1 /* $OpenBSD: pf_table.c,v 1.78 2008/06/14 03:50:14 art Exp $ */
4 * Copyright (c) 2010 The DragonFly Project. All rights reserved.
6 * Copyright (c) 2002 Cedric Berger
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * - Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * - Redistributions in binary form must reproduce the above
16 * copyright notice, this list of conditions and the following
17 * disclaimer in the documentation and/or other materials provided
18 * with the distribution.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
28 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
30 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
36 #include "opt_inet6.h"
38 #include <sys/param.h>
39 #include <sys/systm.h>
40 #include <sys/socket.h>
42 #include <sys/kernel.h>
43 #include <sys/malloc.h>
44 #include <sys/thread2.h>
47 #include <net/route.h>
48 #include <netinet/in.h>
49 #include <net/pf/pfvar.h>
51 #define ACCEPT_FLAGS(flags, oklist) \
53 if ((flags & ~(oklist)) & \
58 #define COPYIN(from, to, size, flags) \
59 ((flags & PFR_FLAG_USERIOCTL) ? \
60 copyin((from), (to), (size)) : \
61 (bcopy((from), (to), (size)), 0))
63 #define COPYOUT(from, to, size, flags) \
64 ((flags & PFR_FLAG_USERIOCTL) ? \
65 copyout((from), (to), (size)) : \
66 (bcopy((from), (to), (size)), 0))
68 #define FILLIN_SIN(sin, addr) \
70 (sin).sin_len = sizeof(sin); \
71 (sin).sin_family = AF_INET; \
72 (sin).sin_addr = (addr); \
75 #define FILLIN_SIN6(sin6, addr) \
77 (sin6).sin6_len = sizeof(sin6); \
78 (sin6).sin6_family = AF_INET6; \
79 (sin6).sin6_addr = (addr); \
82 #define SWAP(type, a1, a2) \
89 #define SUNION2PF(su, af) (((af)==AF_INET) ? \
90 (struct pf_addr *)&(su)->sin.sin_addr : \
91 (struct pf_addr *)&(su)->sin6.sin6_addr)
93 #define AF_BITS(af) (((af)==AF_INET)?32:128)
94 #define ADDR_NETWORK(ad) ((ad)->pfra_net < AF_BITS((ad)->pfra_af))
95 #define KENTRY_NETWORK(ke) ((ke)->pfrke_net < AF_BITS((ke)->pfrke_af))
96 #define KENTRY_RNF_ROOT(ke) \
97 ((((struct radix_node *)(ke))->rn_flags & RNF_ROOT) != 0)
99 #define NO_ADDRESSES (-1)
100 #define ENQUEUE_UNMARKED_ONLY (1)
101 #define INVERT_NEG_FLAG (1)
103 static MALLOC_DEFINE(M_PFRKTABLEPL, "pfrktable", "pf radix table pool list");
104 static MALLOC_DEFINE(M_PFRKENTRYPL, "pfrkentry", "pf radix entry pool list");
105 static MALLOC_DEFINE(M_PFRKENTRYPL2, "pfrkentry2", "pf radix entry 2 pool list");
106 static MALLOC_DEFINE(M_PFRKCOUNTERSPL, "pfrkcounters", "pf radix counters");
108 struct pfr_walktree {
119 struct pfr_addr *pfrw1_addr;
120 struct pfr_astats *pfrw1_astats;
121 struct pfr_kentryworkq *pfrw1_workq;
122 struct pfr_kentry *pfrw1_kentry;
123 struct pfi_dynaddr *pfrw1_dyn;
128 #define pfrw_addr pfrw_1.pfrw1_addr
129 #define pfrw_astats pfrw_1.pfrw1_astats
130 #define pfrw_workq pfrw_1.pfrw1_workq
131 #define pfrw_kentry pfrw_1.pfrw1_kentry
132 #define pfrw_dyn pfrw_1.pfrw1_dyn
133 #define pfrw_cnt pfrw_free
135 #define senderr(e) do { rv = (e); goto _bad; } while (0)
136 struct malloc_type *pfr_ktable_pl;
137 struct malloc_type *pfr_kentry_pl;
138 struct malloc_type *pfr_kentry_pl2;
139 struct sockaddr_in pfr_sin;
140 struct sockaddr_in6 pfr_sin6;
141 union sockaddr_union pfr_mask;
142 struct pf_addr pfr_ffaddr;
144 void pfr_copyout_addr(struct pfr_addr *,
145 struct pfr_kentry *ke);
146 int pfr_validate_addr(struct pfr_addr *);
147 void pfr_enqueue_addrs(struct pfr_ktable *,
148 struct pfr_kentryworkq *, int *, int);
149 void pfr_mark_addrs(struct pfr_ktable *);
150 struct pfr_kentry *pfr_lookup_addr(struct pfr_ktable *,
151 struct pfr_addr *, int);
152 struct pfr_kentry *pfr_create_kentry(struct pfr_addr *, int);
153 void pfr_destroy_kentries(struct pfr_kentryworkq *);
154 void pfr_destroy_kentry(struct pfr_kentry *);
155 void pfr_insert_kentries(struct pfr_ktable *,
156 struct pfr_kentryworkq *, long);
157 void pfr_remove_kentries(struct pfr_ktable *,
158 struct pfr_kentryworkq *);
159 void pfr_clstats_kentries(struct pfr_kentryworkq *, long,
161 void pfr_reset_feedback(struct pfr_addr *, int, int);
162 void pfr_prepare_network(union sockaddr_union *, int, int);
163 int pfr_route_kentry(struct pfr_ktable *,
164 struct pfr_kentry *);
165 int pfr_unroute_kentry(struct pfr_ktable *,
166 struct pfr_kentry *);
167 int pfr_walktree(struct radix_node *, void *);
168 int pfr_validate_table(struct pfr_table *, int, int);
169 int pfr_fix_anchor(char *);
170 void pfr_commit_ktable(struct pfr_ktable *, long);
171 void pfr_insert_ktables(struct pfr_ktableworkq *);
172 void pfr_insert_ktable(struct pfr_ktable *);
173 void pfr_setflags_ktables(struct pfr_ktableworkq *);
174 void pfr_setflags_ktable(struct pfr_ktable *, int);
175 void pfr_clstats_ktables(struct pfr_ktableworkq *, long,
177 void pfr_clstats_ktable(struct pfr_ktable *, long, int);
178 struct pfr_ktable *pfr_create_ktable(struct pfr_table *, long, int);
179 void pfr_destroy_ktables(struct pfr_ktableworkq *, int);
180 void pfr_destroy_ktable(struct pfr_ktable *, int);
181 int pfr_ktable_compare(struct pfr_ktable *,
182 struct pfr_ktable *);
183 struct pfr_ktable *pfr_lookup_table(struct pfr_table *);
184 void pfr_clean_node_mask(struct pfr_ktable *,
185 struct pfr_kentryworkq *);
186 int pfr_table_count(struct pfr_table *, int);
187 int pfr_skip_table(struct pfr_table *,
188 struct pfr_ktable *, int);
189 struct pfr_kentry *pfr_kentry_byidx(struct pfr_ktable *, int, int);
191 RB_PROTOTYPE(pfr_ktablehead, pfr_ktable, pfrkt_tree, pfr_ktable_compare);
192 RB_GENERATE(pfr_ktablehead, pfr_ktable, pfrkt_tree, pfr_ktable_compare);
194 struct pfr_ktablehead pfr_ktables;
195 struct pfr_table pfr_nulltable;
201 pfr_sin.sin_len = sizeof(pfr_sin);
202 pfr_sin.sin_family = AF_INET;
203 pfr_sin6.sin6_len = sizeof(pfr_sin6);
204 pfr_sin6.sin6_family = AF_INET6;
206 memset(&pfr_ffaddr, 0xff, sizeof(pfr_ffaddr));
210 pfr_clr_addrs(struct pfr_table *tbl, int *ndel, int flags)
212 struct pfr_ktable *kt;
213 struct pfr_kentryworkq workq;
215 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY);
216 if (pfr_validate_table(tbl, 0, flags & PFR_FLAG_USERIOCTL))
218 kt = pfr_lookup_table(tbl);
219 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
221 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
223 pfr_enqueue_addrs(kt, &workq, ndel, 0);
225 if (!(flags & PFR_FLAG_DUMMY)) {
226 if (flags & PFR_FLAG_ATOMIC)
228 pfr_remove_kentries(kt, &workq);
229 if (flags & PFR_FLAG_ATOMIC)
232 kprintf("pfr_clr_addrs: corruption detected (%d).\n",
241 pfr_add_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
242 int *nadd, int flags)
244 struct pfr_ktable *kt, *tmpkt;
245 struct pfr_kentryworkq workq;
246 struct pfr_kentry *p, *q;
249 long tzero = time_second;
251 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY |
253 if (pfr_validate_table(tbl, 0, flags & PFR_FLAG_USERIOCTL))
255 kt = pfr_lookup_table(tbl);
256 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
258 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
260 tmpkt = pfr_create_ktable(&pfr_nulltable, 0, 0);
264 for (i = 0; i < size; i++) {
265 if (COPYIN(addr+i, &ad, sizeof(ad), flags))
267 if (pfr_validate_addr(&ad))
269 p = pfr_lookup_addr(kt, &ad, 1);
270 q = pfr_lookup_addr(tmpkt, &ad, 1);
271 if (flags & PFR_FLAG_FEEDBACK) {
273 ad.pfra_fback = PFR_FB_DUPLICATE;
275 ad.pfra_fback = PFR_FB_ADDED;
276 else if (p->pfrke_not != ad.pfra_not)
277 ad.pfra_fback = PFR_FB_CONFLICT;
279 ad.pfra_fback = PFR_FB_NONE;
281 if (p == NULL && q == NULL) {
282 p = pfr_create_kentry(&ad,
283 !(flags & PFR_FLAG_USERIOCTL));
286 if (pfr_route_kentry(tmpkt, p)) {
287 pfr_destroy_kentry(p);
288 ad.pfra_fback = PFR_FB_NONE;
290 SLIST_INSERT_HEAD(&workq, p, pfrke_workq);
294 if (flags & PFR_FLAG_FEEDBACK)
295 if (COPYOUT(&ad, addr+i, sizeof(ad), flags))
298 pfr_clean_node_mask(tmpkt, &workq);
299 if (!(flags & PFR_FLAG_DUMMY)) {
300 if (flags & PFR_FLAG_ATOMIC)
302 pfr_insert_kentries(kt, &workq, tzero);
303 if (flags & PFR_FLAG_ATOMIC)
306 pfr_destroy_kentries(&workq);
309 pfr_destroy_ktable(tmpkt, 0);
312 pfr_clean_node_mask(tmpkt, &workq);
313 pfr_destroy_kentries(&workq);
314 if (flags & PFR_FLAG_FEEDBACK)
315 pfr_reset_feedback(addr, size, flags);
316 pfr_destroy_ktable(tmpkt, 0);
321 pfr_del_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
322 int *ndel, int flags)
324 struct pfr_ktable *kt;
325 struct pfr_kentryworkq workq;
326 struct pfr_kentry *p;
328 int i, rv, xdel = 0, log = 1;
330 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY |
332 if (pfr_validate_table(tbl, 0, flags & PFR_FLAG_USERIOCTL))
334 kt = pfr_lookup_table(tbl);
335 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
337 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
340 * there are two algorithms to choose from here.
342 * n: number of addresses to delete
343 * N: number of addresses in the table
345 * one is O(N) and is better for large 'n'
346 * one is O(n*LOG(N)) and is better for small 'n'
348 * following code try to decide which one is best.
350 for (i = kt->pfrkt_cnt; i > 0; i >>= 1)
352 if (size > kt->pfrkt_cnt/log) {
353 /* full table scan */
356 /* iterate over addresses to delete */
357 for (i = 0; i < size; i++) {
358 if (COPYIN(addr+i, &ad, sizeof(ad), flags))
360 if (pfr_validate_addr(&ad))
362 p = pfr_lookup_addr(kt, &ad, 1);
368 for (i = 0; i < size; i++) {
369 if (COPYIN(addr+i, &ad, sizeof(ad), flags))
371 if (pfr_validate_addr(&ad))
373 p = pfr_lookup_addr(kt, &ad, 1);
374 if (flags & PFR_FLAG_FEEDBACK) {
376 ad.pfra_fback = PFR_FB_NONE;
377 else if (p->pfrke_not != ad.pfra_not)
378 ad.pfra_fback = PFR_FB_CONFLICT;
379 else if (p->pfrke_mark)
380 ad.pfra_fback = PFR_FB_DUPLICATE;
382 ad.pfra_fback = PFR_FB_DELETED;
384 if (p != NULL && p->pfrke_not == ad.pfra_not &&
387 SLIST_INSERT_HEAD(&workq, p, pfrke_workq);
390 if (flags & PFR_FLAG_FEEDBACK)
391 if (COPYOUT(&ad, addr+i, sizeof(ad), flags))
394 if (!(flags & PFR_FLAG_DUMMY)) {
395 if (flags & PFR_FLAG_ATOMIC)
397 pfr_remove_kentries(kt, &workq);
398 if (flags & PFR_FLAG_ATOMIC)
405 if (flags & PFR_FLAG_FEEDBACK)
406 pfr_reset_feedback(addr, size, flags);
411 pfr_set_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
412 int *size2, int *nadd, int *ndel, int *nchange, int flags,
413 u_int32_t ignore_pfrt_flags)
415 struct pfr_ktable *kt, *tmpkt;
416 struct pfr_kentryworkq addq, delq, changeq;
417 struct pfr_kentry *p, *q;
419 int i, rv, xadd = 0, xdel = 0, xchange = 0;
420 long tzero = time_second;
422 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY |
424 if (pfr_validate_table(tbl, ignore_pfrt_flags, flags &
427 kt = pfr_lookup_table(tbl);
428 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
430 if (kt->pfrkt_flags & PFR_TFLAG_CONST)
432 tmpkt = pfr_create_ktable(&pfr_nulltable, 0, 0);
438 SLIST_INIT(&changeq);
439 for (i = 0; i < size; i++) {
440 if (COPYIN(addr+i, &ad, sizeof(ad), flags))
442 if (pfr_validate_addr(&ad))
444 ad.pfra_fback = PFR_FB_NONE;
445 p = pfr_lookup_addr(kt, &ad, 1);
448 ad.pfra_fback = PFR_FB_DUPLICATE;
452 if (p->pfrke_not != ad.pfra_not) {
453 SLIST_INSERT_HEAD(&changeq, p, pfrke_workq);
454 ad.pfra_fback = PFR_FB_CHANGED;
458 q = pfr_lookup_addr(tmpkt, &ad, 1);
460 ad.pfra_fback = PFR_FB_DUPLICATE;
463 p = pfr_create_kentry(&ad,
464 !(flags & PFR_FLAG_USERIOCTL));
467 if (pfr_route_kentry(tmpkt, p)) {
468 pfr_destroy_kentry(p);
469 ad.pfra_fback = PFR_FB_NONE;
471 SLIST_INSERT_HEAD(&addq, p, pfrke_workq);
472 ad.pfra_fback = PFR_FB_ADDED;
477 if (flags & PFR_FLAG_FEEDBACK)
478 if (COPYOUT(&ad, addr+i, sizeof(ad), flags))
481 pfr_enqueue_addrs(kt, &delq, &xdel, ENQUEUE_UNMARKED_ONLY);
482 if ((flags & PFR_FLAG_FEEDBACK) && *size2) {
483 if (*size2 < size+xdel) {
488 SLIST_FOREACH(p, &delq, pfrke_workq) {
489 pfr_copyout_addr(&ad, p);
490 ad.pfra_fback = PFR_FB_DELETED;
491 if (COPYOUT(&ad, addr+size+i, sizeof(ad), flags))
496 pfr_clean_node_mask(tmpkt, &addq);
497 if (!(flags & PFR_FLAG_DUMMY)) {
498 if (flags & PFR_FLAG_ATOMIC)
500 pfr_insert_kentries(kt, &addq, tzero);
501 pfr_remove_kentries(kt, &delq);
502 pfr_clstats_kentries(&changeq, tzero, INVERT_NEG_FLAG);
503 if (flags & PFR_FLAG_ATOMIC)
506 pfr_destroy_kentries(&addq);
513 if ((flags & PFR_FLAG_FEEDBACK) && size2)
515 pfr_destroy_ktable(tmpkt, 0);
518 pfr_clean_node_mask(tmpkt, &addq);
519 pfr_destroy_kentries(&addq);
520 if (flags & PFR_FLAG_FEEDBACK)
521 pfr_reset_feedback(addr, size, flags);
522 pfr_destroy_ktable(tmpkt, 0);
527 pfr_tst_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
528 int *nmatch, int flags)
530 struct pfr_ktable *kt;
531 struct pfr_kentry *p;
535 ACCEPT_FLAGS(flags, PFR_FLAG_REPLACE);
536 if (pfr_validate_table(tbl, 0, 0))
538 kt = pfr_lookup_table(tbl);
539 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
542 for (i = 0; i < size; i++) {
543 if (COPYIN(addr+i, &ad, sizeof(ad), flags))
545 if (pfr_validate_addr(&ad))
547 if (ADDR_NETWORK(&ad))
549 p = pfr_lookup_addr(kt, &ad, 0);
550 if (flags & PFR_FLAG_REPLACE)
551 pfr_copyout_addr(&ad, p);
552 ad.pfra_fback = (p == NULL) ? PFR_FB_NONE :
553 (p->pfrke_not ? PFR_FB_NOTMATCH : PFR_FB_MATCH);
554 if (p != NULL && !p->pfrke_not)
556 if (COPYOUT(&ad, addr+i, sizeof(ad), flags))
565 pfr_get_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int *size,
568 struct pfr_ktable *kt;
569 struct pfr_walktree w;
572 ACCEPT_FLAGS(flags, 0);
573 if (pfr_validate_table(tbl, 0, 0))
575 kt = pfr_lookup_table(tbl);
576 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
578 if (kt->pfrkt_cnt > *size) {
579 *size = kt->pfrkt_cnt;
583 bzero(&w, sizeof(w));
584 w.pfrw_op = PFRW_GET_ADDRS;
586 w.pfrw_free = kt->pfrkt_cnt;
587 w.pfrw_flags = flags;
588 rv = kt->pfrkt_ip4->rnh_walktree(kt->pfrkt_ip4, pfr_walktree, &w);
590 rv = kt->pfrkt_ip6->rnh_walktree(kt->pfrkt_ip6, pfr_walktree, &w);
595 kprintf("pfr_get_addrs: corruption detected (%d).\n",
599 *size = kt->pfrkt_cnt;
604 pfr_get_astats(struct pfr_table *tbl, struct pfr_astats *addr, int *size,
607 struct pfr_ktable *kt;
608 struct pfr_walktree w;
609 struct pfr_kentryworkq workq;
611 long tzero = time_second;
613 /* XXX PFR_FLAG_CLSTATS disabled */
614 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC);
615 if (pfr_validate_table(tbl, 0, 0))
617 kt = pfr_lookup_table(tbl);
618 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
620 if (kt->pfrkt_cnt > *size) {
621 *size = kt->pfrkt_cnt;
625 bzero(&w, sizeof(w));
626 w.pfrw_op = PFRW_GET_ASTATS;
627 w.pfrw_astats = addr;
628 w.pfrw_free = kt->pfrkt_cnt;
629 w.pfrw_flags = flags;
630 if (flags & PFR_FLAG_ATOMIC)
632 rv = kt->pfrkt_ip4->rnh_walktree(kt->pfrkt_ip4, pfr_walktree, &w);
634 rv = kt->pfrkt_ip6->rnh_walktree(kt->pfrkt_ip6, pfr_walktree, &w);
635 if (!rv && (flags & PFR_FLAG_CLSTATS)) {
636 pfr_enqueue_addrs(kt, &workq, NULL, 0);
637 pfr_clstats_kentries(&workq, tzero, 0);
639 if (flags & PFR_FLAG_ATOMIC)
645 kprintf("pfr_get_astats: corruption detected (%d).\n",
649 *size = kt->pfrkt_cnt;
654 pfr_clr_astats(struct pfr_table *tbl, struct pfr_addr *addr, int size,
655 int *nzero, int flags)
657 struct pfr_ktable *kt;
658 struct pfr_kentryworkq workq;
659 struct pfr_kentry *p;
661 int i, rv, xzero = 0;
663 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY |
665 if (pfr_validate_table(tbl, 0, 0))
667 kt = pfr_lookup_table(tbl);
668 if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
671 for (i = 0; i < size; i++) {
672 if (COPYIN(addr+i, &ad, sizeof(ad), flags))
674 if (pfr_validate_addr(&ad))
676 p = pfr_lookup_addr(kt, &ad, 1);
677 if (flags & PFR_FLAG_FEEDBACK) {
678 ad.pfra_fback = (p != NULL) ?
679 PFR_FB_CLEARED : PFR_FB_NONE;
680 if (COPYOUT(&ad, addr+i, sizeof(ad), flags))
684 SLIST_INSERT_HEAD(&workq, p, pfrke_workq);
689 if (!(flags & PFR_FLAG_DUMMY)) {
690 if (flags & PFR_FLAG_ATOMIC)
692 pfr_clstats_kentries(&workq, 0, 0);
693 if (flags & PFR_FLAG_ATOMIC)
700 if (flags & PFR_FLAG_FEEDBACK)
701 pfr_reset_feedback(addr, size, flags);
706 pfr_validate_addr(struct pfr_addr *ad)
710 switch (ad->pfra_af) {
713 if (ad->pfra_net > 32)
719 if (ad->pfra_net > 128)
726 if (ad->pfra_net < 128 &&
727 (((caddr_t)ad)[ad->pfra_net/8] & (0xFF >> (ad->pfra_net%8))))
729 for (i = (ad->pfra_net+7)/8; i < sizeof(ad->pfra_u); i++)
730 if (((caddr_t)ad)[i])
732 if (ad->pfra_not && ad->pfra_not != 1)
740 pfr_enqueue_addrs(struct pfr_ktable *kt, struct pfr_kentryworkq *workq,
741 int *naddr, int sweep)
743 struct pfr_walktree w;
746 bzero(&w, sizeof(w));
747 w.pfrw_op = sweep ? PFRW_SWEEP : PFRW_ENQUEUE;
748 w.pfrw_workq = workq;
749 if (kt->pfrkt_ip4 != NULL)
750 if (kt->pfrkt_ip4->rnh_walktree(kt->pfrkt_ip4, pfr_walktree, &w))
751 kprintf("pfr_enqueue_addrs: IPv4 walktree failed.\n");
752 if (kt->pfrkt_ip6 != NULL)
753 if (kt->pfrkt_ip6->rnh_walktree(kt->pfrkt_ip6, pfr_walktree, &w))
754 kprintf("pfr_enqueue_addrs: IPv6 walktree failed.\n");
760 pfr_mark_addrs(struct pfr_ktable *kt)
762 struct pfr_walktree w;
764 bzero(&w, sizeof(w));
765 w.pfrw_op = PFRW_MARK;
766 if (kt->pfrkt_ip4->rnh_walktree(kt->pfrkt_ip4, pfr_walktree, &w))
767 kprintf("pfr_mark_addrs: IPv4 walktree failed.\n");
768 if (kt->pfrkt_ip6->rnh_walktree(kt->pfrkt_ip6, pfr_walktree, &w))
769 kprintf("pfr_mark_addrs: IPv6 walktree failed.\n");
774 pfr_lookup_addr(struct pfr_ktable *kt, struct pfr_addr *ad, int exact)
776 union sockaddr_union sa, mask;
777 struct radix_node_head *head = NULL;
778 struct pfr_kentry *ke;
780 bzero(&sa, sizeof(sa));
781 if (ad->pfra_af == AF_INET) {
782 FILLIN_SIN(sa.sin, ad->pfra_ip4addr);
783 head = kt->pfrkt_ip4;
784 } else if ( ad->pfra_af == AF_INET6 ) {
785 FILLIN_SIN6(sa.sin6, ad->pfra_ip6addr);
786 head = kt->pfrkt_ip6;
788 if (ADDR_NETWORK(ad)) {
789 pfr_prepare_network(&mask, ad->pfra_af, ad->pfra_net);
790 crit_enter(); /* rn_lookup makes use of globals */
791 ke = (struct pfr_kentry *)rn_lookup((char *)&sa, (char *)&mask,
794 if (ke && KENTRY_RNF_ROOT(ke))
797 ke = (struct pfr_kentry *)rn_match((char *)&sa, head);
798 if (ke && KENTRY_RNF_ROOT(ke))
800 if (exact && ke && KENTRY_NETWORK(ke))
807 pfr_create_kentry(struct pfr_addr *ad, int intr)
809 struct pfr_kentry *ke;
812 ke = kmalloc(sizeof(struct pfr_kentry), M_PFRKENTRYPL2, M_NOWAIT|M_ZERO);
814 ke = kmalloc(sizeof(struct pfr_kentry), M_PFRKENTRYPL, M_NOWAIT|M_ZERO|M_NULLOK);
818 if (ad->pfra_af == AF_INET)
819 FILLIN_SIN(ke->pfrke_sa.sin, ad->pfra_ip4addr);
820 else if (ad->pfra_af == AF_INET6)
821 FILLIN_SIN6(ke->pfrke_sa.sin6, ad->pfra_ip6addr);
822 ke->pfrke_af = ad->pfra_af;
823 ke->pfrke_net = ad->pfra_net;
824 ke->pfrke_not = ad->pfra_not;
825 ke->pfrke_intrpool = intr;
830 pfr_destroy_kentries(struct pfr_kentryworkq *workq)
832 struct pfr_kentry *p, *q;
834 for (p = SLIST_FIRST(workq); p != NULL; p = q) {
835 q = SLIST_NEXT(p, pfrke_workq);
836 pfr_destroy_kentry(p);
841 pfr_destroy_kentry(struct pfr_kentry *ke)
843 if (ke->pfrke_counters)
844 kfree(ke->pfrke_counters, M_PFRKCOUNTERSPL);
845 if (ke->pfrke_intrpool)
846 kfree(ke, M_PFRKENTRYPL2);
848 kfree(ke, M_PFRKENTRYPL);
852 pfr_insert_kentries(struct pfr_ktable *kt,
853 struct pfr_kentryworkq *workq, long tzero)
855 struct pfr_kentry *p;
858 SLIST_FOREACH(p, workq, pfrke_workq) {
859 rv = pfr_route_kentry(kt, p);
861 kprintf("pfr_insert_kentries: cannot route entry "
865 p->pfrke_tzero = tzero;
872 pfr_insert_kentry(struct pfr_ktable *kt, struct pfr_addr *ad, long tzero)
874 struct pfr_kentry *p;
877 p = pfr_lookup_addr(kt, ad, 1);
880 p = pfr_create_kentry(ad, 1);
884 rv = pfr_route_kentry(kt, p);
888 p->pfrke_tzero = tzero;
895 pfr_remove_kentries(struct pfr_ktable *kt,
896 struct pfr_kentryworkq *workq)
898 struct pfr_kentry *p;
901 SLIST_FOREACH(p, workq, pfrke_workq) {
902 pfr_unroute_kentry(kt, p);
906 pfr_destroy_kentries(workq);
910 pfr_clean_node_mask(struct pfr_ktable *kt,
911 struct pfr_kentryworkq *workq)
913 struct pfr_kentry *p;
915 SLIST_FOREACH(p, workq, pfrke_workq)
916 pfr_unroute_kentry(kt, p);
920 pfr_clstats_kentries(struct pfr_kentryworkq *workq, long tzero, int negchange)
922 struct pfr_kentry *p;
924 SLIST_FOREACH(p, workq, pfrke_workq) {
927 p->pfrke_not = !p->pfrke_not;
928 if (p->pfrke_counters) {
929 kfree(p->pfrke_counters, M_PFRKCOUNTERSPL);
930 p->pfrke_counters = NULL;
933 p->pfrke_tzero = tzero;
938 pfr_reset_feedback(struct pfr_addr *addr, int size, int flags)
943 for (i = 0; i < size; i++) {
944 if (COPYIN(addr+i, &ad, sizeof(ad), flags))
946 ad.pfra_fback = PFR_FB_NONE;
947 if (COPYOUT(&ad, addr+i, sizeof(ad), flags))
953 pfr_prepare_network(union sockaddr_union *sa, int af, int net)
957 bzero(sa, sizeof(*sa));
959 sa->sin.sin_len = sizeof(sa->sin);
960 sa->sin.sin_family = AF_INET;
961 sa->sin.sin_addr.s_addr = net ? htonl(-1 << (32-net)) : 0;
962 } else if (af == AF_INET6) {
963 sa->sin6.sin6_len = sizeof(sa->sin6);
964 sa->sin6.sin6_family = AF_INET6;
965 for (i = 0; i < 4; i++) {
967 sa->sin6.sin6_addr.s6_addr32[i] =
968 net ? htonl(-1 << (32-net)) : 0;
971 sa->sin6.sin6_addr.s6_addr32[i] = 0xFFFFFFFF;
978 pfr_route_kentry(struct pfr_ktable *kt, struct pfr_kentry *ke)
980 union sockaddr_union mask;
981 struct radix_node *rn;
982 struct radix_node_head *head = NULL;
984 bzero(ke->pfrke_node, sizeof(ke->pfrke_node));
985 if (ke->pfrke_af == AF_INET)
986 head = kt->pfrkt_ip4;
987 else if (ke->pfrke_af == AF_INET6)
988 head = kt->pfrkt_ip6;
991 if (KENTRY_NETWORK(ke)) {
992 pfr_prepare_network(&mask, ke->pfrke_af, ke->pfrke_net);
993 rn = rn_addroute((char *)&ke->pfrke_sa, (char *)&mask, head,
996 rn = rn_addroute((char *)&ke->pfrke_sa, NULL, head,
1000 return (rn == NULL ? -1 : 0);
1004 pfr_unroute_kentry(struct pfr_ktable *kt, struct pfr_kentry *ke)
1006 union sockaddr_union mask;
1007 struct radix_node *rn;
1008 struct radix_node_head *head = NULL;
1010 if (ke->pfrke_af == AF_INET)
1011 head = kt->pfrkt_ip4;
1012 else if (ke->pfrke_af == AF_INET6)
1013 head = kt->pfrkt_ip6;
1016 if (KENTRY_NETWORK(ke)) {
1017 pfr_prepare_network(&mask, ke->pfrke_af, ke->pfrke_net);
1018 rn = rn_delete((char *)&ke->pfrke_sa, (char *)&mask, head);
1020 rn = rn_delete((char *)&ke->pfrke_sa, NULL, head);
1024 kprintf("pfr_unroute_kentry: delete failed.\n");
1031 pfr_copyout_addr(struct pfr_addr *ad, struct pfr_kentry *ke)
1033 bzero(ad, sizeof(*ad));
1036 ad->pfra_af = ke->pfrke_af;
1037 ad->pfra_net = ke->pfrke_net;
1038 ad->pfra_not = ke->pfrke_not;
1039 if (ad->pfra_af == AF_INET)
1040 ad->pfra_ip4addr = ke->pfrke_sa.sin.sin_addr;
1041 else if (ad->pfra_af == AF_INET6)
1042 ad->pfra_ip6addr = ke->pfrke_sa.sin6.sin6_addr;
1046 pfr_walktree(struct radix_node *rn, void *arg)
1048 struct pfr_kentry *ke = (struct pfr_kentry *)rn;
1049 struct pfr_walktree *w = arg;
1050 int flags = w->pfrw_flags;
1052 switch (w->pfrw_op) {
1061 SLIST_INSERT_HEAD(w->pfrw_workq, ke, pfrke_workq);
1064 case PFRW_GET_ADDRS:
1065 if (w->pfrw_free-- > 0) {
1068 pfr_copyout_addr(&ad, ke);
1069 if (copyout(&ad, w->pfrw_addr, sizeof(ad)))
1074 case PFRW_GET_ASTATS:
1075 if (w->pfrw_free-- > 0) {
1076 struct pfr_astats as;
1078 pfr_copyout_addr(&as.pfras_a, ke);
1081 if (ke->pfrke_counters) {
1082 bcopy(ke->pfrke_counters->pfrkc_packets,
1083 as.pfras_packets, sizeof(as.pfras_packets));
1084 bcopy(ke->pfrke_counters->pfrkc_bytes,
1085 as.pfras_bytes, sizeof(as.pfras_bytes));
1087 bzero(as.pfras_packets, sizeof(as.pfras_packets));
1088 bzero(as.pfras_bytes, sizeof(as.pfras_bytes));
1089 as.pfras_a.pfra_fback = PFR_FB_NOCOUNT;
1092 as.pfras_tzero = ke->pfrke_tzero;
1094 if (COPYOUT(&as, w->pfrw_astats, sizeof(as), flags))
1101 break; /* negative entries are ignored */
1102 if (!w->pfrw_cnt--) {
1103 w->pfrw_kentry = ke;
1104 return (1); /* finish search */
1107 case PFRW_DYNADDR_UPDATE:
1108 if (ke->pfrke_af == AF_INET) {
1109 if (w->pfrw_dyn->pfid_acnt4++ > 0)
1111 pfr_prepare_network(&pfr_mask, AF_INET, ke->pfrke_net);
1112 w->pfrw_dyn->pfid_addr4 = *SUNION2PF(
1113 &ke->pfrke_sa, AF_INET);
1114 w->pfrw_dyn->pfid_mask4 = *SUNION2PF(
1115 &pfr_mask, AF_INET);
1116 } else if (ke->pfrke_af == AF_INET6){
1117 if (w->pfrw_dyn->pfid_acnt6++ > 0)
1119 pfr_prepare_network(&pfr_mask, AF_INET6, ke->pfrke_net);
1120 w->pfrw_dyn->pfid_addr6 = *SUNION2PF(
1121 &ke->pfrke_sa, AF_INET6);
1122 w->pfrw_dyn->pfid_mask6 = *SUNION2PF(
1123 &pfr_mask, AF_INET6);
1131 pfr_clr_tables(struct pfr_table *filter, int *ndel, int flags)
1133 struct pfr_ktableworkq workq;
1134 struct pfr_ktable *p;
1137 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY |
1139 if (pfr_fix_anchor(filter->pfrt_anchor))
1141 if (pfr_table_count(filter, flags) < 0)
1145 RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {
1146 if (pfr_skip_table(filter, p, flags))
1148 if (!strcmp(p->pfrkt_anchor, PF_RESERVED_ANCHOR))
1150 if (!(p->pfrkt_flags & PFR_TFLAG_ACTIVE))
1152 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_ACTIVE;
1153 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1156 if (!(flags & PFR_FLAG_DUMMY)) {
1157 if (flags & PFR_FLAG_ATOMIC)
1159 pfr_setflags_ktables(&workq);
1160 if (flags & PFR_FLAG_ATOMIC)
1169 pfr_add_tables(struct pfr_table *tbl, int size, int *nadd, int flags)
1171 struct pfr_ktableworkq addq, changeq;
1172 struct pfr_ktable *p, *q, *r, key;
1173 int i, rv, xadd = 0;
1174 long tzero = time_second;
1176 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY);
1178 SLIST_INIT(&changeq);
1179 for (i = 0; i < size; i++) {
1180 if (COPYIN(tbl+i, &key.pfrkt_t, sizeof(key.pfrkt_t), flags))
1182 if (pfr_validate_table(&key.pfrkt_t, PFR_TFLAG_USRMASK,
1183 flags & PFR_FLAG_USERIOCTL))
1185 key.pfrkt_flags |= PFR_TFLAG_ACTIVE;
1186 p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key);
1188 p = pfr_create_ktable(&key.pfrkt_t, tzero, 1);
1191 SLIST_FOREACH(q, &addq, pfrkt_workq) {
1192 if (!pfr_ktable_compare(p, q))
1195 SLIST_INSERT_HEAD(&addq, p, pfrkt_workq);
1197 if (!key.pfrkt_anchor[0])
1200 /* find or create root table */
1201 bzero(key.pfrkt_anchor, sizeof(key.pfrkt_anchor));
1202 r = RB_FIND(pfr_ktablehead, &pfr_ktables, &key);
1207 SLIST_FOREACH(q, &addq, pfrkt_workq) {
1208 if (!pfr_ktable_compare(&key, q)) {
1213 key.pfrkt_flags = 0;
1214 r = pfr_create_ktable(&key.pfrkt_t, 0, 1);
1217 SLIST_INSERT_HEAD(&addq, r, pfrkt_workq);
1219 } else if (!(p->pfrkt_flags & PFR_TFLAG_ACTIVE)) {
1220 SLIST_FOREACH(q, &changeq, pfrkt_workq)
1221 if (!pfr_ktable_compare(&key, q))
1223 p->pfrkt_nflags = (p->pfrkt_flags &
1224 ~PFR_TFLAG_USRMASK) | key.pfrkt_flags;
1225 SLIST_INSERT_HEAD(&changeq, p, pfrkt_workq);
1231 if (!(flags & PFR_FLAG_DUMMY)) {
1232 if (flags & PFR_FLAG_ATOMIC)
1234 pfr_insert_ktables(&addq);
1235 pfr_setflags_ktables(&changeq);
1236 if (flags & PFR_FLAG_ATOMIC)
1239 pfr_destroy_ktables(&addq, 0);
1244 pfr_destroy_ktables(&addq, 0);
1249 pfr_del_tables(struct pfr_table *tbl, int size, int *ndel, int flags)
1251 struct pfr_ktableworkq workq;
1252 struct pfr_ktable *p, *q, key;
1255 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY);
1257 for (i = 0; i < size; i++) {
1258 if (COPYIN(tbl+i, &key.pfrkt_t, sizeof(key.pfrkt_t), flags))
1260 if (pfr_validate_table(&key.pfrkt_t, 0,
1261 flags & PFR_FLAG_USERIOCTL))
1263 p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key);
1264 if (p != NULL && (p->pfrkt_flags & PFR_TFLAG_ACTIVE)) {
1265 SLIST_FOREACH(q, &workq, pfrkt_workq)
1266 if (!pfr_ktable_compare(p, q))
1268 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_ACTIVE;
1269 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1276 if (!(flags & PFR_FLAG_DUMMY)) {
1277 if (flags & PFR_FLAG_ATOMIC)
1279 pfr_setflags_ktables(&workq);
1280 if (flags & PFR_FLAG_ATOMIC)
1289 pfr_get_tables(struct pfr_table *filter, struct pfr_table *tbl, int *size,
1292 struct pfr_ktable *p;
1295 ACCEPT_FLAGS(flags, PFR_FLAG_ALLRSETS);
1296 if (pfr_fix_anchor(filter->pfrt_anchor))
1298 n = nn = pfr_table_count(filter, flags);
1305 RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {
1306 if (pfr_skip_table(filter, p, flags))
1310 if (COPYOUT(&p->pfrkt_t, tbl++, sizeof(*tbl), flags))
1314 kprintf("pfr_get_tables: corruption detected (%d).\n", n);
1322 pfr_get_tstats(struct pfr_table *filter, struct pfr_tstats *tbl, int *size,
1325 struct pfr_ktable *p;
1326 struct pfr_ktableworkq workq;
1328 long tzero = time_second;
1330 /* XXX PFR_FLAG_CLSTATS disabled */
1331 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_ALLRSETS);
1332 if (pfr_fix_anchor(filter->pfrt_anchor))
1334 n = nn = pfr_table_count(filter, flags);
1342 if (flags & PFR_FLAG_ATOMIC)
1344 RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {
1345 if (pfr_skip_table(filter, p, flags))
1349 if (!(flags & PFR_FLAG_ATOMIC))
1351 if (COPYOUT(&p->pfrkt_ts, tbl++, sizeof(*tbl), flags)) {
1355 if (!(flags & PFR_FLAG_ATOMIC))
1357 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1359 if (flags & PFR_FLAG_CLSTATS)
1360 pfr_clstats_ktables(&workq, tzero,
1361 flags & PFR_FLAG_ADDRSTOO);
1362 if (flags & PFR_FLAG_ATOMIC)
1365 kprintf("pfr_get_tstats: corruption detected (%d).\n", n);
1373 pfr_clr_tstats(struct pfr_table *tbl, int size, int *nzero, int flags)
1375 struct pfr_ktableworkq workq;
1376 struct pfr_ktable *p, key;
1378 long tzero = time_second;
1380 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY |
1383 for (i = 0; i < size; i++) {
1384 if (COPYIN(tbl+i, &key.pfrkt_t, sizeof(key.pfrkt_t), flags))
1386 if (pfr_validate_table(&key.pfrkt_t, 0, 0))
1388 p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key);
1390 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1394 if (!(flags & PFR_FLAG_DUMMY)) {
1395 if (flags & PFR_FLAG_ATOMIC)
1397 pfr_clstats_ktables(&workq, tzero, flags & PFR_FLAG_ADDRSTOO);
1398 if (flags & PFR_FLAG_ATOMIC)
1407 pfr_set_tflags(struct pfr_table *tbl, int size, int setflag, int clrflag,
1408 int *nchange, int *ndel, int flags)
1410 struct pfr_ktableworkq workq;
1411 struct pfr_ktable *p, *q, key;
1412 int i, xchange = 0, xdel = 0;
1414 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY);
1415 if ((setflag & ~PFR_TFLAG_USRMASK) ||
1416 (clrflag & ~PFR_TFLAG_USRMASK) ||
1417 (setflag & clrflag))
1420 for (i = 0; i < size; i++) {
1421 if (COPYIN(tbl+i, &key.pfrkt_t, sizeof(key.pfrkt_t), flags))
1423 if (pfr_validate_table(&key.pfrkt_t, 0,
1424 flags & PFR_FLAG_USERIOCTL))
1426 p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key);
1427 if (p != NULL && (p->pfrkt_flags & PFR_TFLAG_ACTIVE)) {
1428 p->pfrkt_nflags = (p->pfrkt_flags | setflag) &
1430 if (p->pfrkt_nflags == p->pfrkt_flags)
1432 SLIST_FOREACH(q, &workq, pfrkt_workq)
1433 if (!pfr_ktable_compare(p, q))
1435 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1436 if ((p->pfrkt_flags & PFR_TFLAG_PERSIST) &&
1437 (clrflag & PFR_TFLAG_PERSIST) &&
1438 !(p->pfrkt_flags & PFR_TFLAG_REFERENCED))
1446 if (!(flags & PFR_FLAG_DUMMY)) {
1447 if (flags & PFR_FLAG_ATOMIC)
1449 pfr_setflags_ktables(&workq);
1450 if (flags & PFR_FLAG_ATOMIC)
1453 if (nchange != NULL)
1461 pfr_ina_begin(struct pfr_table *trs, u_int32_t *ticket, int *ndel, int flags)
1463 struct pfr_ktableworkq workq;
1464 struct pfr_ktable *p;
1465 struct pf_ruleset *rs;
1468 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1469 rs = pf_find_or_create_ruleset(trs->pfrt_anchor);
1473 RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {
1474 if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) ||
1475 pfr_skip_table(trs, p, 0))
1477 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_INACTIVE;
1478 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1481 if (!(flags & PFR_FLAG_DUMMY)) {
1482 pfr_setflags_ktables(&workq);
1484 *ticket = ++rs->tticket;
1487 pf_remove_if_empty_ruleset(rs);
1494 pfr_ina_define(struct pfr_table *tbl, struct pfr_addr *addr, int size,
1495 int *nadd, int *naddr, u_int32_t ticket, int flags)
1497 struct pfr_ktableworkq tableq;
1498 struct pfr_kentryworkq addrq;
1499 struct pfr_ktable *kt, *rt, *shadow, key;
1500 struct pfr_kentry *p;
1502 struct pf_ruleset *rs;
1503 int i, rv, xadd = 0, xaddr = 0;
1505 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_ADDRSTOO);
1506 if (size && !(flags & PFR_FLAG_ADDRSTOO))
1508 if (pfr_validate_table(tbl, PFR_TFLAG_USRMASK,
1509 flags & PFR_FLAG_USERIOCTL))
1511 rs = pf_find_ruleset(tbl->pfrt_anchor);
1512 if (rs == NULL || !rs->topen || ticket != rs->tticket)
1514 tbl->pfrt_flags |= PFR_TFLAG_INACTIVE;
1515 SLIST_INIT(&tableq);
1516 kt = RB_FIND(pfr_ktablehead, &pfr_ktables, (struct pfr_ktable *)tbl);
1518 kt = pfr_create_ktable(tbl, 0, 1);
1521 SLIST_INSERT_HEAD(&tableq, kt, pfrkt_workq);
1523 if (!tbl->pfrt_anchor[0])
1526 /* find or create root table */
1527 bzero(&key, sizeof(key));
1528 strlcpy(key.pfrkt_name, tbl->pfrt_name, sizeof(key.pfrkt_name));
1529 rt = RB_FIND(pfr_ktablehead, &pfr_ktables, &key);
1531 kt->pfrkt_root = rt;
1534 rt = pfr_create_ktable(&key.pfrkt_t, 0, 1);
1536 pfr_destroy_ktables(&tableq, 0);
1539 SLIST_INSERT_HEAD(&tableq, rt, pfrkt_workq);
1540 kt->pfrkt_root = rt;
1541 } else if (!(kt->pfrkt_flags & PFR_TFLAG_INACTIVE))
1544 shadow = pfr_create_ktable(tbl, 0, 0);
1545 if (shadow == NULL) {
1546 pfr_destroy_ktables(&tableq, 0);
1550 for (i = 0; i < size; i++) {
1551 if (COPYIN(addr+i, &ad, sizeof(ad), flags))
1553 if (pfr_validate_addr(&ad))
1555 if (pfr_lookup_addr(shadow, &ad, 1) != NULL)
1557 p = pfr_create_kentry(&ad, 0);
1560 if (pfr_route_kentry(shadow, p)) {
1561 pfr_destroy_kentry(p);
1564 SLIST_INSERT_HEAD(&addrq, p, pfrke_workq);
1567 if (!(flags & PFR_FLAG_DUMMY)) {
1568 if (kt->pfrkt_shadow != NULL)
1569 pfr_destroy_ktable(kt->pfrkt_shadow, 1);
1570 kt->pfrkt_flags |= PFR_TFLAG_INACTIVE;
1571 pfr_insert_ktables(&tableq);
1572 shadow->pfrkt_cnt = (flags & PFR_FLAG_ADDRSTOO) ?
1573 xaddr : NO_ADDRESSES;
1574 kt->pfrkt_shadow = shadow;
1576 pfr_clean_node_mask(shadow, &addrq);
1577 pfr_destroy_ktable(shadow, 0);
1578 pfr_destroy_ktables(&tableq, 0);
1579 pfr_destroy_kentries(&addrq);
1587 pfr_destroy_ktable(shadow, 0);
1588 pfr_destroy_ktables(&tableq, 0);
1589 pfr_destroy_kentries(&addrq);
1594 pfr_ina_rollback(struct pfr_table *trs, u_int32_t ticket, int *ndel, int flags)
1596 struct pfr_ktableworkq workq;
1597 struct pfr_ktable *p;
1598 struct pf_ruleset *rs;
1601 ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY);
1602 rs = pf_find_ruleset(trs->pfrt_anchor);
1603 if (rs == NULL || !rs->topen || ticket != rs->tticket)
1606 RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {
1607 if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) ||
1608 pfr_skip_table(trs, p, 0))
1610 p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_INACTIVE;
1611 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1614 if (!(flags & PFR_FLAG_DUMMY)) {
1615 pfr_setflags_ktables(&workq);
1617 pf_remove_if_empty_ruleset(rs);
1625 pfr_ina_commit(struct pfr_table *trs, u_int32_t ticket, int *nadd,
1626 int *nchange, int flags)
1628 struct pfr_ktable *p, *q;
1629 struct pfr_ktableworkq workq;
1630 struct pf_ruleset *rs;
1631 int xadd = 0, xchange = 0;
1632 long tzero = time_second;
1634 ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY);
1635 rs = pf_find_ruleset(trs->pfrt_anchor);
1636 if (rs == NULL || !rs->topen || ticket != rs->tticket)
1640 RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {
1641 if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) ||
1642 pfr_skip_table(trs, p, 0))
1644 SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);
1645 if (p->pfrkt_flags & PFR_TFLAG_ACTIVE)
1651 if (!(flags & PFR_FLAG_DUMMY)) {
1652 if (flags & PFR_FLAG_ATOMIC)
1654 for (p = SLIST_FIRST(&workq); p != NULL; p = q) {
1655 q = SLIST_NEXT(p, pfrkt_workq);
1656 pfr_commit_ktable(p, tzero);
1658 if (flags & PFR_FLAG_ATOMIC)
1661 pf_remove_if_empty_ruleset(rs);
1665 if (nchange != NULL)
1672 pfr_commit_ktable(struct pfr_ktable *kt, long tzero)
1674 struct pfr_ktable *shadow = kt->pfrkt_shadow;
1677 if (shadow->pfrkt_cnt == NO_ADDRESSES) {
1678 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
1679 pfr_clstats_ktable(kt, tzero, 1);
1680 } else if (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) {
1681 /* kt might contain addresses */
1682 struct pfr_kentryworkq addrq, addq, changeq, delq, garbageq;
1683 struct pfr_kentry *p, *q, *next;
1686 pfr_enqueue_addrs(shadow, &addrq, NULL, 0);
1689 SLIST_INIT(&changeq);
1691 SLIST_INIT(&garbageq);
1692 pfr_clean_node_mask(shadow, &addrq);
1693 for (p = SLIST_FIRST(&addrq); p != NULL; p = next) {
1694 next = SLIST_NEXT(p, pfrke_workq); /* XXX */
1695 pfr_copyout_addr(&ad, p);
1696 q = pfr_lookup_addr(kt, &ad, 1);
1698 if (q->pfrke_not != p->pfrke_not)
1699 SLIST_INSERT_HEAD(&changeq, q,
1702 SLIST_INSERT_HEAD(&garbageq, p, pfrke_workq);
1704 p->pfrke_tzero = tzero;
1705 SLIST_INSERT_HEAD(&addq, p, pfrke_workq);
1708 pfr_enqueue_addrs(kt, &delq, NULL, ENQUEUE_UNMARKED_ONLY);
1709 pfr_insert_kentries(kt, &addq, tzero);
1710 pfr_remove_kentries(kt, &delq);
1711 pfr_clstats_kentries(&changeq, tzero, INVERT_NEG_FLAG);
1712 pfr_destroy_kentries(&garbageq);
1714 /* kt cannot contain addresses */
1715 SWAP(struct radix_node_head *, kt->pfrkt_ip4,
1717 SWAP(struct radix_node_head *, kt->pfrkt_ip6,
1719 SWAP(int, kt->pfrkt_cnt, shadow->pfrkt_cnt);
1720 pfr_clstats_ktable(kt, tzero, 1);
1722 nflags = ((shadow->pfrkt_flags & PFR_TFLAG_USRMASK) |
1723 (kt->pfrkt_flags & PFR_TFLAG_SETMASK) | PFR_TFLAG_ACTIVE)
1724 & ~PFR_TFLAG_INACTIVE;
1725 pfr_destroy_ktable(shadow, 0);
1726 kt->pfrkt_shadow = NULL;
1727 pfr_setflags_ktable(kt, nflags);
1731 pfr_validate_table(struct pfr_table *tbl, int allowedflags, int no_reserved)
1735 if (!tbl->pfrt_name[0])
1737 if (no_reserved && !strcmp(tbl->pfrt_anchor, PF_RESERVED_ANCHOR))
1739 if (tbl->pfrt_name[PF_TABLE_NAME_SIZE-1])
1741 for (i = strlen(tbl->pfrt_name); i < PF_TABLE_NAME_SIZE; i++)
1742 if (tbl->pfrt_name[i])
1744 if (pfr_fix_anchor(tbl->pfrt_anchor))
1746 if (tbl->pfrt_flags & ~allowedflags)
1752 * Rewrite anchors referenced by tables to remove slashes
1753 * and check for validity.
1756 pfr_fix_anchor(char *anchor)
1758 size_t siz = MAXPATHLEN;
1761 if (anchor[0] == '/') {
1767 while (*++path == '/')
1769 bcopy(path, anchor, siz - off);
1770 memset(anchor + siz - off, 0, off);
1772 if (anchor[siz - 1])
1774 for (i = strlen(anchor); i < siz; i++)
1781 pfr_table_count(struct pfr_table *filter, int flags)
1783 struct pf_ruleset *rs;
1785 if (flags & PFR_FLAG_ALLRSETS)
1786 return (pfr_ktable_cnt);
1787 if (filter->pfrt_anchor[0]) {
1788 rs = pf_find_ruleset(filter->pfrt_anchor);
1789 return ((rs != NULL) ? rs->tables : -1);
1791 return (pf_main_ruleset.tables);
1795 pfr_skip_table(struct pfr_table *filter, struct pfr_ktable *kt, int flags)
1797 if (flags & PFR_FLAG_ALLRSETS)
1799 if (strcmp(filter->pfrt_anchor, kt->pfrkt_anchor))
1805 pfr_insert_ktables(struct pfr_ktableworkq *workq)
1807 struct pfr_ktable *p;
1809 SLIST_FOREACH(p, workq, pfrkt_workq)
1810 pfr_insert_ktable(p);
1814 pfr_insert_ktable(struct pfr_ktable *kt)
1816 RB_INSERT(pfr_ktablehead, &pfr_ktables, kt);
1818 if (kt->pfrkt_root != NULL)
1819 if (!kt->pfrkt_root->pfrkt_refcnt[PFR_REFCNT_ANCHOR]++)
1820 pfr_setflags_ktable(kt->pfrkt_root,
1821 kt->pfrkt_root->pfrkt_flags|PFR_TFLAG_REFDANCHOR);
1825 pfr_setflags_ktables(struct pfr_ktableworkq *workq)
1827 struct pfr_ktable *p, *q;
1829 for (p = SLIST_FIRST(workq); p; p = q) {
1830 q = SLIST_NEXT(p, pfrkt_workq);
1831 pfr_setflags_ktable(p, p->pfrkt_nflags);
1836 pfr_setflags_ktable(struct pfr_ktable *kt, int newf)
1838 struct pfr_kentryworkq addrq;
1840 if (!(newf & PFR_TFLAG_REFERENCED) &&
1841 !(newf & PFR_TFLAG_PERSIST))
1842 newf &= ~PFR_TFLAG_ACTIVE;
1843 if (!(newf & PFR_TFLAG_ACTIVE))
1844 newf &= ~PFR_TFLAG_USRMASK;
1845 if (!(newf & PFR_TFLAG_SETMASK)) {
1846 RB_REMOVE(pfr_ktablehead, &pfr_ktables, kt);
1847 if (kt->pfrkt_root != NULL)
1848 if (!--kt->pfrkt_root->pfrkt_refcnt[PFR_REFCNT_ANCHOR])
1849 pfr_setflags_ktable(kt->pfrkt_root,
1850 kt->pfrkt_root->pfrkt_flags &
1851 ~PFR_TFLAG_REFDANCHOR);
1852 pfr_destroy_ktable(kt, 1);
1856 if (!(newf & PFR_TFLAG_ACTIVE) && kt->pfrkt_cnt) {
1857 pfr_enqueue_addrs(kt, &addrq, NULL, 0);
1858 pfr_remove_kentries(kt, &addrq);
1860 if (!(newf & PFR_TFLAG_INACTIVE) && kt->pfrkt_shadow != NULL) {
1861 pfr_destroy_ktable(kt->pfrkt_shadow, 1);
1862 kt->pfrkt_shadow = NULL;
1864 kt->pfrkt_flags = newf;
1868 pfr_clstats_ktables(struct pfr_ktableworkq *workq, long tzero, int recurse)
1870 struct pfr_ktable *p;
1872 SLIST_FOREACH(p, workq, pfrkt_workq)
1873 pfr_clstats_ktable(p, tzero, recurse);
1877 pfr_clstats_ktable(struct pfr_ktable *kt, long tzero, int recurse)
1879 struct pfr_kentryworkq addrq;
1882 pfr_enqueue_addrs(kt, &addrq, NULL, 0);
1883 pfr_clstats_kentries(&addrq, tzero, 0);
1886 bzero(kt->pfrkt_packets, sizeof(kt->pfrkt_packets));
1887 bzero(kt->pfrkt_bytes, sizeof(kt->pfrkt_bytes));
1888 kt->pfrkt_match = kt->pfrkt_nomatch = 0;
1890 kt->pfrkt_tzero = tzero;
1894 pfr_create_ktable(struct pfr_table *tbl, long tzero, int attachruleset)
1896 struct pfr_ktable *kt;
1897 struct pf_ruleset *rs;
1899 kt = kmalloc(sizeof(struct pfr_ktable), M_PFRKTABLEPL, M_NOWAIT|M_ZERO|M_NULLOK);
1904 if (attachruleset) {
1905 rs = pf_find_or_create_ruleset(tbl->pfrt_anchor);
1907 pfr_destroy_ktable(kt, 0);
1914 KKASSERT(pf_maskhead != NULL);
1915 if (!rn_inithead((void **)&kt->pfrkt_ip4, pf_maskhead,
1916 offsetof(struct sockaddr_in, sin_addr) * 8) ||
1917 !rn_inithead((void **)&kt->pfrkt_ip6, pf_maskhead,
1918 offsetof(struct sockaddr_in6, sin6_addr) * 8)) {
1919 pfr_destroy_ktable(kt, 0);
1922 kt->pfrkt_tzero = tzero;
1928 pfr_destroy_ktables(struct pfr_ktableworkq *workq, int flushaddr)
1930 struct pfr_ktable *p, *q;
1932 for (p = SLIST_FIRST(workq); p; p = q) {
1933 q = SLIST_NEXT(p, pfrkt_workq);
1934 pfr_destroy_ktable(p, flushaddr);
1939 pfr_destroy_ktable(struct pfr_ktable *kt, int flushaddr)
1941 struct pfr_kentryworkq addrq;
1944 pfr_enqueue_addrs(kt, &addrq, NULL, 0);
1945 pfr_clean_node_mask(kt, &addrq);
1946 pfr_destroy_kentries(&addrq);
1948 if (kt->pfrkt_ip4 != NULL)
1949 kfree((caddr_t)kt->pfrkt_ip4, M_RTABLE);
1951 if (kt->pfrkt_ip6 != NULL)
1952 kfree((caddr_t)kt->pfrkt_ip6, M_RTABLE);
1953 if (kt->pfrkt_shadow != NULL)
1954 pfr_destroy_ktable(kt->pfrkt_shadow, flushaddr);
1955 if (kt->pfrkt_rs != NULL) {
1956 kt->pfrkt_rs->tables--;
1957 pf_remove_if_empty_ruleset(kt->pfrkt_rs);
1959 kfree(kt, M_PFRKTABLEPL);
1963 pfr_ktable_compare(struct pfr_ktable *p, struct pfr_ktable *q)
1967 if ((d = strncmp(p->pfrkt_name, q->pfrkt_name, PF_TABLE_NAME_SIZE)))
1969 return (strcmp(p->pfrkt_anchor, q->pfrkt_anchor));
1973 pfr_lookup_table(struct pfr_table *tbl)
1975 /* struct pfr_ktable start like a struct pfr_table */
1976 return (RB_FIND(pfr_ktablehead, &pfr_ktables,
1977 (struct pfr_ktable *)tbl));
1981 pfr_match_addr(struct pfr_ktable *kt, struct pf_addr *a, sa_family_t af)
1983 struct pfr_kentry *ke = NULL;
1986 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
1987 kt = kt->pfrkt_root;
1988 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
1994 pfr_sin.sin_addr.s_addr = a->addr32[0];
1995 ke = (struct pfr_kentry *)rn_match((char *)&pfr_sin,
1997 if (ke && KENTRY_RNF_ROOT(ke))
2003 bcopy(a, &pfr_sin6.sin6_addr, sizeof(pfr_sin6.sin6_addr));
2004 ke = (struct pfr_kentry *)rn_match((char *)&pfr_sin6,
2006 if (ke && KENTRY_RNF_ROOT(ke))
2011 match = (ke && !ke->pfrke_not);
2015 kt->pfrkt_nomatch++;
2020 pfr_update_stats(struct pfr_ktable *kt, struct pf_addr *a, sa_family_t af,
2021 u_int64_t len, int dir_out, int op_pass, int notrule)
2023 struct pfr_kentry *ke = NULL;
2025 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
2026 kt = kt->pfrkt_root;
2027 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
2033 pfr_sin.sin_addr.s_addr = a->addr32[0];
2034 ke = (struct pfr_kentry *)rn_match((char *)&pfr_sin,
2036 if (ke && KENTRY_RNF_ROOT(ke))
2042 bcopy(a, &pfr_sin6.sin6_addr, sizeof(pfr_sin6.sin6_addr));
2043 ke = (struct pfr_kentry *)rn_match((char *)&pfr_sin6,
2045 if (ke && KENTRY_RNF_ROOT(ke))
2052 if ((ke == NULL || ke->pfrke_not) != notrule) {
2053 if (op_pass != PFR_OP_PASS)
2054 kprintf("pfr_update_stats: assertion failed.\n");
2055 op_pass = PFR_OP_XPASS;
2057 kt->pfrkt_packets[dir_out][op_pass]++;
2058 kt->pfrkt_bytes[dir_out][op_pass] += len;
2059 if (ke != NULL && op_pass != PFR_OP_XPASS &&
2060 (kt->pfrkt_flags & PFR_TFLAG_COUNTERS)) {
2061 if (ke->pfrke_counters == NULL)
2062 ke->pfrke_counters = kmalloc(sizeof(struct pfr_kcounters),
2063 M_PFRKCOUNTERSPL, M_NOWAIT|M_ZERO);
2064 if (ke->pfrke_counters != NULL) {
2065 ke->pfrke_counters->pfrkc_packets[dir_out][op_pass]++;
2066 ke->pfrke_counters->pfrkc_bytes[dir_out][op_pass] += len;
2072 pfr_attach_table(struct pf_ruleset *rs, char *name)
2074 struct pfr_ktable *kt, *rt;
2075 struct pfr_table tbl;
2076 struct pf_anchor *ac = rs->anchor;
2078 bzero(&tbl, sizeof(tbl));
2079 strlcpy(tbl.pfrt_name, name, sizeof(tbl.pfrt_name));
2081 strlcpy(tbl.pfrt_anchor, ac->path, sizeof(tbl.pfrt_anchor));
2082 kt = pfr_lookup_table(&tbl);
2084 kt = pfr_create_ktable(&tbl, time_second, 1);
2088 bzero(tbl.pfrt_anchor, sizeof(tbl.pfrt_anchor));
2089 rt = pfr_lookup_table(&tbl);
2091 rt = pfr_create_ktable(&tbl, 0, 1);
2093 pfr_destroy_ktable(kt, 0);
2096 pfr_insert_ktable(rt);
2098 kt->pfrkt_root = rt;
2100 pfr_insert_ktable(kt);
2102 if (!kt->pfrkt_refcnt[PFR_REFCNT_RULE]++)
2103 pfr_setflags_ktable(kt, kt->pfrkt_flags|PFR_TFLAG_REFERENCED);
2108 pfr_detach_table(struct pfr_ktable *kt)
2110 if (kt->pfrkt_refcnt[PFR_REFCNT_RULE] <= 0)
2111 kprintf("pfr_detach_table: refcount = %d.\n",
2112 kt->pfrkt_refcnt[PFR_REFCNT_RULE]);
2113 else if (!--kt->pfrkt_refcnt[PFR_REFCNT_RULE])
2114 pfr_setflags_ktable(kt, kt->pfrkt_flags&~PFR_TFLAG_REFERENCED);
2118 pfr_pool_get(struct pfr_ktable *kt, int *pidx, struct pf_addr *counter,
2119 struct pf_addr **raddr, struct pf_addr **rmask, sa_family_t af)
2121 struct pfr_kentry *ke, *ke2 = NULL;
2122 struct pf_addr *addr = NULL;
2123 union sockaddr_union mask;
2124 int idx = -1, use_counter = 0;
2127 addr = (struct pf_addr *)&pfr_sin.sin_addr;
2128 else if (af == AF_INET6)
2129 addr = (struct pf_addr *)&pfr_sin6.sin6_addr;
2130 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
2131 kt = kt->pfrkt_root;
2132 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE))
2137 if (counter != NULL && idx >= 0)
2143 ke = pfr_kentry_byidx(kt, idx, af);
2145 kt->pfrkt_nomatch++;
2148 pfr_prepare_network(&pfr_mask, af, ke->pfrke_net);
2149 *raddr = SUNION2PF(&ke->pfrke_sa, af);
2150 *rmask = SUNION2PF(&pfr_mask, af);
2153 /* is supplied address within block? */
2154 if (!PF_MATCHA(0, *raddr, *rmask, counter, af)) {
2155 /* no, go to next block in table */
2160 PF_ACPY(addr, counter, af);
2162 /* use first address of block */
2163 PF_ACPY(addr, *raddr, af);
2166 if (!KENTRY_NETWORK(ke)) {
2167 /* this is a single IP address - no possible nested block */
2168 PF_ACPY(counter, addr, af);
2174 /* we don't want to use a nested block */
2176 ke2 = (struct pfr_kentry *)rn_match((char *)&pfr_sin,
2178 else if (af == AF_INET6)
2179 ke2 = (struct pfr_kentry *)rn_match((char *)&pfr_sin6,
2181 /* no need to check KENTRY_RNF_ROOT() here */
2183 /* lookup return the same block - perfect */
2184 PF_ACPY(counter, addr, af);
2190 /* we need to increase the counter past the nested block */
2191 pfr_prepare_network(&mask, AF_INET, ke2->pfrke_net);
2192 PF_POOLMASK(addr, addr, SUNION2PF(&mask, af), &pfr_ffaddr, af);
2194 if (!PF_MATCHA(0, *raddr, *rmask, addr, af)) {
2195 /* ok, we reached the end of our main block */
2196 /* go to next block in table */
2205 pfr_kentry_byidx(struct pfr_ktable *kt, int idx, int af)
2207 struct pfr_walktree w;
2209 bzero(&w, sizeof(w));
2210 w.pfrw_op = PFRW_POOL_GET;
2216 kt->pfrkt_ip4->rnh_walktree(kt->pfrkt_ip4, pfr_walktree, &w);
2217 return (w.pfrw_kentry);
2221 kt->pfrkt_ip6->rnh_walktree(kt->pfrkt_ip6, pfr_walktree, &w);
2222 return (w.pfrw_kentry);
2230 pfr_dynaddr_update(struct pfr_ktable *kt, struct pfi_dynaddr *dyn)
2232 struct pfr_walktree w;
2234 bzero(&w, sizeof(w));
2235 w.pfrw_op = PFRW_DYNADDR_UPDATE;
2239 dyn->pfid_acnt4 = 0;
2240 dyn->pfid_acnt6 = 0;
2241 if (!dyn->pfid_af || dyn->pfid_af == AF_INET)
2242 kt->pfrkt_ip4->rnh_walktree(kt->pfrkt_ip4, pfr_walktree, &w);
2243 if (!dyn->pfid_af || dyn->pfid_af == AF_INET6)
2244 kt->pfrkt_ip6->rnh_walktree(kt->pfrkt_ip6, pfr_walktree, &w);
mneumann's projects / dragonfly.git / blob