
183 int pfr_table_count(struct pfr_table *, int);
184 int pfr_skip_table(struct pfr_table *,
185 struct pfr_ktable *, int);
186 struct pfr_kentry *pfr_kentry_byidx(struct pfr_ktable *, int, int);
188 RB_PROTOTYPE(pfr_ktablehead, pfr_ktable, pfrkt_tree, pfr_ktable_compare);
189 RB_GENERATE(pfr_ktablehead, pfr_ktable, pfrkt_tree, pfr_ktable_compare);
191 struct pfr_ktablehead pfr_ktables;
192 struct pfr_table pfr_nulltable;
198 pfr_sin.sin_len = sizeof(pfr_sin);
199 pfr_sin.sin_family = AF_INET;
200 pfr_sin6.sin6_len = sizeof(pfr_sin6);
201 pfr_sin6.sin6_family = AF_INET6;
203 memset(&pfr_ffaddr, 0xff, sizeof(pfr_ffaddr));
207 pfr_clr_addrs(struct pfr_table *tbl, int *ndel, int flags)
209 struct pfr_ktable *kt;
210 struct pfr_kentryworkq workq;
212 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY);
213 if (pfr_validate_table(tbl, 0, flags & PFR_FLAG_USERIOCTL))
215 kt = pfr_lookup_table(tbl);
216 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
218 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
220 pfr_enqueue_addrs(kt, &workq, ndel, 0);
222 if (!(flags & PFR_FLAG_DUMMY)) {
223 if (flags & PFR_FLAG_ATOMIC)
225 pfr_remove_kentries(kt, &workq);
226 if (flags & PFR_FLAG_ATOMIC)
229 kprintf("pfr_clr_addrs: corruption detected (%d).\n",
238 pfr_add_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
239 int *nadd, int flags)
241 struct pfr_ktable *kt, *tmpkt;
242 struct pfr_kentryworkq workq;
243 struct pfr_kentry *p, *q;
246 long tzero = time_second;
248 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY |
250 if (pfr_validate_table(tbl, 0, flags & PFR_FLAG_USERIOCTL))
252 kt = pfr_lookup_table(tbl);
253 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
255 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
257 tmpkt = pfr_create_ktable(&pfr_nulltable, 0, 0);
261 for (i = 0; i < size; i++) {
262 if (COPYIN(addr+i, &ad, sizeof(ad), flags))
264 if (pfr_validate_addr(&ad))
266 p = pfr_lookup_addr(kt, &ad, 1);
267 q = pfr_lookup_addr(tmpkt, &ad, 1);
268 if (flags & PFR_FLAG_FEEDBACK) {
270 ad.pfra_fback = PFR_FB_DUPLICATE;
272 ad.pfra_fback = PFR_FB_ADDED;
273 else if (p->pfrke_not != ad.pfra_not)
274 ad.pfra_fback = PFR_FB_CONFLICT;
276 ad.pfra_fback = PFR_FB_NONE;
278 if (p == NULL && q == NULL) {
279 p = pfr_create_kentry(&ad,
280 !(flags & PFR_FLAG_USERIOCTL));
283 if (pfr_route_kentry(tmpkt, p)) {
284 pfr_destroy_kentry(p);
285 ad.pfra_fback = PFR_FB_NONE;
287 SLIST_INSERT_HEAD(&workq, p, pfrke_workq);
291 if (flags & PFR_FLAG_FEEDBACK)
292 if (COPYOUT(&ad, addr+i, sizeof(ad), flags))
295 pfr_clean_node_mask(tmpkt, &workq);
296 if (!(flags & PFR_FLAG_DUMMY)) {
297 if (flags & PFR_FLAG_ATOMIC)
299 pfr_insert_kentries(kt, &workq, tzero);
300 if (flags & PFR_FLAG_ATOMIC)
303 pfr_destroy_kentries(&workq);
306 pfr_destroy_ktable(tmpkt, 0);
309 pfr_clean_node_mask(tmpkt, &workq);
310 pfr_destroy_kentries(&workq);
311 if (flags & PFR_FLAG_FEEDBACK)
312 pfr_reset_feedback(addr, size, flags);
313 pfr_destroy_ktable(tmpkt, 0);
318 pfr_del_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
319 int *ndel, int flags)
321 struct pfr_ktable *kt;
322 struct pfr_kentryworkq workq;
323 struct pfr_kentry *p;
325 int i, rv, xdel = 0, log = 1;
327 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY |
329 if (pfr_validate_table(tbl, 0, flags & PFR_FLAG_USERIOCTL))
331 kt = pfr_lookup_table(tbl);
332 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
334 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
337 * there are two algorithms to choose from here.
339 * n: number of addresses to delete
340 * N: number of addresses in the table
342 * one is O(N) and is better for large 'n'
343 * one is O(n*LOG(N)) and is better for small 'n'
345 * following code try to decide which one is best.
347 for (i = kt->pfrkt_cnt; i > 0; i >>= 1)
349 if (size > kt->pfrkt_cnt/log) {
350 /* full table scan */
353 /* iterate over addresses to delete */
354 for (i = 0; i < size; i++) {
355 if (COPYIN(addr+i, &ad, sizeof(ad), flags))
357 if (pfr_validate_addr(&ad))
359 p = pfr_lookup_addr(kt, &ad, 1);
365 for (i = 0; i < size; i++) {
366 if (COPYIN(addr+i, &ad, sizeof(ad), flags))
368 if (pfr_validate_addr(&ad))
370 p = pfr_lookup_addr(kt, &ad, 1);
371 if (flags & PFR_FLAG_FEEDBACK) {
373 ad.pfra_fback = PFR_FB_NONE;
374 else if (p->pfrke_not != ad.pfra_not)
375 ad.pfra_fback = PFR_FB_CONFLICT;
376 else if (p->pfrke_mark)
377 ad.pfra_fback = PFR_FB_DUPLICATE;
379 ad.pfra_fback = PFR_FB_DELETED;
381 if (p != NULL && p->pfrke_not == ad.pfra_not &&
384 SLIST_INSERT_HEAD(&workq, p, pfrke_workq);
387 if (flags & PFR_FLAG_FEEDBACK)
388 if (COPYOUT(&ad, addr+i, sizeof(ad), flags))
391 if (!(flags & PFR_FLAG_DUMMY)) {
392 if (flags & PFR_FLAG_ATOMIC)
394 pfr_remove_kentries(kt, &workq);
395 if (flags & PFR_FLAG_ATOMIC)
402 if (flags & PFR_FLAG_FEEDBACK)
403 pfr_reset_feedback(addr, size, flags);
408 pfr_set_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
409 int *size2, int *nadd, int *ndel, int *nchange, int flags,
410 u_int32_t ignore_pfrt_flags)
412 struct pfr_ktable *kt, *tmpkt;
413 struct pfr_kentryworkq addq, delq, changeq;
414 struct pfr_kentry *p, *q;
416 int i, rv, xadd = 0, xdel = 0, xchange = 0;
417 long tzero = time_second;
419 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY |
421 if (pfr_validate_table(tbl, ignore_pfrt_flags, flags &
424 kt = pfr_lookup_table(tbl);
425 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
427 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
429 tmpkt = pfr_create_ktable(&pfr_nulltable, 0, 0);
435 SLIST_INIT(&changeq);
436 for (i = 0; i < size; i++) {
437 if (COPYIN(addr+i, &ad, sizeof(ad), flags))
439 if (pfr_validate_addr(&ad))
441 ad.pfra_fback = PFR_FB_NONE;
442 p = pfr_lookup_addr(kt, &ad, 1);
445 ad.pfra_fback = PFR_FB_DUPLICATE;
449 if (p->pfrke_not != ad.pfra_not) {
450 SLIST_INSERT_HEAD(&changeq, p, pfrke_workq);
451 ad.pfra_fback = PFR_FB_CHANGED;
455 q = pfr_lookup_addr(tmpkt, &ad, 1);
457 ad.pfra_fback = PFR_FB_DUPLICATE;
460 p = pfr_create_kentry(&ad,
461 !(flags & PFR_FLAG_USERIOCTL));
464 if (pfr_route_kentry(tmpkt, p)) {
465 pfr_destroy_kentry(p);
466 ad.pfra_fback = PFR_FB_NONE;
468 SLIST_INSERT_HEAD(&addq, p, pfrke_workq);
469 ad.pfra_fback = PFR_FB_ADDED;
474 if (flags & PFR_FLAG_FEEDBACK)
475 if (COPYOUT(&ad, addr+i, sizeof(ad), flags))
478 pfr_enqueue_addrs(kt, &delq, &xdel, ENQUEUE_UNMARKED_ONLY);
479 if ((flags & PFR_FLAG_FEEDBACK) && *size2) {
480 if (*size2 < size+xdel) {
485 SLIST_FOREACH(p, &delq, pfrke_workq) {
486 pfr_copyout_addr(&ad, p);
487 ad.pfra_fback = PFR_FB_DELETED;
488 if (COPYOUT(&ad, addr+size+i, sizeof(ad), flags))
493 pfr_clean_node_mask(tmpkt, &addq);
494 if (!(flags & PFR_FLAG_DUMMY)) {
495 if (flags & PFR_FLAG_ATOMIC)
497 pfr_insert_kentries(kt, &addq, tzero);
498 pfr_remove_kentries(kt, &delq);
499 pfr_clstats_kentries(&changeq, tzero, INVERT_NEG_FLAG);
500 if (flags & PFR_FLAG_ATOMIC)
503 pfr_destroy_kentries(&addq);
510 if ((flags & PFR_FLAG_FEEDBACK) && size2)
512 pfr_destroy_ktable(tmpkt, 0);
515 pfr_clean_node_mask(tmpkt, &addq);
516 pfr_destroy_kentries(&addq);
517 if (flags & PFR_FLAG_FEEDBACK)
518 pfr_reset_feedback(addr, size, flags);
519 pfr_destroy_ktable(tmpkt, 0);
524 pfr_tst_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
525 int *nmatch, int flags)
527 struct pfr_ktable *kt;
528 struct pfr_kentry *p;
532 ACCEPT_FLAGS(flags, PFR_FLAG_REPLACE);
533 if (pfr_validate_table(tbl, 0, 0))
535 kt = pfr_lookup_table(tbl);
536 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
539 for (i = 0; i < size; i++) {
540 if (COPYIN(addr+i, &ad, sizeof(ad), flags))
542 if (pfr_validate_addr(&ad))
544 if (ADDR_NETWORK(&ad))
546 p = pfr_lookup_addr(kt, &ad, 0);
547 if (flags & PFR_FLAG_REPLACE)
548 pfr_copyout_addr(&ad, p);
549 ad.pfra_fback = (p == NULL) ? PFR_FB_NONE :
550 (p->pfrke_not ? PFR_FB_NOTMATCH : PFR_FB_MATCH);
551 if (p != NULL && !p->pfrke_not)
553 if (COPYOUT(&ad, addr+i, sizeof(ad), flags))
562 pfr_get_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int *size,
565 struct pfr_ktable *kt;
566 struct pfr_walktree w;
569 ACCEPT_FLAGS(flags, 0);
570 if (pfr_validate_table(tbl, 0, 0))
572 kt = pfr_lookup_table(tbl);
573 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
575 if (kt->pfrkt_cnt > *size) {
576 *size = kt->pfrkt_cnt;
580 bzero(&w, sizeof(w));
581 w.pfrw_op = PFRW_GET_ADDRS;
583 w.pfrw_free = kt->pfrkt_cnt;
584 w.pfrw_flags = flags;
585 rv = kt->pfrkt_ip4->rnh_walktree(kt->pfrkt_ip4, pfr_walktree, &w);
587 rv = kt->pfrkt_ip6->rnh_walktree(kt->pfrkt_ip6, pfr_walktree, &w);
592 kprintf("pfr_get_addrs: corruption detected (%d).\n",
596 *size = kt->pfrkt_cnt;
601 pfr_get_astats(struct pfr_table *tbl, struct pfr_astats *addr, int *size,
604 struct pfr_ktable *kt;
605 struct pfr_walktree w;
606 struct pfr_kentryworkq workq;
608 long tzero = time_second;
610 /* XXX PFR_FLAG_CLSTATS disabled */
611 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC);
612 if (pfr_validate_table(tbl, 0, 0))
614 kt = pfr_lookup_table(tbl);
615 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
617 if (kt->pfrkt_cnt > *size) {
618 *size = kt->pfrkt_cnt;
622 bzero(&w, sizeof(w));
623 w.pfrw_op = PFRW_GET_ASTATS;
624 w.pfrw_astats = addr;
625 w.pfrw_free = kt->pfrkt_cnt;
626 w.pfrw_flags = flags;
627 if (flags & PFR_FLAG_ATOMIC)
629 rv = kt->pfrkt_ip4->rnh_walktree(kt->pfrkt_ip4, pfr_walktree, &w);
631 rv = kt->pfrkt_ip6->rnh_walktree(kt->pfrkt_ip6, pfr_walktree, &w);
632 if (!rv && (flags & PFR_FLAG_CLSTATS)) {
633 pfr_enqueue_addrs(kt, &workq, NULL, 0);
634 pfr_clstats_kentries(&workq, tzero, 0);
636 if (flags & PFR_FLAG_ATOMIC)
642 kprintf("pfr_get_astats: corruption detected (%d).\n",
646 *size = kt->pfrkt_cnt;
651 pfr_clr_astats(struct pfr_table *tbl, struct pfr_addr *addr, int size,
652 int *nzero, int flags)
654 struct pfr_ktable *kt;
655 struct pfr_kentryworkq workq;
656 struct pfr_kentry *p;
658 int i, rv, xzero = 0;
660 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY |
662 if (pfr_validate_table(tbl, 0, 0))
664 kt = pfr_lookup_table(tbl);
665 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
668 for (i = 0; i < size; i++) {
669 if (COPYIN(addr+i, &ad, sizeof(ad), flags))
671 if (pfr_validate_addr(&ad))
673 p = pfr_lookup_addr(kt, &ad, 1);
674 if (flags & PFR_FLAG_FEEDBACK) {
675 ad.pfra_fback = (p != NULL) ?
676 PFR_FB_CLEARED : PFR_FB_NONE;
677 if (COPYOUT(&ad, addr+i, sizeof(ad), flags))
681 SLIST_INSERT_HEAD(&workq, p, pfrke_workq);
686 if (!(flags & PFR_FLAG_DUMMY)) {
687 if (flags & PFR_FLAG_ATOMIC)
689 pfr_clstats_kentries(&workq, 0, 0);
690 if (flags & PFR_FLAG_ATOMIC)
697 if (flags & PFR_FLAG_FEEDBACK)
698 pfr_reset_feedback(addr, size, flags);
703 pfr_validate_addr(struct pfr_addr *ad)
707 switch (ad->pfra_af) {
710 if (ad->pfra_net > 32)
716 if (ad->pfra_net > 128)
723 if (ad->pfra_net < 128 &&
724 (((caddr_t)ad)[ad->pfra_net/8] & (0xFF >> (ad->pfra_net%8))))
726 for (i = (ad->pfra_net+7)/8; i < sizeof(ad->pfra_u); i++)
727 if (((caddr_t)ad)[i])
729 if (ad->pfra_not && ad->pfra_not != 1)
737 pfr_enqueue_addrs(struct pfr_ktable *kt, struct pfr_kentryworkq *workq,
738 int *naddr, int sweep)
740 struct pfr_walktree w;
743 bzero(&w, sizeof(w));
744 w.pfrw_op = sweep ? PFRW_SWEEP : PFRW_ENQUEUE;
745 w.pfrw_workq = workq;
746 if (kt->pfrkt_ip4 != NULL)
747 if (kt->pfrkt_ip4->rnh_walktree(kt->pfrkt_ip4, pfr_walktree, &w))
748 kprintf("pfr_enqueue_addrs: IPv4 walktree failed.\n");
749 if (kt->pfrkt_ip6 != NULL)
750 if (kt->pfrkt_ip6->rnh_walktree(kt->pfrkt_ip6, pfr_walktree, &w))
751 kprintf("pfr_enqueue_addrs: IPv6 walktree failed.\n");
757 pfr_mark_addrs(struct pfr_ktable *kt)
759 struct pfr_walktree w;
761 bzero(&w, sizeof(w));
762 w.pfrw_op = PFRW_MARK;
763 if (kt->pfrkt_ip4->rnh_walktree(kt->pfrkt_ip4, pfr_walktree, &w))
764 kprintf("pfr_mark_addrs: IPv4 walktree failed.\n");
765 if (kt->pfrkt_ip6->rnh_walktree(kt->pfrkt_ip6, pfr_walktree, &w))
766 kprintf("pfr_mark_addrs: IPv6 walktree failed.\n");
771 pfr_lookup_addr(struct pfr_ktable *kt, struct pfr_addr *ad, int exact)
773 union sockaddr_union sa, mask;
774 struct radix_node_head *head = NULL;
775 struct pfr_kentry *ke;
777 bzero(&sa, sizeof(sa));
778 if (ad->pfra_af == AF_INET) {
779 FILLIN_SIN(sa.sin, ad->pfra_ip4addr);
780 head = kt->pfrkt_ip4;
781 } else if ( ad->pfra_af == AF_INET6 ) {
782 FILLIN_SIN6(sa.sin6, ad->pfra_ip6addr);
783 head = kt->pfrkt_ip6;
785 if (ADDR_NETWORK(ad)) {
786 pfr_prepare_network(&mask, ad->pfra_af, ad->pfra_net);
787 crit_enter(); /* rn_lookup makes use of globals */
788 ke = (struct pfr_kentry *)rn_lookup((char *)&sa, (char *)&mask,
791 if (ke && KENTRY_RNF_ROOT(ke))
794 ke = (struct pfr_kentry *)rn_match((char *)&sa, head);
795 if (ke && KENTRY_RNF_ROOT(ke))
797 if (exact && ke && KENTRY_NETWORK(ke))
804 pfr_create_kentry(struct pfr_addr *ad, int intr)
806 struct pfr_kentry *ke;
809 ke = pool_get(&pfr_kentry_pl2, PR_NOWAIT);
811 ke = pool_get(&pfr_kentry_pl, PR_NOWAIT);
814 bzero(ke, sizeof(*ke));
816 if (ad->pfra_af == AF_INET)
817 FILLIN_SIN(ke->pfrke_sa.sin, ad->pfra_ip4addr);
818 else if (ad->pfra_af == AF_INET6)
819 FILLIN_SIN6(ke->pfrke_sa.sin6, ad->pfra_ip6addr);
820 ke->pfrke_af = ad->pfra_af;
821 ke->pfrke_net = ad->pfra_net;
822 ke->pfrke_not = ad->pfra_not;
823 ke->pfrke_intrpool = intr;
828 pfr_destroy_kentries(struct pfr_kentryworkq *workq)
830 struct pfr_kentry *p, *q;
832 for (p = SLIST_FIRST(workq); p != NULL; p = q) {
833 q = SLIST_NEXT(p, pfrke_workq);
834 pfr_destroy_kentry(p);
839 pfr_destroy_kentry(struct pfr_kentry *ke)
841 if (ke->pfrke_intrpool)
842 pool_put(&pfr_kentry_pl2, ke);
844 pool_put(&pfr_kentry_pl, ke);
848 pfr_insert_kentries(struct pfr_ktable *kt,
849 struct pfr_kentryworkq *workq, long tzero)
851 struct pfr_kentry *p;
854 SLIST_FOREACH(p, workq, pfrke_workq) {
855 rv = pfr_route_kentry(kt, p);
857 kprintf("pfr_insert_kentries: cannot route entry "
861 p->pfrke_tzero = tzero;
868 pfr_insert_kentry(struct pfr_ktable *kt, struct pfr_addr *ad, long tzero)
870 struct pfr_kentry *p;
873 p = pfr_lookup_addr(kt, ad, 1);
876 p = pfr_create_kentry(ad, 1);
880 rv = pfr_route_kentry(kt, p);
884 p->pfrke_tzero = tzero;
891 pfr_remove_kentries(struct pfr_ktable *kt,
892 struct pfr_kentryworkq *workq)
894 struct pfr_kentry *p;
897 SLIST_FOREACH(p, workq, pfrke_workq) {
898 pfr_unroute_kentry(kt, p);
902 pfr_destroy_kentries(workq);
906 pfr_clean_node_mask(struct pfr_ktable *kt,
907 struct pfr_kentryworkq *workq)
909 struct pfr_kentry *p;
911 SLIST_FOREACH(p, workq, pfrke_workq)
912 pfr_unroute_kentry(kt, p);
916 pfr_clstats_kentries(struct pfr_kentryworkq *workq, long tzero, int negchange)
918 struct pfr_kentry *p;
920 SLIST_FOREACH(p, workq, pfrke_workq) {
923 p->pfrke_not = !p->pfrke_not;
924 bzero(p->pfrke_packets, sizeof(p->pfrke_packets));
925 bzero(p->pfrke_bytes, sizeof(p->pfrke_bytes));
927 p->pfrke_tzero = tzero;
932 pfr_reset_feedback(struct pfr_addr *addr, int size, int flags)
937 for (i = 0; i < size; i++) {
938 if (COPYIN(addr+i, &ad, sizeof(ad), flags))
940 ad.pfra_fback = PFR_FB_NONE;
941 if (COPYOUT(&ad, addr+i, sizeof(ad), flags))
947 pfr_prepare_network(union sockaddr_union *sa, int af, int net)
951 bzero(sa, sizeof(*sa));
953 sa->sin.sin_len = sizeof(sa->sin);
954 sa->sin.sin_family = AF_INET;
955 sa->sin.sin_addr.s_addr = net ? htonl(-1 << (32-net)) : 0;
956 } else if (af == AF_INET6) {
957 sa->sin6.sin6_len = sizeof(sa->sin6);
958 sa->sin6.sin6_family = AF_INET6;
959 for (i = 0; i < 4; i++) {
961 sa->sin6.sin6_addr.s6_addr32[i] =
962 net ? htonl(-1 << (32-net)) : 0;
965 sa->sin6.sin6_addr.s6_addr32[i] = 0xFFFFFFFF;
972 pfr_route_kentry(struct pfr_ktable *kt, struct pfr_kentry *ke)
974 union sockaddr_union mask;
975 struct radix_node *rn;
976 struct radix_node_head *head = NULL;
978 bzero(ke->pfrke_node, sizeof(ke->pfrke_node));
979 if (ke->pfrke_af == AF_INET)
980 head = kt->pfrkt_ip4;
981 else if (ke->pfrke_af == AF_INET6)
982 head = kt->pfrkt_ip6;
985 if (KENTRY_NETWORK(ke)) {
986 pfr_prepare_network(&mask, ke->pfrke_af, ke->pfrke_net);
987 rn = rn_addroute((char *)&ke->pfrke_sa, (char *)&mask, head,
990 rn = rn_addroute((char *)&ke->pfrke_sa, NULL, head,
994 return (rn == NULL ? -1 : 0);
998 pfr_unroute_kentry(struct pfr_ktable *kt, struct pfr_kentry *ke)
1000 union sockaddr_union mask;
1001 struct radix_node *rn;
1002 struct radix_node_head *head = NULL;
1004 if (ke->pfrke_af == AF_INET)
1005 head = kt->pfrkt_ip4;
1006 else if (ke->pfrke_af == AF_INET6)
1007 head = kt->pfrkt_ip6;
1010 if (KENTRY_NETWORK(ke)) {
1011 pfr_prepare_network(&mask, ke->pfrke_af, ke->pfrke_net);
1012 rn = rn_delete((char *)&ke->pfrke_sa, (char *)&mask, head);
1014 rn = rn_delete((char *)&ke->pfrke_sa, NULL, head);
1018 kprintf("pfr_unroute_kentry: delete failed.\n");
1025 pfr_copyout_addr(struct pfr_addr *ad, struct pfr_kentry *ke)
1027 bzero(ad, sizeof(*ad));
1030 ad->pfra_af = ke->pfrke_af;
1031 ad->pfra_net = ke->pfrke_net;
1032 ad->pfra_not = ke->pfrke_not;
1033 if (ad->pfra_af == AF_INET)
1034 ad->pfra_ip4addr = ke->pfrke_sa.sin.sin_addr;
1035 else if (ad->pfra_af == AF_INET6)
1036 ad->pfra_ip6addr = ke->pfrke_sa.sin6.sin6_addr;
1040 pfr_walktree(struct radix_node *rn, void *arg)
1042 struct pfr_kentry *ke = (struct pfr_kentry *)rn;
1043 struct pfr_walktree *w = arg;
1044 int flags = w->pfrw_flags;
1046 switch (w->pfrw_op) {
1055 SLIST_INSERT_HEAD(w->pfrw_workq, ke, pfrke_workq);
1058 case PFRW_GET_ADDRS:
1059 if (w->pfrw_free-- > 0) {
1062 pfr_copyout_addr(&ad, ke);
1063 if (copyout(&ad, w->pfrw_addr, sizeof(ad)))
1068 case PFRW_GET_ASTATS:
1069 if (w->pfrw_free-- > 0) {
1070 struct pfr_astats as;
1072 pfr_copyout_addr(&as.pfras_a, ke);
1075 bcopy(ke->pfrke_packets, as.pfras_packets,
1076 sizeof(as.pfras_packets));
1077 bcopy(ke->pfrke_bytes, as.pfras_bytes,
1078 sizeof(as.pfras_bytes));
1080 as.pfras_tzero = ke->pfrke_tzero;
1082 if (COPYOUT(&as, w->pfrw_astats, sizeof(as), flags))
1089 break; /* negative entries are ignored */
1090 if (!w->pfrw_cnt--) {
1091 w->pfrw_kentry = ke;
1092 return (1); /* finish search */
1095 case PFRW_DYNADDR_UPDATE:
1096 if (ke->pfrke_af == AF_INET) {
1097 if (w->pfrw_dyn->pfid_acnt4++ > 0)
1099 pfr_prepare_network(&pfr_mask, AF_INET, ke->pfrke_net);
1100 w->pfrw_dyn->pfid_addr4 = *SUNION2PF(
1101 &ke->pfrke_sa, AF_INET);
1102 w->pfrw_dyn->pfid_mask4 = *SUNION2PF(
1103 &pfr_mask, AF_INET);
1104 } else if (ke->pfrke_af == AF_INET6){
1105 if (w->pfrw_dyn->pfid_acnt6++ > 0)
1107 pfr_prepare_network(&pfr_mask, AF_INET6, ke->pfrke_net);
1108 w->pfrw_dyn->pfid_addr6 = *SUNION2PF(
1109 &ke->pfrke_sa, AF_INET6);
1110 w->pfrw_dyn->pfid_mask6 = *SUNION2PF(
1111 &pfr_mask, AF_INET6);
1119 pfr_clr_tables(struct pfr_table *filter, int *ndel, int flags)
1121 struct pfr_ktableworkq workq;
1122 struct pfr_ktable *p;
1125 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY |
1127 if (pfr_fix_anchor(filter->pfrt_anchor))
1129 if (pfr_table_count(filter, flags) < 0)
1133 RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {
1134 if (pfr_skip_table(filter, p, flags))
1136 if (!strcmp(p->pfrkt_anchor, PF_RESERVED_ANCHOR))
1138 if (!(p->pfrkt_flags & PFR_TFLAG_ACTIVE))
1140 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_ACTIVE;
1141 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1144 if (!(flags & PFR_FLAG_DUMMY)) {
1145 if (flags & PFR_FLAG_ATOMIC)
1147 pfr_setflags_ktables(&workq);
1148 if (flags & PFR_FLAG_ATOMIC)
1157 pfr_add_tables(struct pfr_table *tbl, int size, int *nadd, int flags)
1159 struct pfr_ktableworkq addq, changeq;
1160 struct pfr_ktable *p, *q, *r, key;
1161 int i, rv, xadd = 0;
1162 long tzero = time_second;
1164 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY);
1166 SLIST_INIT(&changeq);
1167 for (i = 0; i < size; i++) {
1168 if (COPYIN(tbl+i, &key.pfrkt_t, sizeof(key.pfrkt_t), flags))
1170 if (pfr_validate_table(&key.pfrkt_t, PFR_TFLAG_USRMASK,
1171 flags & PFR_FLAG_USERIOCTL))
1173 key.pfrkt_flags |= PFR_TFLAG_ACTIVE;
1174 p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key);
1176 p = pfr_create_ktable(&key.pfrkt_t, tzero, 1);
1179 SLIST_FOREACH(q, &addq, pfrkt_workq) {
1180 if (!pfr_ktable_compare(p, q))
1183 SLIST_INSERT_HEAD(&addq, p, pfrkt_workq);
1185 if (!key.pfrkt_anchor[0])
1188 /* find or create root table */
1189 bzero(key.pfrkt_anchor, sizeof(key.pfrkt_anchor));
1190 r = RB_FIND(pfr_ktablehead, &pfr_ktables, &key);
1195 SLIST_FOREACH(q, &addq, pfrkt_workq) {
1196 if (!pfr_ktable_compare(&key, q)) {
1201 key.pfrkt_flags = 0;
1202 r = pfr_create_ktable(&key.pfrkt_t, 0, 1);
1205 SLIST_INSERT_HEAD(&addq, r, pfrkt_workq);
1207 } else if (!(p->pfrkt_flags & PFR_TFLAG_ACTIVE)) {
1208 SLIST_FOREACH(q, &changeq, pfrkt_workq)
1209 if (!pfr_ktable_compare(&key, q))
1211 p->pfrkt_nflags = (p->pfrkt_flags &
1212 ~PFR_TFLAG_USRMASK) | key.pfrkt_flags;
1213 SLIST_INSERT_HEAD(&changeq, p, pfrkt_workq);
1219 if (!(flags & PFR_FLAG_DUMMY)) {
1220 if (flags & PFR_FLAG_ATOMIC)
1222 pfr_insert_ktables(&addq);
1223 pfr_setflags_ktables(&changeq);
1224 if (flags & PFR_FLAG_ATOMIC)
1227 pfr_destroy_ktables(&addq, 0);
1232 pfr_destroy_ktables(&addq, 0);
1237 pfr_del_tables(struct pfr_table *tbl, int size, int *ndel, int flags)
1239 struct pfr_ktableworkq workq;
1240 struct pfr_ktable *p, *q, key;
1243 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY);
1245 for (i = 0; i < size; i++) {
1246 if (COPYIN(tbl+i, &key.pfrkt_t, sizeof(key.pfrkt_t), flags))
1248 if (pfr_validate_table(&key.pfrkt_t, 0,
1249 flags & PFR_FLAG_USERIOCTL))
1251 p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key);
1252 if (p != NULL && (p->pfrkt_flags & PFR_TFLAG_ACTIVE)) {
1253 SLIST_FOREACH(q, &workq, pfrkt_workq)
1254 if (!pfr_ktable_compare(p, q))
1256 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_ACTIVE;
1257 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1264 if (!(flags & PFR_FLAG_DUMMY)) {
1265 if (flags & PFR_FLAG_ATOMIC)
1267 pfr_setflags_ktables(&workq);
1268 if (flags & PFR_FLAG_ATOMIC)
1277 pfr_get_tables(struct pfr_table *filter, struct pfr_table *tbl, int *size,
1280 struct pfr_ktable *p;
1283 ACCEPT_FLAGS(flags, PFR_FLAG_ALLRSETS);
1284 if (pfr_fix_anchor(filter->pfrt_anchor))
1286 n = nn = pfr_table_count(filter, flags);
1293 RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {
1294 if (pfr_skip_table(filter, p, flags))
1298 if (COPYOUT(&p->pfrkt_t, tbl++, sizeof(*tbl), flags))
1302 kprintf("pfr_get_tables: corruption detected (%d).\n", n);
1310 pfr_get_tstats(struct pfr_table *filter, struct pfr_tstats *tbl, int *size,
1313 struct pfr_ktable *p;
1314 struct pfr_ktableworkq workq;
1316 long tzero = time_second;
1318 /* XXX PFR_FLAG_CLSTATS disabled */
1319 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_ALLRSETS);
1320 if (pfr_fix_anchor(filter->pfrt_anchor))
1322 n = nn = pfr_table_count(filter, flags);
1330 if (flags & PFR_FLAG_ATOMIC)
1332 RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {
1333 if (pfr_skip_table(filter, p, flags))
1337 if (!(flags & PFR_FLAG_ATOMIC))
1339 if (COPYOUT(&p->pfrkt_ts, tbl++, sizeof(*tbl), flags)) {
1343 if (!(flags & PFR_FLAG_ATOMIC))
1345 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1347 if (flags & PFR_FLAG_CLSTATS)
1348 pfr_clstats_ktables(&workq, tzero,
1349 flags & PFR_FLAG_ADDRSTOO);
1350 if (flags & PFR_FLAG_ATOMIC)
1353 kprintf("pfr_get_tstats: corruption detected (%d).\n", n);
1361 pfr_clr_tstats(struct pfr_table *tbl, int size, int *nzero, int flags)
1363 struct pfr_ktableworkq workq;
1364 struct pfr_ktable *p, key;
1366 long tzero = time_second;
1368 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY |
1371 for (i = 0; i < size; i++) {
1372 if (COPYIN(tbl+i, &key.pfrkt_t, sizeof(key.pfrkt_t), flags))
1374 if (pfr_validate_table(&key.pfrkt_t, 0, 0))
1376 p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key);
1378 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1382 if (!(flags & PFR_FLAG_DUMMY)) {
1383 if (flags & PFR_FLAG_ATOMIC)
1385 pfr_clstats_ktables(&workq, tzero, flags & PFR_FLAG_ADDRSTOO);
1386 if (flags & PFR_FLAG_ATOMIC)
1395 pfr_set_tflags(struct pfr_table *tbl, int size, int setflag, int clrflag,
1396 int *nchange, int *ndel, int flags)
1398 struct pfr_ktableworkq workq;
1399 struct pfr_ktable *p, *q, key;
1400 int i, xchange = 0, xdel = 0;
1402 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY);
1403 if ((setflag & ~PFR_TFLAG_USRMASK) ||
1404 (clrflag & ~PFR_TFLAG_USRMASK) ||
1405 (setflag & clrflag))
1408 for (i = 0; i < size; i++) {
1409 if (COPYIN(tbl+i, &key.pfrkt_t, sizeof(key.pfrkt_t), flags))
1411 if (pfr_validate_table(&key.pfrkt_t, 0,
1412 flags & PFR_FLAG_USERIOCTL))
1414 p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key);
1415 if (p != NULL && (p->pfrkt_flags & PFR_TFLAG_ACTIVE)) {
1416 p->pfrkt_nflags = (p->pfrkt_flags | setflag) &
1418 if (p->pfrkt_nflags == p->pfrkt_flags)
1420 SLIST_FOREACH(q, &workq, pfrkt_workq)
1421 if (!pfr_ktable_compare(p, q))
1423 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1424 if ((p->pfrkt_flags & PFR_TFLAG_PERSIST) &&
1425 (clrflag & PFR_TFLAG_PERSIST) &&
1426 !(p->pfrkt_flags & PFR_TFLAG_REFERENCED))
1434 if (!(flags & PFR_FLAG_DUMMY)) {
1435 if (flags & PFR_FLAG_ATOMIC)
1437 pfr_setflags_ktables(&workq);
1438 if (flags & PFR_FLAG_ATOMIC)
1441 if (nchange != NULL)
1449 pfr_ina_begin(struct pfr_table *trs, u_int32_t *ticket, int *ndel, int flags)
1451 struct pfr_ktableworkq workq;
1452 struct pfr_ktable *p;
1453 struct pf_ruleset *rs;
1456 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1457 rs = pf_find_or_create_ruleset(trs->pfrt_anchor);
1461 RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {
1462 if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) ||
1463 pfr_skip_table(trs, p, 0))
1465 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_INACTIVE;
1466 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1469 if (!(flags & PFR_FLAG_DUMMY)) {
1470 pfr_setflags_ktables(&workq);
1472 *ticket = ++rs->tticket;
1475 pf_remove_if_empty_ruleset(rs);
1482 pfr_ina_define(struct pfr_table *tbl, struct pfr_addr *addr, int size,
1483 int *nadd, int *naddr, u_int32_t ticket, int flags)
1485 struct pfr_ktableworkq tableq;
1486 struct pfr_kentryworkq addrq;
1487 struct pfr_ktable *kt, *rt, *shadow, key;
1488 struct pfr_kentry *p;
1490 struct pf_ruleset *rs;
1491 int i, rv, xadd = 0, xaddr = 0;
1493 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_ADDRSTOO);
1494 if (size && !(flags & PFR_FLAG_ADDRSTOO))
1496 if (pfr_validate_table(tbl, PFR_TFLAG_USRMASK,
1497 flags & PFR_FLAG_USERIOCTL))
1499 rs = pf_find_ruleset(tbl->pfrt_anchor);
1500 if (rs == NULL || !rs->topen || ticket != rs->tticket)
1502 tbl->pfrt_flags |= PFR_TFLAG_INACTIVE;
1503 SLIST_INIT(&tableq);
1504 kt = RB_FIND(pfr_ktablehead, &pfr_ktables, (struct pfr_ktable *)tbl);
1506 kt = pfr_create_ktable(tbl, 0, 1);
1509 SLIST_INSERT_HEAD(&tableq, kt, pfrkt_workq);
1511 if (!tbl->pfrt_anchor[0])
1514 /* find or create root table */
1515 bzero(&key, sizeof(key));
1516 strlcpy(key.pfrkt_name, tbl->pfrt_name, sizeof(key.pfrkt_name));
1517 rt = RB_FIND(pfr_ktablehead, &pfr_ktables, &key);
1519 kt->pfrkt_root = rt;
1522 rt = pfr_create_ktable(&key.pfrkt_t, 0, 1);
1524 pfr_destroy_ktables(&tableq, 0);
1527 SLIST_INSERT_HEAD(&tableq, rt, pfrkt_workq);
1528 kt->pfrkt_root = rt;
1529 } else if (!(kt->pfrkt_flags & PFR_TFLAG_INACTIVE))
1532 shadow = pfr_create_ktable(tbl, 0, 0);
1533 if (shadow == NULL) {
1534 pfr_destroy_ktables(&tableq, 0);
1538 for (i = 0; i < size; i++) {
1539 if (COPYIN(addr+i, &ad, sizeof(ad), flags))
1541 if (pfr_validate_addr(&ad))
1543 if (pfr_lookup_addr(shadow, &ad, 1) != NULL)
1545 p = pfr_create_kentry(&ad, 0);
1548 if (pfr_route_kentry(shadow, p)) {
1549 pfr_destroy_kentry(p);
1552 SLIST_INSERT_HEAD(&addrq, p, pfrke_workq);
1555 if (!(flags & PFR_FLAG_DUMMY)) {
1556 if (kt->pfrkt_shadow != NULL)
1557 pfr_destroy_ktable(kt->pfrkt_shadow, 1);
1558 kt->pfrkt_flags |= PFR_TFLAG_INACTIVE;
1559 pfr_insert_ktables(&tableq);
1560 shadow->pfrkt_cnt = (flags & PFR_FLAG_ADDRSTOO) ?
1561 xaddr : NO_ADDRESSES;
1562 kt->pfrkt_shadow = shadow;
1564 pfr_clean_node_mask(shadow, &addrq);
1565 pfr_destroy_ktable(shadow, 0);
1566 pfr_destroy_ktables(&tableq, 0);
1567 pfr_destroy_kentries(&addrq);
1575 pfr_destroy_ktable(shadow, 0);
1576 pfr_destroy_ktables(&tableq, 0);
1577 pfr_destroy_kentries(&addrq);
1582 pfr_ina_rollback(struct pfr_table *trs, u_int32_t ticket, int *ndel, int flags)
1584 struct pfr_ktableworkq workq;
1585 struct pfr_ktable *p;
1586 struct pf_ruleset *rs;
1589 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1590 rs = pf_find_ruleset(trs->pfrt_anchor);
1591 if (rs == NULL || !rs->topen || ticket != rs->tticket)
1594 RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {
1595 if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) ||
1596 pfr_skip_table(trs, p, 0))
1598 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_INACTIVE;
1599 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1602 if (!(flags & PFR_FLAG_DUMMY)) {
1603 pfr_setflags_ktables(&workq);
1605 pf_remove_if_empty_ruleset(rs);
1613 pfr_ina_commit(struct pfr_table *trs, u_int32_t ticket, int *nadd,
1614 int *nchange, int flags)
1616 struct pfr_ktable *p, *q;
1617 struct pfr_ktableworkq workq;
1618 struct pf_ruleset *rs;
1619 int xadd = 0, xchange = 0;
1620 long tzero = time_second;
1622 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY);
1623 rs = pf_find_ruleset(trs->pfrt_anchor);
1624 if (rs == NULL || !rs->topen || ticket != rs->tticket)
1628 RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {
1629 if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) ||
1630 pfr_skip_table(trs, p, 0))
1632 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1633 if (p->pfrkt_flags & PFR_TFLAG_ACTIVE)
1639 if (!(flags & PFR_FLAG_DUMMY)) {
1640 if (flags & PFR_FLAG_ATOMIC)
1642 for (p = SLIST_FIRST(&workq); p != NULL; p = q) {
1643 q = SLIST_NEXT(p, pfrkt_workq);
1644 pfr_commit_ktable(p, tzero);
1646 if (flags & PFR_FLAG_ATOMIC)
1649 pf_remove_if_empty_ruleset(rs);
1653 if (nchange != NULL)
1660 pfr_commit_ktable(struct pfr_ktable *kt, long tzero)
1662 struct pfr_ktable *shadow = kt->pfrkt_shadow;
1665 if (shadow->pfrkt_cnt == NO_ADDRESSES) {
1666 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
1667 pfr_clstats_ktable(kt, tzero, 1);
1668 } else if (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) {
1669 /* kt might contain addresses */
1670 struct pfr_kentryworkq addrq, addq, changeq, delq, garbageq;
1671 struct pfr_kentry *p, *q, *next;
1674 pfr_enqueue_addrs(shadow, &addrq, NULL, 0);
1677 SLIST_INIT(&changeq);
1679 SLIST_INIT(&garbageq);
1680 pfr_clean_node_mask(shadow, &addrq);
1681 for (p = SLIST_FIRST(&addrq); p != NULL; p = next) {
1682 next = SLIST_NEXT(p, pfrke_workq); /* XXX */
1683 pfr_copyout_addr(&ad, p);
1684 q = pfr_lookup_addr(kt, &ad, 1);
1686 if (q->pfrke_not != p->pfrke_not)
1687 SLIST_INSERT_HEAD(&changeq, q,
1690 SLIST_INSERT_HEAD(&garbageq, p, pfrke_workq);
1692 p->pfrke_tzero = tzero;
1693 SLIST_INSERT_HEAD(&addq, p, pfrke_workq);
1696 pfr_enqueue_addrs(kt, &delq, NULL, ENQUEUE_UNMARKED_ONLY);
1697 pfr_insert_kentries(kt, &addq, tzero);
1698 pfr_remove_kentries(kt, &delq);
1699 pfr_clstats_kentries(&changeq, tzero, INVERT_NEG_FLAG);
1700 pfr_destroy_kentries(&garbageq);
1702 /* kt cannot contain addresses */
1703 SWAP(struct radix_node_head *, kt->pfrkt_ip4,
1705 SWAP(struct radix_node_head *, kt->pfrkt_ip6,
1707 SWAP(int, kt->pfrkt_cnt, shadow->pfrkt_cnt);
1708 pfr_clstats_ktable(kt, tzero, 1);
1710 nflags = ((shadow->pfrkt_flags & PFR_TFLAG_USRMASK) |
1711 (kt->pfrkt_flags & PFR_TFLAG_SETMASK) | PFR_TFLAG_ACTIVE)
1712 & ~PFR_TFLAG_INACTIVE;
1713 pfr_destroy_ktable(shadow, 0);
1714 kt->pfrkt_shadow = NULL;
1715 pfr_setflags_ktable(kt, nflags);
1719 pfr_validate_table(struct pfr_table *tbl, int allowedflags, int no_reserved)
1723 if (!tbl->pfrt_name[0])
1725 if (no_reserved && !strcmp(tbl->pfrt_anchor, PF_RESERVED_ANCHOR))
1727 if (tbl->pfrt_name[PF_TABLE_NAME_SIZE-1])
1729 for (i = strlen(tbl->pfrt_name); i < PF_TABLE_NAME_SIZE; i++)
1730 if (tbl->pfrt_name[i])
1732 if (pfr_fix_anchor(tbl->pfrt_anchor))
1734 if (tbl->pfrt_flags & ~allowedflags)
1740 * Rewrite anchors referenced by tables to remove slashes
1741 * and check for validity.
1744 pfr_fix_anchor(char *anchor)
1746 size_t siz = MAXPATHLEN;
1749 if (anchor[0] == '/') {
1755 while (*++path == '/')
1757 bcopy(path, anchor, siz - off);
1758 memset(anchor + siz - off, 0, off);
1760 if (anchor[siz - 1])
1762 for (i = strlen(anchor); i < siz; i++)
1769 pfr_table_count(struct pfr_table *filter, int flags)
1771 struct pf_ruleset *rs;
1773 if (flags & PFR_FLAG_ALLRSETS)
1774 return (pfr_ktable_cnt);
1775 if (filter->pfrt_anchor[0]) {
1776 rs = pf_find_ruleset(filter->pfrt_anchor);
1777 return ((rs != NULL) ? rs->tables : -1);
1779 return (pf_main_ruleset.tables);
1783 pfr_skip_table(struct pfr_table *filter, struct pfr_ktable *kt, int flags)
1785 if (flags & PFR_FLAG_ALLRSETS)
1787 if (strcmp(filter->pfrt_anchor, kt->pfrkt_anchor))
1793 pfr_insert_ktables(struct pfr_ktableworkq *workq)
1795 struct pfr_ktable *p;
1797 SLIST_FOREACH(p, workq, pfrkt_workq)
1798 pfr_insert_ktable(p);
1802 pfr_insert_ktable(struct pfr_ktable *kt)
1804 RB_INSERT(pfr_ktablehead, &pfr_ktables, kt);
1806 if (kt->pfrkt_root != NULL)
1807 if (!kt->pfrkt_root->pfrkt_refcnt[PFR_REFCNT_ANCHOR]++)
1808 pfr_setflags_ktable(kt->pfrkt_root,
1809 kt->pfrkt_root->pfrkt_flags|PFR_TFLAG_REFDANCHOR);
1813 pfr_setflags_ktables(struct pfr_ktableworkq *workq)
1815 struct pfr_ktable *p, *q;
1817 for (p = SLIST_FIRST(workq); p; p = q) {
1818 q = SLIST_NEXT(p, pfrkt_workq);
1819 pfr_setflags_ktable(p, p->pfrkt_nflags);
1824 pfr_setflags_ktable(struct pfr_ktable *kt, int newf)
1826 struct pfr_kentryworkq addrq;
1828 if (!(newf & PFR_TFLAG_REFERENCED) &&
1829 !(newf & PFR_TFLAG_PERSIST))
1830 newf &= ~PFR_TFLAG_ACTIVE;
1831 if (!(newf & PFR_TFLAG_ACTIVE))
1832 newf &= ~PFR_TFLAG_USRMASK;
1833 if (!(newf & PFR_TFLAG_SETMASK)) {
1834 RB_REMOVE(pfr_ktablehead, &pfr_ktables, kt);
1835 if (kt->pfrkt_root != NULL)
1836 if (!--kt->pfrkt_root->pfrkt_refcnt[PFR_REFCNT_ANCHOR])
1837 pfr_setflags_ktable(kt->pfrkt_root,
1838 kt->pfrkt_root->pfrkt_flags &
1839 ~PFR_TFLAG_REFDANCHOR);
1840 pfr_destroy_ktable(kt, 1);
1844 if (!(newf & PFR_TFLAG_ACTIVE) && kt->pfrkt_cnt) {
1845 pfr_enqueue_addrs(kt, &addrq, NULL, 0);
1846 pfr_remove_kentries(kt, &addrq);
1848 if (!(newf & PFR_TFLAG_INACTIVE) && kt->pfrkt_shadow != NULL) {
1849 pfr_destroy_ktable(kt->pfrkt_shadow, 1);
1850 kt->pfrkt_shadow = NULL;
1852 kt->pfrkt_flags = newf;
1856 pfr_clstats_ktables(struct pfr_ktableworkq *workq, long tzero, int recurse)
1858 struct pfr_ktable *p;
1860 SLIST_FOREACH(p, workq, pfrkt_workq)
1861 pfr_clstats_ktable(p, tzero, recurse);
1865 pfr_clstats_ktable(struct pfr_ktable *kt, long tzero, int recurse)
1867 struct pfr_kentryworkq addrq;
1870 pfr_enqueue_addrs(kt, &addrq, NULL, 0);
1871 pfr_clstats_kentries(&addrq, tzero, 0);
1874 bzero(kt->pfrkt_packets, sizeof(kt->pfrkt_packets));
1875 bzero(kt->pfrkt_bytes, sizeof(kt->pfrkt_bytes));
1876 kt->pfrkt_match = kt->pfrkt_nomatch = 0;
1878 kt->pfrkt_tzero = tzero;
1882 pfr_create_ktable(struct pfr_table *tbl, long tzero, int attachruleset)
1884 struct pfr_ktable *kt;
1885 struct pf_ruleset *rs;
1887 kt = pool_get(&pfr_ktable_pl, PR_NOWAIT);
1890 bzero(kt, sizeof(*kt));
1893 if (attachruleset) {
1894 rs = pf_find_or_create_ruleset(tbl->pfrt_anchor);
1896 pfr_destroy_ktable(kt, 0);
1903 if (!rn_inithead((void **)&kt->pfrkt_ip4,
1904 offsetof(struct sockaddr_in, sin_addr) * 8) ||
1905 !rn_inithead((void **)&kt->pfrkt_ip6,
1906 offsetof(struct sockaddr_in6, sin6_addr) * 8)) {
1907 pfr_destroy_ktable(kt, 0);
1910 kt->pfrkt_tzero = tzero;
1916 pfr_destroy_ktables(struct pfr_ktableworkq *workq, int flushaddr)
1918 struct pfr_ktable *p, *q;
1920 for (p = SLIST_FIRST(workq); p; p = q) {
1921 q = SLIST_NEXT(p, pfrkt_workq);
1922 pfr_destroy_ktable(p, flushaddr);
1927 pfr_destroy_ktable(struct pfr_ktable *kt, int flushaddr)
1929 struct pfr_kentryworkq addrq;
1932 pfr_enqueue_addrs(kt, &addrq, NULL, 0);
1933 pfr_clean_node_mask(kt, &addrq);
1934 pfr_destroy_kentries(&addrq);
1936 if (kt->pfrkt_ip4 != NULL)
1937 kfree((caddr_t)kt->pfrkt_ip4, M_RTABLE);
1938 if (kt->pfrkt_ip6 != NULL)
1939 kfree((caddr_t)kt->pfrkt_ip6, M_RTABLE);
1940 if (kt->pfrkt_shadow != NULL)
1941 pfr_destroy_ktable(kt->pfrkt_shadow, flushaddr);
1942 if (kt->pfrkt_rs != NULL) {
1943 kt->pfrkt_rs->tables--;
1944 pf_remove_if_empty_ruleset(kt->pfrkt_rs);
1946 pool_put(&pfr_ktable_pl, kt);
1950 pfr_ktable_compare(struct pfr_ktable *p, struct pfr_ktable *q)
1954 if ((d = strncmp(p->pfrkt_name, q->pfrkt_name, PF_TABLE_NAME_SIZE)))
1956 return (strcmp(p->pfrkt_anchor, q->pfrkt_anchor));
1960 pfr_lookup_table(struct pfr_table *tbl)
1962 /* struct pfr_ktable start like a struct pfr_table */
1963 return (RB_FIND(pfr_ktablehead, &pfr_ktables,
1964 (struct pfr_ktable *)tbl));
1968 pfr_match_addr(struct pfr_ktable *kt, struct pf_addr *a, sa_family_t af)
1970 struct pfr_kentry *ke = NULL;
1973 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
1974 kt = kt->pfrkt_root;
1975 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
1981 pfr_sin.sin_addr.s_addr = a->addr32[0];
1982 ke = (struct pfr_kentry *)rn_match((char *)&pfr_sin,
1984 if (ke && KENTRY_RNF_ROOT(ke))
1990 bcopy(a, &pfr_sin6.sin6_addr, sizeof(pfr_sin6.sin6_addr));
1991 ke = (struct pfr_kentry *)rn_match((char *)&pfr_sin6,
1993 if (ke && KENTRY_RNF_ROOT(ke))
1998 match = (ke && !ke->pfrke_not);
2002 kt->pfrkt_nomatch++;
2007 pfr_update_stats(struct pfr_ktable *kt, struct pf_addr *a, sa_family_t af,
2008 u_int64_t len, int dir_out, int op_pass, int notrule)
2010 struct pfr_kentry *ke = NULL;
2012 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
2013 kt = kt->pfrkt_root;
2014 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
2020 pfr_sin.sin_addr.s_addr = a->addr32[0];
2021 ke = (struct pfr_kentry *)rn_match((char *)&pfr_sin,
2023 if (ke && KENTRY_RNF_ROOT(ke))
2029 bcopy(a, &pfr_sin6.sin6_addr, sizeof(pfr_sin6.sin6_addr));
2030 ke = (struct pfr_kentry *)rn_match((char *)&pfr_sin6,
2032 if (ke && KENTRY_RNF_ROOT(ke))
2039 if ((ke == NULL || ke->pfrke_not) != notrule) {
2040 if (op_pass != PFR_OP_PASS)
2041 kprintf("pfr_update_stats: assertion failed.\n");
2042 op_pass = PFR_OP_XPASS;
2044 kt->pfrkt_packets[dir_out][op_pass]++;
2045 kt->pfrkt_bytes[dir_out][op_pass] += len;
2046 if (ke != NULL && op_pass != PFR_OP_XPASS) {
2047 ke->pfrke_packets[dir_out][op_pass]++;
2048 ke->pfrke_bytes[dir_out][op_pass] += len;
2053 pfr_attach_table(struct pf_ruleset *rs, char *name)
2055 struct pfr_ktable *kt, *rt;
2056 struct pfr_table tbl;
2057 struct pf_anchor *ac = rs->anchor;
2059 bzero(&tbl, sizeof(tbl));
2060 strlcpy(tbl.pfrt_name, name, sizeof(tbl.pfrt_name));
2062 strlcpy(tbl.pfrt_anchor, ac->path, sizeof(tbl.pfrt_anchor));
2063 kt = pfr_lookup_table(&tbl);
2065 kt = pfr_create_ktable(&tbl, time_second, 1);
2069 bzero(tbl.pfrt_anchor, sizeof(tbl.pfrt_anchor));
2070 rt = pfr_lookup_table(&tbl);
2072 rt = pfr_create_ktable(&tbl, 0, 1);
2074 pfr_destroy_ktable(kt, 0);
2077 pfr_insert_ktable(rt);
2079 kt->pfrkt_root = rt;
2081 pfr_insert_ktable(kt);
2083 if (!kt->pfrkt_refcnt[PFR_REFCNT_RULE]++)
2084 pfr_setflags_ktable(kt, kt->pfrkt_flags|PFR_TFLAG_REFERENCED);
2089 pfr_detach_table(struct pfr_ktable *kt)
2091 if (kt->pfrkt_refcnt[PFR_REFCNT_RULE] <= 0)
2092 kprintf("pfr_detach_table: refcount = %d.\n",
2093 kt->pfrkt_refcnt[PFR_REFCNT_RULE]);
2094 else if (!--kt->pfrkt_refcnt[PFR_REFCNT_RULE])
2095 pfr_setflags_ktable(kt, kt->pfrkt_flags&~PFR_TFLAG_REFERENCED);
2099 pfr_pool_get(struct pfr_ktable *kt, int *pidx, struct pf_addr *counter,
2100 struct pf_addr **raddr, struct pf_addr **rmask, sa_family_t af)
2102 struct pfr_kentry *ke, *ke2 = NULL;
2103 struct pf_addr *addr = NULL;
2104 union sockaddr_union mask;
2105 int idx = -1, use_counter = 0;
2108 addr = (struct pf_addr *)&pfr_sin.sin_addr;
2109 else if (af == AF_INET6)
2110 addr = (struct pf_addr *)&pfr_sin6.sin6_addr;
2111 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
2112 kt = kt->pfrkt_root;
2113 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
2118 if (counter != NULL && idx >= 0)
2124 ke = pfr_kentry_byidx(kt, idx, af);
2127 pfr_prepare_network(&pfr_mask, af, ke->pfrke_net);
2128 *raddr = SUNION2PF(&ke->pfrke_sa, af);
2129 *rmask = SUNION2PF(&pfr_mask, af);
2132 /* is supplied address within block? */
2133 if (!PF_MATCHA(0, *raddr, *rmask, counter, af)) {
2134 /* no, go to next block in table */
2139 PF_ACPY(addr, counter, af);
2141 /* use first address of block */
2142 PF_ACPY(addr, *raddr, af);
2145 if (!KENTRY_NETWORK(ke)) {
2146 /* this is a single IP address - no possible nested block */
2147 PF_ACPY(counter, addr, af);
2152 /* we don't want to use a nested block */
2154 ke2 = (struct pfr_kentry *)rn_match((char *)&pfr_sin,
2156 else if (af == AF_INET6)
2157 ke2 = (struct pfr_kentry *)rn_match((char *)&pfr_sin6,
2159 /* no need to check KENTRY_RNF_ROOT() here */
2161 /* lookup return the same block - perfect */
2162 PF_ACPY(counter, addr, af);
2167 /* we need to increase the counter past the nested block */
2168 pfr_prepare_network(&mask, AF_INET, ke2->pfrke_net);
2169 PF_POOLMASK(addr, addr, SUNION2PF(&mask, af), &pfr_ffaddr, af);
2171 if (!PF_MATCHA(0, *raddr, *rmask, addr, af)) {
2172 /* ok, we reached the end of our main block */
2173 /* go to next block in table */
2182 pfr_kentry_byidx(struct pfr_ktable *kt, int idx, int af)
2184 struct pfr_walktree w;
2186 bzero(&w, sizeof(w));
2187 w.pfrw_op = PFRW_POOL_GET;
2193 kt->pfrkt_ip4->rnh_walktree(kt->pfrkt_ip4, pfr_walktree, &w);
2194 return (w.pfrw_kentry);
2198 kt->pfrkt_ip6->rnh_walktree(kt->pfrkt_ip6, pfr_walktree, &w);
2199 return (w.pfrw_kentry);
2207 pfr_dynaddr_update(struct pfr_ktable *kt, struct pfi_dynaddr *dyn)
2209 struct pfr_walktree w;
2211 bzero(&w, sizeof(w));
2212 w.pfrw_op = PFRW_DYNADDR_UPDATE;
2216 dyn->pfid_acnt4 = 0;
2217 dyn->pfid_acnt6 = 0;
2218 if (!dyn->pfid_af || dyn->pfid_af == AF_INET)
2219 kt->pfrkt_ip4->rnh_walktree(kt->pfrkt_ip4, pfr_walktree, &w);
2220 if (!dyn->pfid_af || dyn->pfid_af == AF_INET6)
2221 kt->pfrkt_ip6->rnh_walktree(kt->pfrkt_ip6, pfr_walktree, &w);
lentferj's projects / dragonfly.git / blob