2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2001 Daniel Hartmeier
5 * Copyright (c) 2002,2003 Henning Brauer
6 * Copyright (c) 2012 Gleb Smirnoff <glebius@FreeBSD.org>
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * - Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * - Redistributions in binary form must reproduce the above
16 * copyright notice, this list of conditions and the following
17 * disclaimer in the documentation and/or other materials provided
18 * with the distribution.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
28 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
30 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
33 * Effort sponsored in part by the Defense Advanced Research Projects
34 * Agency (DARPA) and Air Force Research Laboratory, Air Force
35 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
37 * $OpenBSD: pf_ioctl.c,v 1.213 2009/02/15 21:46:12 mbalmer Exp $
40 #include <sys/cdefs.h>
42 #include "opt_inet6.h"
46 #include <sys/param.h>
47 #include <sys/_bitset.h>
48 #include <sys/bitset.h>
51 #include <sys/endian.h>
52 #include <sys/fcntl.h>
53 #include <sys/filio.h>
55 #include <sys/interrupt.h>
57 #include <sys/kernel.h>
58 #include <sys/kthread.h>
61 #include <sys/module.h>
66 #include <sys/socket.h>
67 #include <sys/sysctl.h>
69 #include <sys/ucred.h>
72 #include <net/if_var.h>
73 #include <net/if_private.h>
75 #include <net/route.h>
77 #include <net/pfvar.h>
78 #include <net/if_pfsync.h>
79 #include <net/if_pflog.h>
81 #include <netinet/in.h>
82 #include <netinet/ip.h>
83 #include <netinet/ip_var.h>
84 #include <netinet6/ip6_var.h>
85 #include <netinet/ip_icmp.h>
86 #include <netpfil/pf/pf_nl.h>
87 #include <netpfil/pf/pf_nv.h>
90 #include <netinet/ip6.h>
94 #include <net/altq/altq.h>
97 SDT_PROBE_DEFINE3(pf, ioctl, ioctl, error, "int", "int", "int");
98 SDT_PROBE_DEFINE3(pf, ioctl, function, error, "char *", "int", "int");
99 SDT_PROBE_DEFINE2(pf, ioctl, addrule, error, "int", "int");
100 SDT_PROBE_DEFINE2(pf, ioctl, nvchk, error, "int", "int");
102 static struct pf_kpool *pf_get_kpool(const char *, u_int32_t, u_int8_t,
103 u_int32_t, u_int8_t, u_int8_t, u_int8_t);
105 static void pf_mv_kpool(struct pf_kpalist *, struct pf_kpalist *);
106 static void pf_empty_kpool(struct pf_kpalist *);
107 static int pfioctl(struct cdev *, u_long, caddr_t, int,
109 static int pf_begin_eth(uint32_t *, const char *);
110 static void pf_rollback_eth_cb(struct epoch_context *);
111 static int pf_rollback_eth(uint32_t, const char *);
112 static int pf_commit_eth(uint32_t, const char *);
113 static void pf_free_eth_rule(struct pf_keth_rule *);
115 static int pf_begin_altq(u_int32_t *);
116 static int pf_rollback_altq(u_int32_t);
117 static int pf_commit_altq(u_int32_t);
118 static int pf_enable_altq(struct pf_altq *);
119 static int pf_disable_altq(struct pf_altq *);
120 static uint16_t pf_qname2qid(const char *);
121 static void pf_qid_unref(uint16_t);
123 static int pf_begin_rules(u_int32_t *, int, const char *);
124 static int pf_rollback_rules(u_int32_t, int, char *);
125 static int pf_setup_pfsync_matching(struct pf_kruleset *);
126 static void pf_hash_rule_rolling(MD5_CTX *, struct pf_krule *);
127 static void pf_hash_rule(struct pf_krule *);
128 static void pf_hash_rule_addr(MD5_CTX *, struct pf_rule_addr *);
129 static int pf_commit_rules(u_int32_t, int, char *);
130 static int pf_addr_setup(struct pf_kruleset *,
131 struct pf_addr_wrap *, sa_family_t);
132 static void pf_addr_copyout(struct pf_addr_wrap *);
133 static void pf_src_node_copy(const struct pf_ksrc_node *,
134 struct pf_src_node *);
136 static int pf_export_kaltq(struct pf_altq *,
137 struct pfioc_altq_v1 *, size_t);
138 static int pf_import_kaltq(struct pfioc_altq_v1 *,
139 struct pf_altq *, size_t);
142 VNET_DEFINE(struct pf_krule, pf_default_rule);
144 static __inline int pf_krule_compare(struct pf_krule *,
147 RB_GENERATE(pf_krule_global, pf_krule, entry_global, pf_krule_compare);
150 VNET_DEFINE_STATIC(int, pf_altq_running);
151 #define V_pf_altq_running VNET(pf_altq_running)
154 #define TAGID_MAX 50000
156 TAILQ_ENTRY(pf_tagname) namehash_entries;
157 TAILQ_ENTRY(pf_tagname) taghash_entries;
158 char name[PF_TAG_NAME_SIZE];
164 TAILQ_HEAD(, pf_tagname) *namehash;
165 TAILQ_HEAD(, pf_tagname) *taghash;
168 BITSET_DEFINE(, TAGID_MAX) avail;
171 VNET_DEFINE(struct pf_tagset, pf_tags);
172 #define V_pf_tags VNET(pf_tags)
173 static unsigned int pf_rule_tag_hashsize;
174 #define PF_RULE_TAG_HASH_SIZE_DEFAULT 128
175 SYSCTL_UINT(_net_pf, OID_AUTO, rule_tag_hashsize, CTLFLAG_RDTUN,
176 &pf_rule_tag_hashsize, PF_RULE_TAG_HASH_SIZE_DEFAULT,
177 "Size of pf(4) rule tag hashtable");
180 VNET_DEFINE(struct pf_tagset, pf_qids);
181 #define V_pf_qids VNET(pf_qids)
182 static unsigned int pf_queue_tag_hashsize;
183 #define PF_QUEUE_TAG_HASH_SIZE_DEFAULT 128
184 SYSCTL_UINT(_net_pf, OID_AUTO, queue_tag_hashsize, CTLFLAG_RDTUN,
185 &pf_queue_tag_hashsize, PF_QUEUE_TAG_HASH_SIZE_DEFAULT,
186 "Size of pf(4) queue tag hashtable");
188 VNET_DEFINE(uma_zone_t, pf_tag_z);
189 #define V_pf_tag_z VNET(pf_tag_z)
190 static MALLOC_DEFINE(M_PFALTQ, "pf_altq", "pf(4) altq configuration db");
191 static MALLOC_DEFINE(M_PFRULE, "pf_rule", "pf(4) rules");
193 #if (PF_QNAME_SIZE != PF_TAG_NAME_SIZE)
194 #error PF_QNAME_SIZE must be equal to PF_TAG_NAME_SIZE
197 VNET_DEFINE_STATIC(bool, pf_filter_local) = false;
198 #define V_pf_filter_local VNET(pf_filter_local)
199 SYSCTL_BOOL(_net_pf, OID_AUTO, filter_local, CTLFLAG_VNET | CTLFLAG_RW,
200 &VNET_NAME(pf_filter_local), false,
201 "Enable filtering for packets delivered to local network stack");
203 #ifdef PF_DEFAULT_TO_DROP
204 VNET_DEFINE_STATIC(bool, default_to_drop) = true;
206 VNET_DEFINE_STATIC(bool, default_to_drop);
208 #define V_default_to_drop VNET(default_to_drop)
209 SYSCTL_BOOL(_net_pf, OID_AUTO, default_to_drop, CTLFLAG_RDTUN | CTLFLAG_VNET,
210 &VNET_NAME(default_to_drop), false,
211 "Make the default rule drop all packets.");
213 static void pf_init_tagset(struct pf_tagset *, unsigned int *,
215 static void pf_cleanup_tagset(struct pf_tagset *);
216 static uint16_t tagname2hashindex(const struct pf_tagset *, const char *);
217 static uint16_t tag2hashindex(const struct pf_tagset *, uint16_t);
218 static u_int16_t tagname2tag(struct pf_tagset *, const char *);
219 static u_int16_t pf_tagname2tag(const char *);
220 static void tag_unref(struct pf_tagset *, u_int16_t);
222 #define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x
227 * XXX - These are new and need to be checked when moveing to a new version
229 static void pf_clear_all_states(void);
230 static unsigned int pf_clear_states(const struct pf_kstate_kill *);
231 static void pf_killstates(struct pf_kstate_kill *,
233 static int pf_killstates_row(struct pf_kstate_kill *,
235 static int pf_killstates_nv(struct pfioc_nv *);
236 static int pf_clearstates_nv(struct pfioc_nv *);
237 static int pf_getstate(struct pfioc_nv *);
238 static int pf_getstatus(struct pfioc_nv *);
239 static int pf_clear_tables(void);
240 static void pf_clear_srcnodes(struct pf_ksrc_node *);
241 static void pf_kill_srcnodes(struct pfioc_src_node_kill *);
242 static int pf_keepcounters(struct pfioc_nv *);
243 static void pf_tbladdr_copyout(struct pf_addr_wrap *);
246 * Wrapper functions for pfil(9) hooks
248 static pfil_return_t pf_eth_check_in(struct mbuf **m, struct ifnet *ifp,
249 int flags, void *ruleset __unused, struct inpcb *inp);
250 static pfil_return_t pf_eth_check_out(struct mbuf **m, struct ifnet *ifp,
251 int flags, void *ruleset __unused, struct inpcb *inp);
253 static pfil_return_t pf_check_in(struct mbuf **m, struct ifnet *ifp,
254 int flags, void *ruleset __unused, struct inpcb *inp);
255 static pfil_return_t pf_check_out(struct mbuf **m, struct ifnet *ifp,
256 int flags, void *ruleset __unused, struct inpcb *inp);
259 static pfil_return_t pf_check6_in(struct mbuf **m, struct ifnet *ifp,
260 int flags, void *ruleset __unused, struct inpcb *inp);
261 static pfil_return_t pf_check6_out(struct mbuf **m, struct ifnet *ifp,
262 int flags, void *ruleset __unused, struct inpcb *inp);
265 static void hook_pf_eth(void);
266 static void hook_pf(void);
267 static void dehook_pf_eth(void);
268 static void dehook_pf(void);
269 static int shutdown_pf(void);
270 static int pf_load(void);
271 static void pf_unload(void);
273 static struct cdevsw pf_cdevsw = {
276 .d_version = D_VERSION,
279 VNET_DEFINE_STATIC(bool, pf_pfil_hooked);
280 #define V_pf_pfil_hooked VNET(pf_pfil_hooked)
281 VNET_DEFINE_STATIC(bool, pf_pfil_eth_hooked);
282 #define V_pf_pfil_eth_hooked VNET(pf_pfil_eth_hooked)
285 * We need a flag that is neither hooked nor running to know when
286 * the VNET is "valid". We primarily need this to control (global)
287 * external event, e.g., eventhandlers.
289 VNET_DEFINE(int, pf_vnet_active);
290 #define V_pf_vnet_active VNET(pf_vnet_active)
293 struct proc *pf_purge_proc;
295 VNET_DEFINE(struct rmlock, pf_rules_lock);
296 VNET_DEFINE_STATIC(struct sx, pf_ioctl_lock);
297 #define V_pf_ioctl_lock VNET(pf_ioctl_lock)
298 struct sx pf_end_lock;
301 VNET_DEFINE(pfsync_state_import_t *, pfsync_state_import_ptr);
302 VNET_DEFINE(pfsync_insert_state_t *, pfsync_insert_state_ptr);
303 VNET_DEFINE(pfsync_update_state_t *, pfsync_update_state_ptr);
304 VNET_DEFINE(pfsync_delete_state_t *, pfsync_delete_state_ptr);
305 VNET_DEFINE(pfsync_clear_states_t *, pfsync_clear_states_ptr);
306 VNET_DEFINE(pfsync_defer_t *, pfsync_defer_ptr);
307 pfsync_detach_ifnet_t *pfsync_detach_ifnet_ptr;
310 pflog_packet_t *pflog_packet_ptr = NULL;
313 * Copy a user-provided string, returning an error if truncation would occur.
314 * Avoid scanning past "sz" bytes in the source string since there's no
315 * guarantee that it's nul-terminated.
318 pf_user_strcpy(char *dst, const char *src, size_t sz)
320 if (strnlen(src, sz) == sz)
322 (void)strlcpy(dst, src, sz);
329 u_int32_t *my_timeout = V_pf_default_rule.timeout;
331 bzero(&V_pf_status, sizeof(V_pf_status));
335 pfi_initialize_vnet();
337 pf_syncookies_init();
339 V_pf_limits[PF_LIMIT_STATES].limit = PFSTATE_HIWAT;
340 V_pf_limits[PF_LIMIT_SRC_NODES].limit = PFSNODE_HIWAT;
342 RB_INIT(&V_pf_anchors);
343 pf_init_kruleset(&pf_main_ruleset);
345 pf_init_keth(V_pf_keth);
347 /* default rule should never be garbage collected */
348 V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
349 V_pf_default_rule.action = V_default_to_drop ? PF_DROP : PF_PASS;
350 V_pf_default_rule.nr = -1;
351 V_pf_default_rule.rtableid = -1;
353 pf_counter_u64_init(&V_pf_default_rule.evaluations, M_WAITOK);
354 for (int i = 0; i < 2; i++) {
355 pf_counter_u64_init(&V_pf_default_rule.packets[i], M_WAITOK);
356 pf_counter_u64_init(&V_pf_default_rule.bytes[i], M_WAITOK);
358 V_pf_default_rule.states_cur = counter_u64_alloc(M_WAITOK);
359 V_pf_default_rule.states_tot = counter_u64_alloc(M_WAITOK);
360 V_pf_default_rule.src_nodes = counter_u64_alloc(M_WAITOK);
362 V_pf_default_rule.timestamp = uma_zalloc_pcpu(pf_timestamp_pcpu_zone,
365 #ifdef PF_WANT_32_TO_64_COUNTER
366 V_pf_kifmarker = malloc(sizeof(*V_pf_kifmarker), PFI_MTYPE, M_WAITOK | M_ZERO);
367 V_pf_rulemarker = malloc(sizeof(*V_pf_rulemarker), M_PFRULE, M_WAITOK | M_ZERO);
369 LIST_INSERT_HEAD(&V_pf_allkiflist, V_pf_kifmarker, pfik_allkiflist);
370 LIST_INSERT_HEAD(&V_pf_allrulelist, &V_pf_default_rule, allrulelist);
372 LIST_INSERT_HEAD(&V_pf_allrulelist, V_pf_rulemarker, allrulelist);
376 /* initialize default timeouts */
377 my_timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
378 my_timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL;
379 my_timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL;
380 my_timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL;
381 my_timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL;
382 my_timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL;
383 my_timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL;
384 my_timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL;
385 my_timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL;
386 my_timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL;
387 my_timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL;
388 my_timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL;
389 my_timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL;
390 my_timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL;
391 my_timeout[PFTM_FRAG] = PFTM_FRAG_VAL;
392 my_timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL;
393 my_timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL;
394 my_timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
395 my_timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;
396 my_timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;
398 V_pf_status.debug = PF_DEBUG_URGENT;
400 * XXX This is different than in OpenBSD where reassembly is enabled by
401 * defult. In FreeBSD we expect people to still use scrub rules and
402 * switch to the new syntax later. Only when they switch they must
403 * explicitly enable reassemle. We could change the default once the
404 * scrub rule functionality is hopefully removed some day in future.
406 V_pf_status.reass = 0;
408 V_pf_pfil_hooked = false;
409 V_pf_pfil_eth_hooked = false;
411 /* XXX do our best to avoid a conflict */
412 V_pf_status.hostid = arc4random();
414 for (int i = 0; i < PFRES_MAX; i++)
415 V_pf_status.counters[i] = counter_u64_alloc(M_WAITOK);
416 for (int i = 0; i < KLCNT_MAX; i++)
417 V_pf_status.lcounters[i] = counter_u64_alloc(M_WAITOK);
418 for (int i = 0; i < FCNT_MAX; i++)
419 pf_counter_u64_init(&V_pf_status.fcounters[i], M_WAITOK);
420 for (int i = 0; i < SCNT_MAX; i++)
421 V_pf_status.scounters[i] = counter_u64_alloc(M_WAITOK);
423 if (swi_add(&V_pf_swi_ie, "pf send", pf_intr, curvnet, SWI_NET,
424 INTR_MPSAFE, &V_pf_swi_cookie) != 0)
425 /* XXXGL: leaked all above. */
429 static struct pf_kpool *
430 pf_get_kpool(const char *anchor, u_int32_t ticket, u_int8_t rule_action,
431 u_int32_t rule_number, u_int8_t r_last, u_int8_t active,
432 u_int8_t check_ticket)
434 struct pf_kruleset *ruleset;
435 struct pf_krule *rule;
438 ruleset = pf_find_kruleset(anchor);
441 rs_num = pf_get_ruleset_number(rule_action);
442 if (rs_num >= PF_RULESET_MAX)
445 if (check_ticket && ticket !=
446 ruleset->rules[rs_num].active.ticket)
449 rule = TAILQ_LAST(ruleset->rules[rs_num].active.ptr,
452 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
454 if (check_ticket && ticket !=
455 ruleset->rules[rs_num].inactive.ticket)
458 rule = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
461 rule = TAILQ_FIRST(ruleset->rules[rs_num].inactive.ptr);
464 while ((rule != NULL) && (rule->nr != rule_number))
465 rule = TAILQ_NEXT(rule, entries);
470 return (&rule->rpool);
474 pf_mv_kpool(struct pf_kpalist *poola, struct pf_kpalist *poolb)
476 struct pf_kpooladdr *mv_pool_pa;
478 while ((mv_pool_pa = TAILQ_FIRST(poola)) != NULL) {
479 TAILQ_REMOVE(poola, mv_pool_pa, entries);
480 TAILQ_INSERT_TAIL(poolb, mv_pool_pa, entries);
485 pf_empty_kpool(struct pf_kpalist *poola)
487 struct pf_kpooladdr *pa;
489 while ((pa = TAILQ_FIRST(poola)) != NULL) {
490 switch (pa->addr.type) {
491 case PF_ADDR_DYNIFTL:
492 pfi_dynaddr_remove(pa->addr.p.dyn);
495 /* XXX: this could be unfinished pooladdr on pabuf */
496 if (pa->addr.p.tbl != NULL)
497 pfr_detach_table(pa->addr.p.tbl);
501 pfi_kkif_unref(pa->kif);
502 TAILQ_REMOVE(poola, pa, entries);
508 pf_unlink_rule_locked(struct pf_krulequeue *rulequeue, struct pf_krule *rule)
512 PF_UNLNKDRULES_ASSERT();
514 TAILQ_REMOVE(rulequeue, rule, entries);
516 rule->rule_ref |= PFRULE_REFS;
517 TAILQ_INSERT_TAIL(&V_pf_unlinked_rules, rule, entries);
521 pf_unlink_rule(struct pf_krulequeue *rulequeue, struct pf_krule *rule)
526 PF_UNLNKDRULES_LOCK();
527 pf_unlink_rule_locked(rulequeue, rule);
528 PF_UNLNKDRULES_UNLOCK();
532 pf_free_eth_rule(struct pf_keth_rule *rule)
540 tag_unref(&V_pf_tags, rule->tag);
542 tag_unref(&V_pf_tags, rule->match_tag);
544 pf_qid_unref(rule->qid);
548 pfi_kkif_unref(rule->bridge_to);
550 pfi_kkif_unref(rule->kif);
552 if (rule->ipsrc.addr.type == PF_ADDR_TABLE)
553 pfr_detach_table(rule->ipsrc.addr.p.tbl);
554 if (rule->ipdst.addr.type == PF_ADDR_TABLE)
555 pfr_detach_table(rule->ipdst.addr.p.tbl);
557 counter_u64_free(rule->evaluations);
558 for (int i = 0; i < 2; i++) {
559 counter_u64_free(rule->packets[i]);
560 counter_u64_free(rule->bytes[i]);
562 uma_zfree_pcpu(pf_timestamp_pcpu_zone, rule->timestamp);
563 pf_keth_anchor_remove(rule);
565 free(rule, M_PFRULE);
569 pf_free_rule(struct pf_krule *rule)
576 tag_unref(&V_pf_tags, rule->tag);
578 tag_unref(&V_pf_tags, rule->match_tag);
580 if (rule->pqid != rule->qid)
581 pf_qid_unref(rule->pqid);
582 pf_qid_unref(rule->qid);
584 switch (rule->src.addr.type) {
585 case PF_ADDR_DYNIFTL:
586 pfi_dynaddr_remove(rule->src.addr.p.dyn);
589 pfr_detach_table(rule->src.addr.p.tbl);
592 switch (rule->dst.addr.type) {
593 case PF_ADDR_DYNIFTL:
594 pfi_dynaddr_remove(rule->dst.addr.p.dyn);
597 pfr_detach_table(rule->dst.addr.p.tbl);
600 if (rule->overload_tbl)
601 pfr_detach_table(rule->overload_tbl);
603 pfi_kkif_unref(rule->kif);
604 pf_kanchor_remove(rule);
605 pf_empty_kpool(&rule->rpool.list);
611 pf_init_tagset(struct pf_tagset *ts, unsigned int *tunable_size,
612 unsigned int default_size)
615 unsigned int hashsize;
617 if (*tunable_size == 0 || !powerof2(*tunable_size))
618 *tunable_size = default_size;
620 hashsize = *tunable_size;
621 ts->namehash = mallocarray(hashsize, sizeof(*ts->namehash), M_PFHASH,
623 ts->taghash = mallocarray(hashsize, sizeof(*ts->taghash), M_PFHASH,
625 ts->mask = hashsize - 1;
626 ts->seed = arc4random();
627 for (i = 0; i < hashsize; i++) {
628 TAILQ_INIT(&ts->namehash[i]);
629 TAILQ_INIT(&ts->taghash[i]);
631 BIT_FILL(TAGID_MAX, &ts->avail);
635 pf_cleanup_tagset(struct pf_tagset *ts)
638 unsigned int hashsize;
639 struct pf_tagname *t, *tmp;
642 * Only need to clean up one of the hashes as each tag is hashed
645 hashsize = ts->mask + 1;
646 for (i = 0; i < hashsize; i++)
647 TAILQ_FOREACH_SAFE(t, &ts->namehash[i], namehash_entries, tmp)
648 uma_zfree(V_pf_tag_z, t);
650 free(ts->namehash, M_PFHASH);
651 free(ts->taghash, M_PFHASH);
655 tagname2hashindex(const struct pf_tagset *ts, const char *tagname)
659 len = strnlen(tagname, PF_TAG_NAME_SIZE - 1);
660 return (murmur3_32_hash(tagname, len, ts->seed) & ts->mask);
664 tag2hashindex(const struct pf_tagset *ts, uint16_t tag)
667 return (tag & ts->mask);
671 tagname2tag(struct pf_tagset *ts, const char *tagname)
673 struct pf_tagname *tag;
679 index = tagname2hashindex(ts, tagname);
680 TAILQ_FOREACH(tag, &ts->namehash[index], namehash_entries)
681 if (strcmp(tagname, tag->name) == 0) {
689 * to avoid fragmentation, we do a linear search from the beginning
690 * and take the first free slot we find.
692 new_tagid = BIT_FFS(TAGID_MAX, &ts->avail);
694 * Tags are 1-based, with valid tags in the range [1..TAGID_MAX].
695 * BIT_FFS() returns a 1-based bit number, with 0 indicating no bits
696 * set. It may also return a bit number greater than TAGID_MAX due
697 * to rounding of the number of bits in the vector up to a multiple
698 * of the vector word size at declaration/allocation time.
700 if ((new_tagid == 0) || (new_tagid > TAGID_MAX))
703 /* Mark the tag as in use. Bits are 0-based for BIT_CLR() */
704 BIT_CLR(TAGID_MAX, new_tagid - 1, &ts->avail);
706 /* allocate and fill new struct pf_tagname */
707 tag = uma_zalloc(V_pf_tag_z, M_NOWAIT);
710 strlcpy(tag->name, tagname, sizeof(tag->name));
711 tag->tag = new_tagid;
714 /* Insert into namehash */
715 TAILQ_INSERT_TAIL(&ts->namehash[index], tag, namehash_entries);
717 /* Insert into taghash */
718 index = tag2hashindex(ts, new_tagid);
719 TAILQ_INSERT_TAIL(&ts->taghash[index], tag, taghash_entries);
725 tag_unref(struct pf_tagset *ts, u_int16_t tag)
727 struct pf_tagname *t;
732 index = tag2hashindex(ts, tag);
733 TAILQ_FOREACH(t, &ts->taghash[index], taghash_entries)
736 TAILQ_REMOVE(&ts->taghash[index], t,
738 index = tagname2hashindex(ts, t->name);
739 TAILQ_REMOVE(&ts->namehash[index], t,
741 /* Bits are 0-based for BIT_SET() */
742 BIT_SET(TAGID_MAX, tag - 1, &ts->avail);
743 uma_zfree(V_pf_tag_z, t);
750 pf_tagname2tag(const char *tagname)
752 return (tagname2tag(&V_pf_tags, tagname));
756 pf_begin_eth(uint32_t *ticket, const char *anchor)
758 struct pf_keth_rule *rule, *tmp;
759 struct pf_keth_ruleset *rs;
763 rs = pf_find_or_create_keth_ruleset(anchor);
767 /* Purge old inactive rules. */
768 TAILQ_FOREACH_SAFE(rule, rs->inactive.rules, entries,
770 TAILQ_REMOVE(rs->inactive.rules, rule,
772 pf_free_eth_rule(rule);
775 *ticket = ++rs->inactive.ticket;
776 rs->inactive.open = 1;
782 pf_rollback_eth_cb(struct epoch_context *ctx)
784 struct pf_keth_ruleset *rs;
786 rs = __containerof(ctx, struct pf_keth_ruleset, epoch_ctx);
788 CURVNET_SET(rs->vnet);
791 pf_rollback_eth(rs->inactive.ticket,
792 rs->anchor ? rs->anchor->path : "");
799 pf_rollback_eth(uint32_t ticket, const char *anchor)
801 struct pf_keth_rule *rule, *tmp;
802 struct pf_keth_ruleset *rs;
806 rs = pf_find_keth_ruleset(anchor);
810 if (!rs->inactive.open ||
811 ticket != rs->inactive.ticket)
814 /* Purge old inactive rules. */
815 TAILQ_FOREACH_SAFE(rule, rs->inactive.rules, entries,
817 TAILQ_REMOVE(rs->inactive.rules, rule, entries);
818 pf_free_eth_rule(rule);
821 rs->inactive.open = 0;
823 pf_remove_if_empty_keth_ruleset(rs);
828 #define PF_SET_SKIP_STEPS(i) \
830 while (head[i] != cur) { \
831 head[i]->skip[i].ptr = cur; \
832 head[i] = TAILQ_NEXT(head[i], entries); \
837 pf_eth_calc_skip_steps(struct pf_keth_ruleq *rules)
839 struct pf_keth_rule *cur, *prev, *head[PFE_SKIP_COUNT];
842 cur = TAILQ_FIRST(rules);
844 for (i = 0; i < PFE_SKIP_COUNT; ++i)
846 while (cur != NULL) {
847 if (cur->kif != prev->kif || cur->ifnot != prev->ifnot)
848 PF_SET_SKIP_STEPS(PFE_SKIP_IFP);
849 if (cur->direction != prev->direction)
850 PF_SET_SKIP_STEPS(PFE_SKIP_DIR);
851 if (cur->proto != prev->proto)
852 PF_SET_SKIP_STEPS(PFE_SKIP_PROTO);
853 if (memcmp(&cur->src, &prev->src, sizeof(cur->src)) != 0)
854 PF_SET_SKIP_STEPS(PFE_SKIP_SRC_ADDR);
855 if (memcmp(&cur->dst, &prev->dst, sizeof(cur->dst)) != 0)
856 PF_SET_SKIP_STEPS(PFE_SKIP_DST_ADDR);
857 if (cur->ipsrc.neg != prev->ipsrc.neg ||
858 pf_addr_wrap_neq(&cur->ipsrc.addr, &prev->ipsrc.addr))
859 PF_SET_SKIP_STEPS(PFE_SKIP_SRC_IP_ADDR);
860 if (cur->ipdst.neg != prev->ipdst.neg ||
861 pf_addr_wrap_neq(&cur->ipdst.addr, &prev->ipdst.addr))
862 PF_SET_SKIP_STEPS(PFE_SKIP_DST_IP_ADDR);
865 cur = TAILQ_NEXT(cur, entries);
867 for (i = 0; i < PFE_SKIP_COUNT; ++i)
868 PF_SET_SKIP_STEPS(i);
872 pf_commit_eth(uint32_t ticket, const char *anchor)
874 struct pf_keth_ruleq *rules;
875 struct pf_keth_ruleset *rs;
877 rs = pf_find_keth_ruleset(anchor);
882 if (!rs->inactive.open ||
883 ticket != rs->inactive.ticket)
888 pf_eth_calc_skip_steps(rs->inactive.rules);
890 rules = rs->active.rules;
891 ck_pr_store_ptr(&rs->active.rules, rs->inactive.rules);
892 rs->inactive.rules = rules;
893 rs->inactive.ticket = rs->active.ticket;
895 /* Clean up inactive rules (i.e. previously active rules), only when
896 * we're sure they're no longer used. */
897 NET_EPOCH_CALL(pf_rollback_eth_cb, &rs->epoch_ctx);
904 pf_qname2qid(const char *qname)
906 return (tagname2tag(&V_pf_qids, qname));
910 pf_qid_unref(uint16_t qid)
912 tag_unref(&V_pf_qids, qid);
916 pf_begin_altq(u_int32_t *ticket)
918 struct pf_altq *altq, *tmp;
923 /* Purge the old altq lists */
924 TAILQ_FOREACH_SAFE(altq, V_pf_altq_ifs_inactive, entries, tmp) {
925 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
926 /* detach and destroy the discipline */
927 error = altq_remove(altq);
929 free(altq, M_PFALTQ);
931 TAILQ_INIT(V_pf_altq_ifs_inactive);
932 TAILQ_FOREACH_SAFE(altq, V_pf_altqs_inactive, entries, tmp) {
933 pf_qid_unref(altq->qid);
934 free(altq, M_PFALTQ);
936 TAILQ_INIT(V_pf_altqs_inactive);
939 *ticket = ++V_ticket_altqs_inactive;
940 V_altqs_inactive_open = 1;
945 pf_rollback_altq(u_int32_t ticket)
947 struct pf_altq *altq, *tmp;
952 if (!V_altqs_inactive_open || ticket != V_ticket_altqs_inactive)
954 /* Purge the old altq lists */
955 TAILQ_FOREACH_SAFE(altq, V_pf_altq_ifs_inactive, entries, tmp) {
956 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
957 /* detach and destroy the discipline */
958 error = altq_remove(altq);
960 free(altq, M_PFALTQ);
962 TAILQ_INIT(V_pf_altq_ifs_inactive);
963 TAILQ_FOREACH_SAFE(altq, V_pf_altqs_inactive, entries, tmp) {
964 pf_qid_unref(altq->qid);
965 free(altq, M_PFALTQ);
967 TAILQ_INIT(V_pf_altqs_inactive);
968 V_altqs_inactive_open = 0;
973 pf_commit_altq(u_int32_t ticket)
975 struct pf_altqqueue *old_altqs, *old_altq_ifs;
976 struct pf_altq *altq, *tmp;
981 if (!V_altqs_inactive_open || ticket != V_ticket_altqs_inactive)
984 /* swap altqs, keep the old. */
985 old_altqs = V_pf_altqs_active;
986 old_altq_ifs = V_pf_altq_ifs_active;
987 V_pf_altqs_active = V_pf_altqs_inactive;
988 V_pf_altq_ifs_active = V_pf_altq_ifs_inactive;
989 V_pf_altqs_inactive = old_altqs;
990 V_pf_altq_ifs_inactive = old_altq_ifs;
991 V_ticket_altqs_active = V_ticket_altqs_inactive;
993 /* Attach new disciplines */
994 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
995 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
996 /* attach the discipline */
997 error = altq_pfattach(altq);
998 if (error == 0 && V_pf_altq_running)
999 error = pf_enable_altq(altq);
1005 /* Purge the old altq lists */
1006 TAILQ_FOREACH_SAFE(altq, V_pf_altq_ifs_inactive, entries, tmp) {
1007 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
1008 /* detach and destroy the discipline */
1009 if (V_pf_altq_running)
1010 error = pf_disable_altq(altq);
1011 err = altq_pfdetach(altq);
1012 if (err != 0 && error == 0)
1014 err = altq_remove(altq);
1015 if (err != 0 && error == 0)
1018 free(altq, M_PFALTQ);
1020 TAILQ_INIT(V_pf_altq_ifs_inactive);
1021 TAILQ_FOREACH_SAFE(altq, V_pf_altqs_inactive, entries, tmp) {
1022 pf_qid_unref(altq->qid);
1023 free(altq, M_PFALTQ);
1025 TAILQ_INIT(V_pf_altqs_inactive);
1027 V_altqs_inactive_open = 0;
1032 pf_enable_altq(struct pf_altq *altq)
1035 struct tb_profile tb;
1038 if ((ifp = ifunit(altq->ifname)) == NULL)
1041 if (ifp->if_snd.altq_type != ALTQT_NONE)
1042 error = altq_enable(&ifp->if_snd);
1044 /* set tokenbucket regulator */
1045 if (error == 0 && ifp != NULL && ALTQ_IS_ENABLED(&ifp->if_snd)) {
1046 tb.rate = altq->ifbandwidth;
1047 tb.depth = altq->tbrsize;
1048 error = tbr_set(&ifp->if_snd, &tb);
1055 pf_disable_altq(struct pf_altq *altq)
1058 struct tb_profile tb;
1061 if ((ifp = ifunit(altq->ifname)) == NULL)
1065 * when the discipline is no longer referenced, it was overridden
1066 * by a new one. if so, just return.
1068 if (altq->altq_disc != ifp->if_snd.altq_disc)
1071 error = altq_disable(&ifp->if_snd);
1074 /* clear tokenbucket regulator */
1076 error = tbr_set(&ifp->if_snd, &tb);
1083 pf_altq_ifnet_event_add(struct ifnet *ifp, int remove, u_int32_t ticket,
1084 struct pf_altq *altq)
1089 /* Deactivate the interface in question */
1090 altq->local_flags &= ~PFALTQ_FLAG_IF_REMOVED;
1091 if ((ifp1 = ifunit(altq->ifname)) == NULL ||
1092 (remove && ifp1 == ifp)) {
1093 altq->local_flags |= PFALTQ_FLAG_IF_REMOVED;
1095 error = altq_add(ifp1, altq);
1097 if (ticket != V_ticket_altqs_inactive)
1101 free(altq, M_PFALTQ);
1108 pf_altq_ifnet_event(struct ifnet *ifp, int remove)
1110 struct pf_altq *a1, *a2, *a3;
1115 * No need to re-evaluate the configuration for events on interfaces
1116 * that do not support ALTQ, as it's not possible for such
1117 * interfaces to be part of the configuration.
1119 if (!ALTQ_IS_READY(&ifp->if_snd))
1122 /* Interrupt userland queue modifications */
1123 if (V_altqs_inactive_open)
1124 pf_rollback_altq(V_ticket_altqs_inactive);
1126 /* Start new altq ruleset */
1127 if (pf_begin_altq(&ticket))
1130 /* Copy the current active set */
1131 TAILQ_FOREACH(a1, V_pf_altq_ifs_active, entries) {
1132 a2 = malloc(sizeof(*a2), M_PFALTQ, M_NOWAIT);
1137 bcopy(a1, a2, sizeof(struct pf_altq));
1139 error = pf_altq_ifnet_event_add(ifp, remove, ticket, a2);
1143 TAILQ_INSERT_TAIL(V_pf_altq_ifs_inactive, a2, entries);
1147 TAILQ_FOREACH(a1, V_pf_altqs_active, entries) {
1148 a2 = malloc(sizeof(*a2), M_PFALTQ, M_NOWAIT);
1153 bcopy(a1, a2, sizeof(struct pf_altq));
1155 if ((a2->qid = pf_qname2qid(a2->qname)) == 0) {
1160 a2->altq_disc = NULL;
1161 TAILQ_FOREACH(a3, V_pf_altq_ifs_inactive, entries) {
1162 if (strncmp(a3->ifname, a2->ifname,
1164 a2->altq_disc = a3->altq_disc;
1168 error = pf_altq_ifnet_event_add(ifp, remove, ticket, a2);
1172 TAILQ_INSERT_TAIL(V_pf_altqs_inactive, a2, entries);
1177 pf_rollback_altq(ticket);
1179 pf_commit_altq(ticket);
1183 static struct pf_krule_global *
1184 pf_rule_tree_alloc(int flags)
1186 struct pf_krule_global *tree;
1188 tree = malloc(sizeof(struct pf_krule_global), M_TEMP, flags);
1196 pf_rule_tree_free(struct pf_krule_global *tree)
1203 pf_begin_rules(u_int32_t *ticket, int rs_num, const char *anchor)
1205 struct pf_krule_global *tree;
1206 struct pf_kruleset *rs;
1207 struct pf_krule *rule;
1211 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
1213 tree = pf_rule_tree_alloc(M_NOWAIT);
1216 rs = pf_find_or_create_kruleset(anchor);
1221 pf_rule_tree_free(rs->rules[rs_num].inactive.tree);
1222 rs->rules[rs_num].inactive.tree = tree;
1224 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
1225 pf_unlink_rule(rs->rules[rs_num].inactive.ptr, rule);
1226 rs->rules[rs_num].inactive.rcount--;
1228 *ticket = ++rs->rules[rs_num].inactive.ticket;
1229 rs->rules[rs_num].inactive.open = 1;
1234 pf_rollback_rules(u_int32_t ticket, int rs_num, char *anchor)
1236 struct pf_kruleset *rs;
1237 struct pf_krule *rule;
1241 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
1243 rs = pf_find_kruleset(anchor);
1244 if (rs == NULL || !rs->rules[rs_num].inactive.open ||
1245 rs->rules[rs_num].inactive.ticket != ticket)
1247 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
1248 pf_unlink_rule(rs->rules[rs_num].inactive.ptr, rule);
1249 rs->rules[rs_num].inactive.rcount--;
1251 rs->rules[rs_num].inactive.open = 0;
1255 #define PF_MD5_UPD(st, elm) \
1256 MD5Update(ctx, (u_int8_t *) &(st)->elm, sizeof((st)->elm))
1258 #define PF_MD5_UPD_STR(st, elm) \
1259 MD5Update(ctx, (u_int8_t *) (st)->elm, strlen((st)->elm))
1261 #define PF_MD5_UPD_HTONL(st, elm, stor) do { \
1262 (stor) = htonl((st)->elm); \
1263 MD5Update(ctx, (u_int8_t *) &(stor), sizeof(u_int32_t));\
1266 #define PF_MD5_UPD_HTONS(st, elm, stor) do { \
1267 (stor) = htons((st)->elm); \
1268 MD5Update(ctx, (u_int8_t *) &(stor), sizeof(u_int16_t));\
1272 pf_hash_rule_addr(MD5_CTX *ctx, struct pf_rule_addr *pfr)
1274 PF_MD5_UPD(pfr, addr.type);
1275 switch (pfr->addr.type) {
1276 case PF_ADDR_DYNIFTL:
1277 PF_MD5_UPD(pfr, addr.v.ifname);
1278 PF_MD5_UPD(pfr, addr.iflags);
1281 PF_MD5_UPD(pfr, addr.v.tblname);
1283 case PF_ADDR_ADDRMASK:
1284 /* XXX ignore af? */
1285 PF_MD5_UPD(pfr, addr.v.a.addr.addr32);
1286 PF_MD5_UPD(pfr, addr.v.a.mask.addr32);
1290 PF_MD5_UPD(pfr, port[0]);
1291 PF_MD5_UPD(pfr, port[1]);
1292 PF_MD5_UPD(pfr, neg);
1293 PF_MD5_UPD(pfr, port_op);
1297 pf_hash_rule_rolling(MD5_CTX *ctx, struct pf_krule *rule)
1302 pf_hash_rule_addr(ctx, &rule->src);
1303 pf_hash_rule_addr(ctx, &rule->dst);
1304 for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++)
1305 PF_MD5_UPD_STR(rule, label[i]);
1306 PF_MD5_UPD_STR(rule, ifname);
1307 PF_MD5_UPD_STR(rule, match_tagname);
1308 PF_MD5_UPD_HTONS(rule, match_tag, x); /* dup? */
1309 PF_MD5_UPD_HTONL(rule, os_fingerprint, y);
1310 PF_MD5_UPD_HTONL(rule, prob, y);
1311 PF_MD5_UPD_HTONL(rule, uid.uid[0], y);
1312 PF_MD5_UPD_HTONL(rule, uid.uid[1], y);
1313 PF_MD5_UPD(rule, uid.op);
1314 PF_MD5_UPD_HTONL(rule, gid.gid[0], y);
1315 PF_MD5_UPD_HTONL(rule, gid.gid[1], y);
1316 PF_MD5_UPD(rule, gid.op);
1317 PF_MD5_UPD_HTONL(rule, rule_flag, y);
1318 PF_MD5_UPD(rule, action);
1319 PF_MD5_UPD(rule, direction);
1320 PF_MD5_UPD(rule, af);
1321 PF_MD5_UPD(rule, quick);
1322 PF_MD5_UPD(rule, ifnot);
1323 PF_MD5_UPD(rule, match_tag_not);
1324 PF_MD5_UPD(rule, natpass);
1325 PF_MD5_UPD(rule, keep_state);
1326 PF_MD5_UPD(rule, proto);
1327 PF_MD5_UPD(rule, type);
1328 PF_MD5_UPD(rule, code);
1329 PF_MD5_UPD(rule, flags);
1330 PF_MD5_UPD(rule, flagset);
1331 PF_MD5_UPD(rule, allow_opts);
1332 PF_MD5_UPD(rule, rt);
1333 PF_MD5_UPD(rule, tos);
1334 PF_MD5_UPD(rule, scrub_flags);
1335 PF_MD5_UPD(rule, min_ttl);
1336 PF_MD5_UPD(rule, set_tos);
1337 if (rule->anchor != NULL)
1338 PF_MD5_UPD_STR(rule, anchor->path);
1342 pf_hash_rule(struct pf_krule *rule)
1347 pf_hash_rule_rolling(&ctx, rule);
1348 MD5Final(rule->md5sum, &ctx);
1352 pf_krule_compare(struct pf_krule *a, struct pf_krule *b)
1355 return (memcmp(a->md5sum, b->md5sum, PF_MD5_DIGEST_LENGTH));
1359 pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor)
1361 struct pf_kruleset *rs;
1362 struct pf_krule *rule, **old_array, *old_rule;
1363 struct pf_krulequeue *old_rules;
1364 struct pf_krule_global *old_tree;
1366 u_int32_t old_rcount;
1370 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
1372 rs = pf_find_kruleset(anchor);
1373 if (rs == NULL || !rs->rules[rs_num].inactive.open ||
1374 ticket != rs->rules[rs_num].inactive.ticket)
1377 /* Calculate checksum for the main ruleset */
1378 if (rs == &pf_main_ruleset) {
1379 error = pf_setup_pfsync_matching(rs);
1384 /* Swap rules, keep the old. */
1385 old_rules = rs->rules[rs_num].active.ptr;
1386 old_rcount = rs->rules[rs_num].active.rcount;
1387 old_array = rs->rules[rs_num].active.ptr_array;
1388 old_tree = rs->rules[rs_num].active.tree;
1390 rs->rules[rs_num].active.ptr =
1391 rs->rules[rs_num].inactive.ptr;
1392 rs->rules[rs_num].active.ptr_array =
1393 rs->rules[rs_num].inactive.ptr_array;
1394 rs->rules[rs_num].active.tree =
1395 rs->rules[rs_num].inactive.tree;
1396 rs->rules[rs_num].active.rcount =
1397 rs->rules[rs_num].inactive.rcount;
1399 /* Attempt to preserve counter information. */
1400 if (V_pf_status.keep_counters && old_tree != NULL) {
1401 TAILQ_FOREACH(rule, rs->rules[rs_num].active.ptr,
1403 old_rule = RB_FIND(pf_krule_global, old_tree, rule);
1404 if (old_rule == NULL) {
1407 pf_counter_u64_critical_enter();
1408 pf_counter_u64_add_protected(&rule->evaluations,
1409 pf_counter_u64_fetch(&old_rule->evaluations));
1410 pf_counter_u64_add_protected(&rule->packets[0],
1411 pf_counter_u64_fetch(&old_rule->packets[0]));
1412 pf_counter_u64_add_protected(&rule->packets[1],
1413 pf_counter_u64_fetch(&old_rule->packets[1]));
1414 pf_counter_u64_add_protected(&rule->bytes[0],
1415 pf_counter_u64_fetch(&old_rule->bytes[0]));
1416 pf_counter_u64_add_protected(&rule->bytes[1],
1417 pf_counter_u64_fetch(&old_rule->bytes[1]));
1418 pf_counter_u64_critical_exit();
1422 rs->rules[rs_num].inactive.ptr = old_rules;
1423 rs->rules[rs_num].inactive.ptr_array = old_array;
1424 rs->rules[rs_num].inactive.tree = NULL; /* important for pf_ioctl_addrule */
1425 rs->rules[rs_num].inactive.rcount = old_rcount;
1427 rs->rules[rs_num].active.ticket =
1428 rs->rules[rs_num].inactive.ticket;
1429 pf_calc_skip_steps(rs->rules[rs_num].active.ptr);
1431 /* Purge the old rule list. */
1432 PF_UNLNKDRULES_LOCK();
1433 while ((rule = TAILQ_FIRST(old_rules)) != NULL)
1434 pf_unlink_rule_locked(old_rules, rule);
1435 PF_UNLNKDRULES_UNLOCK();
1436 if (rs->rules[rs_num].inactive.ptr_array)
1437 free(rs->rules[rs_num].inactive.ptr_array, M_TEMP);
1438 rs->rules[rs_num].inactive.ptr_array = NULL;
1439 rs->rules[rs_num].inactive.rcount = 0;
1440 rs->rules[rs_num].inactive.open = 0;
1441 pf_remove_if_empty_kruleset(rs);
1442 free(old_tree, M_TEMP);
1448 pf_setup_pfsync_matching(struct pf_kruleset *rs)
1451 struct pf_krule *rule;
1453 u_int8_t digest[PF_MD5_DIGEST_LENGTH];
1456 for (rs_cnt = 0; rs_cnt < PF_RULESET_MAX; rs_cnt++) {
1457 /* XXX PF_RULESET_SCRUB as well? */
1458 if (rs_cnt == PF_RULESET_SCRUB)
1461 if (rs->rules[rs_cnt].inactive.ptr_array)
1462 free(rs->rules[rs_cnt].inactive.ptr_array, M_TEMP);
1463 rs->rules[rs_cnt].inactive.ptr_array = NULL;
1465 if (rs->rules[rs_cnt].inactive.rcount) {
1466 rs->rules[rs_cnt].inactive.ptr_array =
1467 mallocarray(rs->rules[rs_cnt].inactive.rcount,
1468 sizeof(struct pf_rule **),
1471 if (!rs->rules[rs_cnt].inactive.ptr_array)
1475 TAILQ_FOREACH(rule, rs->rules[rs_cnt].inactive.ptr,
1477 pf_hash_rule_rolling(&ctx, rule);
1478 (rs->rules[rs_cnt].inactive.ptr_array)[rule->nr] = rule;
1482 MD5Final(digest, &ctx);
1483 memcpy(V_pf_status.pf_chksum, digest, sizeof(V_pf_status.pf_chksum));
1488 pf_eth_addr_setup(struct pf_keth_ruleset *ruleset, struct pf_addr_wrap *addr)
1492 switch (addr->type) {
1494 addr->p.tbl = pfr_eth_attach_table(ruleset, addr->v.tblname);
1495 if (addr->p.tbl == NULL)
1506 pf_addr_setup(struct pf_kruleset *ruleset, struct pf_addr_wrap *addr,
1511 switch (addr->type) {
1513 addr->p.tbl = pfr_attach_table(ruleset, addr->v.tblname);
1514 if (addr->p.tbl == NULL)
1517 case PF_ADDR_DYNIFTL:
1518 error = pfi_dynaddr_setup(addr, af);
1526 pf_addr_copyout(struct pf_addr_wrap *addr)
1529 switch (addr->type) {
1530 case PF_ADDR_DYNIFTL:
1531 pfi_dynaddr_copyout(addr);
1534 pf_tbladdr_copyout(addr);
1540 pf_src_node_copy(const struct pf_ksrc_node *in, struct pf_src_node *out)
1542 int secs = time_uptime, diff;
1544 bzero(out, sizeof(struct pf_src_node));
1546 bcopy(&in->addr, &out->addr, sizeof(struct pf_addr));
1547 bcopy(&in->raddr, &out->raddr, sizeof(struct pf_addr));
1549 if (in->rule.ptr != NULL)
1550 out->rule.nr = in->rule.ptr->nr;
1552 for (int i = 0; i < 2; i++) {
1553 out->bytes[i] = counter_u64_fetch(in->bytes[i]);
1554 out->packets[i] = counter_u64_fetch(in->packets[i]);
1557 out->states = in->states;
1558 out->conn = in->conn;
1560 out->ruletype = in->ruletype;
1562 out->creation = secs - in->creation;
1563 if (out->expire > secs)
1564 out->expire -= secs;
1568 /* Adjust the connection rate estimate. */
1569 diff = secs - in->conn_rate.last;
1570 if (diff >= in->conn_rate.seconds)
1571 out->conn_rate.count = 0;
1573 out->conn_rate.count -=
1574 in->conn_rate.count * diff /
1575 in->conn_rate.seconds;
1580 * Handle export of struct pf_kaltq to user binaries that may be using any
1581 * version of struct pf_altq.
1584 pf_export_kaltq(struct pf_altq *q, struct pfioc_altq_v1 *pa, size_t ioc_size)
1588 if (ioc_size == sizeof(struct pfioc_altq_v0))
1591 version = pa->version;
1593 if (version > PFIOC_ALTQ_VERSION)
1596 #define ASSIGN(x) exported_q->x = q->x
1598 bcopy(&q->x, &exported_q->x, min(sizeof(q->x), sizeof(exported_q->x)))
1599 #define SATU16(x) (u_int32_t)uqmin((x), USHRT_MAX)
1600 #define SATU32(x) (u_int32_t)uqmin((x), UINT_MAX)
1604 struct pf_altq_v0 *exported_q =
1605 &((struct pfioc_altq_v0 *)pa)->altq;
1611 exported_q->tbrsize = SATU16(q->tbrsize);
1612 exported_q->ifbandwidth = SATU32(q->ifbandwidth);
1617 exported_q->bandwidth = SATU32(q->bandwidth);
1619 ASSIGN(local_flags);
1624 if (q->scheduler == ALTQT_HFSC) {
1625 #define ASSIGN_OPT(x) exported_q->pq_u.hfsc_opts.x = q->pq_u.hfsc_opts.x
1626 #define ASSIGN_OPT_SATU32(x) exported_q->pq_u.hfsc_opts.x = \
1627 SATU32(q->pq_u.hfsc_opts.x)
1629 ASSIGN_OPT_SATU32(rtsc_m1);
1631 ASSIGN_OPT_SATU32(rtsc_m2);
1633 ASSIGN_OPT_SATU32(lssc_m1);
1635 ASSIGN_OPT_SATU32(lssc_m2);
1637 ASSIGN_OPT_SATU32(ulsc_m1);
1639 ASSIGN_OPT_SATU32(ulsc_m2);
1644 #undef ASSIGN_OPT_SATU32
1652 struct pf_altq_v1 *exported_q =
1653 &((struct pfioc_altq_v1 *)pa)->altq;
1659 ASSIGN(ifbandwidth);
1666 ASSIGN(local_flags);
1676 panic("%s: unhandled struct pfioc_altq version", __func__);
1689 * Handle import to struct pf_kaltq of struct pf_altq from user binaries
1690 * that may be using any version of it.
1693 pf_import_kaltq(struct pfioc_altq_v1 *pa, struct pf_altq *q, size_t ioc_size)
1697 if (ioc_size == sizeof(struct pfioc_altq_v0))
1700 version = pa->version;
1702 if (version > PFIOC_ALTQ_VERSION)
1705 #define ASSIGN(x) q->x = imported_q->x
1707 bcopy(&imported_q->x, &q->x, min(sizeof(imported_q->x), sizeof(q->x)))
1711 struct pf_altq_v0 *imported_q =
1712 &((struct pfioc_altq_v0 *)pa)->altq;
1717 ASSIGN(tbrsize); /* 16-bit -> 32-bit */
1718 ASSIGN(ifbandwidth); /* 32-bit -> 64-bit */
1723 ASSIGN(bandwidth); /* 32-bit -> 64-bit */
1725 ASSIGN(local_flags);
1730 if (imported_q->scheduler == ALTQT_HFSC) {
1731 #define ASSIGN_OPT(x) q->pq_u.hfsc_opts.x = imported_q->pq_u.hfsc_opts.x
1734 * The m1 and m2 parameters are being copied from
1737 ASSIGN_OPT(rtsc_m1);
1739 ASSIGN_OPT(rtsc_m2);
1741 ASSIGN_OPT(lssc_m1);
1743 ASSIGN_OPT(lssc_m2);
1745 ASSIGN_OPT(ulsc_m1);
1747 ASSIGN_OPT(ulsc_m2);
1759 struct pf_altq_v1 *imported_q =
1760 &((struct pfioc_altq_v1 *)pa)->altq;
1766 ASSIGN(ifbandwidth);
1773 ASSIGN(local_flags);
1783 panic("%s: unhandled struct pfioc_altq version", __func__);
1793 static struct pf_altq *
1794 pf_altq_get_nth_active(u_int32_t n)
1796 struct pf_altq *altq;
1800 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
1806 TAILQ_FOREACH(altq, V_pf_altqs_active, entries) {
1817 pf_krule_alloc(void)
1819 struct pf_krule *rule;
1821 rule = malloc(sizeof(struct pf_krule), M_PFRULE, M_WAITOK | M_ZERO);
1822 mtx_init(&rule->rpool.mtx, "pf_krule_pool", NULL, MTX_DEF);
1823 rule->timestamp = uma_zalloc_pcpu(pf_timestamp_pcpu_zone,
1829 pf_krule_free(struct pf_krule *rule)
1831 #ifdef PF_WANT_32_TO_64_COUNTER
1838 #ifdef PF_WANT_32_TO_64_COUNTER
1839 if (rule->allrulelinked) {
1840 wowned = PF_RULES_WOWNED();
1843 LIST_REMOVE(rule, allrulelist);
1844 V_pf_allrulecount--;
1850 pf_counter_u64_deinit(&rule->evaluations);
1851 for (int i = 0; i < 2; i++) {
1852 pf_counter_u64_deinit(&rule->packets[i]);
1853 pf_counter_u64_deinit(&rule->bytes[i]);
1855 counter_u64_free(rule->states_cur);
1856 counter_u64_free(rule->states_tot);
1857 counter_u64_free(rule->src_nodes);
1858 uma_zfree_pcpu(pf_timestamp_pcpu_zone, rule->timestamp);
1860 mtx_destroy(&rule->rpool.mtx);
1861 free(rule, M_PFRULE);
1865 pf_kpooladdr_to_pooladdr(const struct pf_kpooladdr *kpool,
1866 struct pf_pooladdr *pool)
1869 bzero(pool, sizeof(*pool));
1870 bcopy(&kpool->addr, &pool->addr, sizeof(pool->addr));
1871 strlcpy(pool->ifname, kpool->ifname, sizeof(pool->ifname));
1875 pf_pooladdr_to_kpooladdr(const struct pf_pooladdr *pool,
1876 struct pf_kpooladdr *kpool)
1880 bzero(kpool, sizeof(*kpool));
1881 bcopy(&pool->addr, &kpool->addr, sizeof(kpool->addr));
1882 ret = pf_user_strcpy(kpool->ifname, pool->ifname,
1883 sizeof(kpool->ifname));
1888 pf_pool_to_kpool(const struct pf_pool *pool, struct pf_kpool *kpool)
1890 _Static_assert(sizeof(pool->key) == sizeof(kpool->key), "");
1891 _Static_assert(sizeof(pool->counter) == sizeof(kpool->counter), "");
1893 bcopy(&pool->key, &kpool->key, sizeof(kpool->key));
1894 bcopy(&pool->counter, &kpool->counter, sizeof(kpool->counter));
1896 kpool->tblidx = pool->tblidx;
1897 kpool->proxy_port[0] = pool->proxy_port[0];
1898 kpool->proxy_port[1] = pool->proxy_port[1];
1899 kpool->opts = pool->opts;
1903 pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule)
1908 if (rule->af == AF_INET) {
1909 return (EAFNOSUPPORT);
1913 if (rule->af == AF_INET6) {
1914 return (EAFNOSUPPORT);
1918 ret = pf_check_rule_addr(&rule->src);
1921 ret = pf_check_rule_addr(&rule->dst);
1925 bcopy(&rule->src, &krule->src, sizeof(rule->src));
1926 bcopy(&rule->dst, &krule->dst, sizeof(rule->dst));
1928 ret = pf_user_strcpy(krule->label[0], rule->label, sizeof(rule->label));
1931 ret = pf_user_strcpy(krule->ifname, rule->ifname, sizeof(rule->ifname));
1934 ret = pf_user_strcpy(krule->qname, rule->qname, sizeof(rule->qname));
1937 ret = pf_user_strcpy(krule->pqname, rule->pqname, sizeof(rule->pqname));
1940 ret = pf_user_strcpy(krule->tagname, rule->tagname,
1941 sizeof(rule->tagname));
1944 ret = pf_user_strcpy(krule->match_tagname, rule->match_tagname,
1945 sizeof(rule->match_tagname));
1948 ret = pf_user_strcpy(krule->overload_tblname, rule->overload_tblname,
1949 sizeof(rule->overload_tblname));
1953 pf_pool_to_kpool(&rule->rpool, &krule->rpool);
1955 /* Don't allow userspace to set evaluations, packets or bytes. */
1956 /* kif, anchor, overload_tbl are not copied over. */
1958 krule->os_fingerprint = rule->os_fingerprint;
1960 krule->rtableid = rule->rtableid;
1961 bcopy(rule->timeout, krule->timeout, sizeof(krule->timeout));
1962 krule->max_states = rule->max_states;
1963 krule->max_src_nodes = rule->max_src_nodes;
1964 krule->max_src_states = rule->max_src_states;
1965 krule->max_src_conn = rule->max_src_conn;
1966 krule->max_src_conn_rate.limit = rule->max_src_conn_rate.limit;
1967 krule->max_src_conn_rate.seconds = rule->max_src_conn_rate.seconds;
1968 krule->qid = rule->qid;
1969 krule->pqid = rule->pqid;
1970 krule->nr = rule->nr;
1971 krule->prob = rule->prob;
1972 krule->cuid = rule->cuid;
1973 krule->cpid = rule->cpid;
1975 krule->return_icmp = rule->return_icmp;
1976 krule->return_icmp6 = rule->return_icmp6;
1977 krule->max_mss = rule->max_mss;
1978 krule->tag = rule->tag;
1979 krule->match_tag = rule->match_tag;
1980 krule->scrub_flags = rule->scrub_flags;
1982 bcopy(&rule->uid, &krule->uid, sizeof(krule->uid));
1983 bcopy(&rule->gid, &krule->gid, sizeof(krule->gid));
1985 krule->rule_flag = rule->rule_flag;
1986 krule->action = rule->action;
1987 krule->direction = rule->direction;
1988 krule->log = rule->log;
1989 krule->logif = rule->logif;
1990 krule->quick = rule->quick;
1991 krule->ifnot = rule->ifnot;
1992 krule->match_tag_not = rule->match_tag_not;
1993 krule->natpass = rule->natpass;
1995 krule->keep_state = rule->keep_state;
1996 krule->af = rule->af;
1997 krule->proto = rule->proto;
1998 krule->type = rule->type;
1999 krule->code = rule->code;
2000 krule->flags = rule->flags;
2001 krule->flagset = rule->flagset;
2002 krule->min_ttl = rule->min_ttl;
2003 krule->allow_opts = rule->allow_opts;
2004 krule->rt = rule->rt;
2005 krule->return_ttl = rule->return_ttl;
2006 krule->tos = rule->tos;
2007 krule->set_tos = rule->set_tos;
2009 krule->flush = rule->flush;
2010 krule->prio = rule->prio;
2011 krule->set_prio[0] = rule->set_prio[0];
2012 krule->set_prio[1] = rule->set_prio[1];
2014 bcopy(&rule->divert, &krule->divert, sizeof(krule->divert));
2020 pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
2021 uint32_t pool_ticket, const char *anchor, const char *anchor_call,
2024 struct pf_kruleset *ruleset;
2025 struct pf_krule *tail;
2026 struct pf_kpooladdr *pa;
2027 struct pfi_kkif *kif = NULL;
2031 if ((rule->return_icmp >> 8) > ICMP_MAXTYPE) {
2033 goto errout_unlocked;
2036 #define ERROUT(x) ERROUT_FUNCTION(errout, x)
2038 if (rule->ifname[0])
2039 kif = pf_kkif_create(M_WAITOK);
2040 pf_counter_u64_init(&rule->evaluations, M_WAITOK);
2041 for (int i = 0; i < 2; i++) {
2042 pf_counter_u64_init(&rule->packets[i], M_WAITOK);
2043 pf_counter_u64_init(&rule->bytes[i], M_WAITOK);
2045 rule->states_cur = counter_u64_alloc(M_WAITOK);
2046 rule->states_tot = counter_u64_alloc(M_WAITOK);
2047 rule->src_nodes = counter_u64_alloc(M_WAITOK);
2048 rule->cuid = td->td_ucred->cr_ruid;
2049 rule->cpid = td->td_proc ? td->td_proc->p_pid : 0;
2050 TAILQ_INIT(&rule->rpool.list);
2054 #ifdef PF_WANT_32_TO_64_COUNTER
2055 LIST_INSERT_HEAD(&V_pf_allrulelist, rule, allrulelist);
2056 MPASS(!rule->allrulelinked);
2057 rule->allrulelinked = true;
2058 V_pf_allrulecount++;
2060 ruleset = pf_find_kruleset(anchor);
2061 if (ruleset == NULL)
2063 rs_num = pf_get_ruleset_number(rule->action);
2064 if (rs_num >= PF_RULESET_MAX)
2066 if (ticket != ruleset->rules[rs_num].inactive.ticket) {
2067 DPFPRINTF(PF_DEBUG_MISC,
2068 ("ticket: %d != [%d]%d\n", ticket, rs_num,
2069 ruleset->rules[rs_num].inactive.ticket));
2072 if (pool_ticket != V_ticket_pabuf) {
2073 DPFPRINTF(PF_DEBUG_MISC,
2074 ("pool_ticket: %d != %d\n", pool_ticket,
2079 * XXXMJG hack: there is no mechanism to ensure they started the
2080 * transaction. Ticket checked above may happen to match by accident,
2081 * even if nobody called DIOCXBEGIN, let alone this process.
2082 * Partially work around it by checking if the RB tree got allocated,
2083 * see pf_begin_rules.
2085 if (ruleset->rules[rs_num].inactive.tree == NULL) {
2089 tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
2092 rule->nr = tail->nr + 1;
2095 if (rule->ifname[0]) {
2096 rule->kif = pfi_kkif_attach(kif, rule->ifname);
2098 pfi_kkif_ref(rule->kif);
2102 if (rule->rtableid > 0 && rule->rtableid >= rt_numfibs)
2107 if (rule->qname[0] != 0) {
2108 if ((rule->qid = pf_qname2qid(rule->qname)) == 0)
2110 else if (rule->pqname[0] != 0) {
2112 pf_qname2qid(rule->pqname)) == 0)
2115 rule->pqid = rule->qid;
2118 if (rule->tagname[0])
2119 if ((rule->tag = pf_tagname2tag(rule->tagname)) == 0)
2121 if (rule->match_tagname[0])
2122 if ((rule->match_tag =
2123 pf_tagname2tag(rule->match_tagname)) == 0)
2125 if (rule->rt && !rule->direction)
2129 if (rule->logif >= PFLOGIFS_MAX)
2131 if (pf_addr_setup(ruleset, &rule->src.addr, rule->af))
2133 if (pf_addr_setup(ruleset, &rule->dst.addr, rule->af))
2135 if (pf_kanchor_setup(rule, ruleset, anchor_call))
2137 if (rule->scrub_flags & PFSTATE_SETPRIO &&
2138 (rule->set_prio[0] > PF_PRIO_MAX ||
2139 rule->set_prio[1] > PF_PRIO_MAX))
2141 TAILQ_FOREACH(pa, &V_pf_pabuf, entries)
2142 if (pa->addr.type == PF_ADDR_TABLE) {
2143 pa->addr.p.tbl = pfr_attach_table(ruleset,
2144 pa->addr.v.tblname);
2145 if (pa->addr.p.tbl == NULL)
2149 rule->overload_tbl = NULL;
2150 if (rule->overload_tblname[0]) {
2151 if ((rule->overload_tbl = pfr_attach_table(ruleset,
2152 rule->overload_tblname)) == NULL)
2155 rule->overload_tbl->pfrkt_flags |=
2159 pf_mv_kpool(&V_pf_pabuf, &rule->rpool.list);
2160 if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) ||
2161 (rule->action == PF_BINAT)) && rule->anchor == NULL) ||
2162 (rule->rt > PF_NOPFROUTE)) &&
2163 (TAILQ_FIRST(&rule->rpool.list) == NULL))
2172 rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list);
2173 TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr,
2175 ruleset->rules[rs_num].inactive.rcount++;
2179 if (RB_INSERT(pf_krule_global, ruleset->rules[rs_num].inactive.tree, rule) != NULL) {
2181 TAILQ_REMOVE(ruleset->rules[rs_num].inactive.ptr, rule, entries);
2182 ruleset->rules[rs_num].inactive.rcount--;
2197 pf_krule_free(rule);
2202 pf_label_match(const struct pf_krule *rule, const char *label)
2206 while (*rule->label[i]) {
2207 if (strcmp(rule->label[i], label) == 0)
2216 pf_kill_matching_state(struct pf_state_key_cmp *key, int dir)
2218 struct pf_kstate *s;
2221 s = pf_find_state_all(key, dir, &more);
2235 pf_killstates_row(struct pf_kstate_kill *psk, struct pf_idhash *ih)
2237 struct pf_kstate *s;
2238 struct pf_state_key *sk;
2239 struct pf_addr *srcaddr, *dstaddr;
2240 struct pf_state_key_cmp match_key;
2241 int idx, killed = 0;
2243 u_int16_t srcport, dstport;
2244 struct pfi_kkif *kif;
2246 relock_DIOCKILLSTATES:
2247 PF_HASHROW_LOCK(ih);
2248 LIST_FOREACH(s, &ih->states, entry) {
2249 /* For floating states look at the original kif. */
2250 kif = s->kif == V_pfi_all ? s->orig_kif : s->kif;
2252 sk = s->key[PF_SK_WIRE];
2253 if (s->direction == PF_OUT) {
2254 srcaddr = &sk->addr[1];
2255 dstaddr = &sk->addr[0];
2256 srcport = sk->port[1];
2257 dstport = sk->port[0];
2259 srcaddr = &sk->addr[0];
2260 dstaddr = &sk->addr[1];
2261 srcport = sk->port[0];
2262 dstport = sk->port[1];
2265 if (psk->psk_af && sk->af != psk->psk_af)
2268 if (psk->psk_proto && psk->psk_proto != sk->proto)
2271 if (! PF_MATCHA(psk->psk_src.neg, &psk->psk_src.addr.v.a.addr,
2272 &psk->psk_src.addr.v.a.mask, srcaddr, sk->af))
2275 if (! PF_MATCHA(psk->psk_dst.neg, &psk->psk_dst.addr.v.a.addr,
2276 &psk->psk_dst.addr.v.a.mask, dstaddr, sk->af))
2279 if (! PF_MATCHA(psk->psk_rt_addr.neg,
2280 &psk->psk_rt_addr.addr.v.a.addr,
2281 &psk->psk_rt_addr.addr.v.a.mask,
2282 &s->rt_addr, sk->af))
2285 if (psk->psk_src.port_op != 0 &&
2286 ! pf_match_port(psk->psk_src.port_op,
2287 psk->psk_src.port[0], psk->psk_src.port[1], srcport))
2290 if (psk->psk_dst.port_op != 0 &&
2291 ! pf_match_port(psk->psk_dst.port_op,
2292 psk->psk_dst.port[0], psk->psk_dst.port[1], dstport))
2295 if (psk->psk_label[0] &&
2296 ! pf_label_match(s->rule.ptr, psk->psk_label))
2299 if (psk->psk_ifname[0] && strcmp(psk->psk_ifname,
2303 if (psk->psk_kill_match) {
2304 /* Create the key to find matching states, with lock
2307 bzero(&match_key, sizeof(match_key));
2309 if (s->direction == PF_OUT) {
2317 match_key.af = s->key[idx]->af;
2318 match_key.proto = s->key[idx]->proto;
2319 PF_ACPY(&match_key.addr[0],
2320 &s->key[idx]->addr[1], match_key.af);
2321 match_key.port[0] = s->key[idx]->port[1];
2322 PF_ACPY(&match_key.addr[1],
2323 &s->key[idx]->addr[0], match_key.af);
2324 match_key.port[1] = s->key[idx]->port[0];
2330 if (psk->psk_kill_match)
2331 killed += pf_kill_matching_state(&match_key, dir);
2333 goto relock_DIOCKILLSTATES;
2335 PF_HASHROW_UNLOCK(ih);
2341 pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td)
2344 PF_RULES_RLOCK_TRACKER;
2346 #define ERROUT_IOCTL(target, x) \
2349 SDT_PROBE3(pf, ioctl, ioctl, error, cmd, error, __LINE__); \
2354 /* XXX keep in sync with switch() below */
2355 if (securelevel_gt(td->td_ucred, 2))
2362 case DIOCGETSTATENV:
2363 case DIOCSETSTATUSIF:
2364 case DIOCGETSTATUSNV:
2369 case DIOCGETSTATESV2:
2370 case DIOCGETTIMEOUT:
2371 case DIOCCLRRULECTRS:
2373 case DIOCGETALTQSV0:
2374 case DIOCGETALTQSV1:
2377 case DIOCGETQSTATSV0:
2378 case DIOCGETQSTATSV1:
2379 case DIOCGETRULESETS:
2380 case DIOCGETRULESET:
2381 case DIOCRGETTABLES:
2382 case DIOCRGETTSTATS:
2383 case DIOCRCLRTSTATS:
2389 case DIOCRGETASTATS:
2390 case DIOCRCLRASTATS:
2393 case DIOCGETSRCNODES:
2394 case DIOCCLRSRCNODES:
2395 case DIOCGETSYNCOOKIES:
2396 case DIOCIGETIFACES:
2397 case DIOCGIFSPEEDV0:
2398 case DIOCGIFSPEEDV1:
2401 case DIOCGETETHRULES:
2402 case DIOCGETETHRULE:
2403 case DIOCGETETHRULESETS:
2404 case DIOCGETETHRULESET:
2406 case DIOCRCLRTABLES:
2407 case DIOCRADDTABLES:
2408 case DIOCRDELTABLES:
2409 case DIOCRSETTFLAGS:
2410 if (((struct pfioc_table *)addr)->pfrio_flags &
2412 break; /* dummy operation ok */
2418 if (!(flags & FWRITE))
2424 case DIOCGETSTATENV:
2425 case DIOCGETSTATUSNV:
2427 case DIOCGETSTATESV2:
2428 case DIOCGETTIMEOUT:
2430 case DIOCGETALTQSV0:
2431 case DIOCGETALTQSV1:
2434 case DIOCGETQSTATSV0:
2435 case DIOCGETQSTATSV1:
2436 case DIOCGETRULESETS:
2437 case DIOCGETRULESET:
2439 case DIOCRGETTABLES:
2440 case DIOCRGETTSTATS:
2442 case DIOCRGETASTATS:
2445 case DIOCGETSRCNODES:
2446 case DIOCGETSYNCOOKIES:
2447 case DIOCIGETIFACES:
2448 case DIOCGIFSPEEDV1:
2449 case DIOCGIFSPEEDV0:
2451 case DIOCGETETHRULES:
2452 case DIOCGETETHRULE:
2453 case DIOCGETETHRULESETS:
2454 case DIOCGETETHRULESET:
2456 case DIOCRCLRTABLES:
2457 case DIOCRADDTABLES:
2458 case DIOCRDELTABLES:
2459 case DIOCRCLRTSTATS:
2464 case DIOCRSETTFLAGS:
2465 if (((struct pfioc_table *)addr)->pfrio_flags &
2467 flags |= FWRITE; /* need write lock for dummy */
2468 break; /* dummy operation ok */
2475 CURVNET_SET(TD_TO_VNET(td));
2479 sx_xlock(&V_pf_ioctl_lock);
2480 if (V_pf_status.running)
2484 if (! TAILQ_EMPTY(V_pf_keth->active.rules))
2486 V_pf_status.running = 1;
2487 V_pf_status.since = time_second;
2488 new_unrhdr64(&V_pf_stateid, time_second);
2490 DPFPRINTF(PF_DEBUG_MISC, ("pf: started\n"));
2495 sx_xlock(&V_pf_ioctl_lock);
2496 if (!V_pf_status.running)
2499 V_pf_status.running = 0;
2502 V_pf_status.since = time_second;
2503 DPFPRINTF(PF_DEBUG_MISC, ("pf: stopped\n"));
2507 case DIOCGETETHRULES: {
2508 struct pfioc_nv *nv = (struct pfioc_nv *)addr;
2511 struct pf_keth_rule *tail;
2512 struct pf_keth_ruleset *rs;
2513 u_int32_t ticket, nr;
2514 const char *anchor = "";
2519 #define ERROUT(x) ERROUT_IOCTL(DIOCGETETHRULES_error, x)
2521 if (nv->len > pf_ioctl_maxcount)
2524 /* Copy the request in */
2525 packed = malloc(nv->len, M_NVLIST, M_WAITOK);
2529 error = copyin(nv->data, packed, nv->len);
2533 nvl = nvlist_unpack(packed, nv->len, 0);
2537 if (! nvlist_exists_string(nvl, "anchor"))
2540 anchor = nvlist_get_string(nvl, "anchor");
2542 rs = pf_find_keth_ruleset(anchor);
2544 nvlist_destroy(nvl);
2546 free(packed, M_NVLIST);
2553 nvl = nvlist_create(0);
2559 ticket = rs->active.ticket;
2560 tail = TAILQ_LAST(rs->active.rules, pf_keth_ruleq);
2568 nvlist_add_number(nvl, "ticket", ticket);
2569 nvlist_add_number(nvl, "nr", nr);
2571 packed = nvlist_pack(nvl, &nv->len);
2577 else if (nv->size < nv->len)
2580 error = copyout(packed, nv->data, nv->len);
2583 DIOCGETETHRULES_error:
2584 free(packed, M_NVLIST);
2585 nvlist_destroy(nvl);
2589 case DIOCGETETHRULE: {
2590 struct epoch_tracker et;
2591 struct pfioc_nv *nv = (struct pfioc_nv *)addr;
2592 nvlist_t *nvl = NULL;
2593 void *nvlpacked = NULL;
2594 struct pf_keth_rule *rule = NULL;
2595 struct pf_keth_ruleset *rs;
2596 u_int32_t ticket, nr;
2600 #define ERROUT(x) ERROUT_IOCTL(DIOCGETETHRULE_error, x)
2602 if (nv->len > pf_ioctl_maxcount)
2605 nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
2606 if (nvlpacked == NULL)
2609 error = copyin(nv->data, nvlpacked, nv->len);
2613 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
2616 if (! nvlist_exists_number(nvl, "ticket"))
2618 ticket = nvlist_get_number(nvl, "ticket");
2619 if (! nvlist_exists_string(nvl, "anchor"))
2621 anchor = nvlist_get_string(nvl, "anchor");
2623 if (nvlist_exists_bool(nvl, "clear"))
2624 clear = nvlist_get_bool(nvl, "clear");
2626 if (clear && !(flags & FWRITE))
2629 if (! nvlist_exists_number(nvl, "nr"))
2631 nr = nvlist_get_number(nvl, "nr");
2634 rs = pf_find_keth_ruleset(anchor);
2639 if (ticket != rs->active.ticket) {
2644 nvlist_destroy(nvl);
2646 free(nvlpacked, M_NVLIST);
2649 rule = TAILQ_FIRST(rs->active.rules);
2650 while ((rule != NULL) && (rule->nr != nr))
2651 rule = TAILQ_NEXT(rule, entries);
2656 /* Make sure rule can't go away. */
2657 NET_EPOCH_ENTER(et);
2659 nvl = pf_keth_rule_to_nveth_rule(rule);
2660 if (pf_keth_anchor_nvcopyout(rs, rule, nvl))
2666 nvlpacked = nvlist_pack(nvl, &nv->len);
2667 if (nvlpacked == NULL)
2672 else if (nv->size < nv->len)
2675 error = copyout(nvlpacked, nv->data, nv->len);
2676 if (error == 0 && clear) {
2677 counter_u64_zero(rule->evaluations);
2678 for (int i = 0; i < 2; i++) {
2679 counter_u64_zero(rule->packets[i]);
2680 counter_u64_zero(rule->bytes[i]);
2685 DIOCGETETHRULE_error:
2686 free(nvlpacked, M_NVLIST);
2687 nvlist_destroy(nvl);
2691 case DIOCADDETHRULE: {
2692 struct pfioc_nv *nv = (struct pfioc_nv *)addr;
2693 nvlist_t *nvl = NULL;
2694 void *nvlpacked = NULL;
2695 struct pf_keth_rule *rule = NULL, *tail = NULL;
2696 struct pf_keth_ruleset *ruleset = NULL;
2697 struct pfi_kkif *kif = NULL, *bridge_to_kif = NULL;
2698 const char *anchor = "", *anchor_call = "";
2700 #define ERROUT(x) ERROUT_IOCTL(DIOCADDETHRULE_error, x)
2702 if (nv->len > pf_ioctl_maxcount)
2705 nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
2706 if (nvlpacked == NULL)
2709 error = copyin(nv->data, nvlpacked, nv->len);
2713 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
2717 if (! nvlist_exists_number(nvl, "ticket"))
2720 if (nvlist_exists_string(nvl, "anchor"))
2721 anchor = nvlist_get_string(nvl, "anchor");
2722 if (nvlist_exists_string(nvl, "anchor_call"))
2723 anchor_call = nvlist_get_string(nvl, "anchor_call");
2725 ruleset = pf_find_keth_ruleset(anchor);
2726 if (ruleset == NULL)
2729 if (nvlist_get_number(nvl, "ticket") !=
2730 ruleset->inactive.ticket) {
2731 DPFPRINTF(PF_DEBUG_MISC,
2732 ("ticket: %d != %d\n",
2733 (u_int32_t)nvlist_get_number(nvl, "ticket"),
2734 ruleset->inactive.ticket));
2738 rule = malloc(sizeof(*rule), M_PFRULE, M_WAITOK);
2741 rule->timestamp = NULL;
2743 error = pf_nveth_rule_to_keth_rule(nvl, rule);
2747 if (rule->ifname[0])
2748 kif = pf_kkif_create(M_WAITOK);
2749 if (rule->bridge_to_name[0])
2750 bridge_to_kif = pf_kkif_create(M_WAITOK);
2751 rule->evaluations = counter_u64_alloc(M_WAITOK);
2752 for (int i = 0; i < 2; i++) {
2753 rule->packets[i] = counter_u64_alloc(M_WAITOK);
2754 rule->bytes[i] = counter_u64_alloc(M_WAITOK);
2756 rule->timestamp = uma_zalloc_pcpu(pf_timestamp_pcpu_zone,
2761 if (rule->ifname[0]) {
2762 rule->kif = pfi_kkif_attach(kif, rule->ifname);
2763 pfi_kkif_ref(rule->kif);
2766 if (rule->bridge_to_name[0]) {
2767 rule->bridge_to = pfi_kkif_attach(bridge_to_kif,
2768 rule->bridge_to_name);
2769 pfi_kkif_ref(rule->bridge_to);
2771 rule->bridge_to = NULL;
2775 if (rule->qname[0] != 0) {
2776 if ((rule->qid = pf_qname2qid(rule->qname)) == 0)
2779 rule->qid = rule->qid;
2782 if (rule->tagname[0])
2783 if ((rule->tag = pf_tagname2tag(rule->tagname)) == 0)
2785 if (rule->match_tagname[0])
2786 if ((rule->match_tag = pf_tagname2tag(
2787 rule->match_tagname)) == 0)
2790 if (error == 0 && rule->ipdst.addr.type == PF_ADDR_TABLE)
2791 error = pf_eth_addr_setup(ruleset, &rule->ipdst.addr);
2792 if (error == 0 && rule->ipsrc.addr.type == PF_ADDR_TABLE)
2793 error = pf_eth_addr_setup(ruleset, &rule->ipsrc.addr);
2796 pf_free_eth_rule(rule);
2801 if (pf_keth_anchor_setup(rule, ruleset, anchor_call)) {
2802 pf_free_eth_rule(rule);
2807 tail = TAILQ_LAST(ruleset->inactive.rules, pf_keth_ruleq);
2809 rule->nr = tail->nr + 1;
2813 TAILQ_INSERT_TAIL(ruleset->inactive.rules, rule, entries);
2818 DIOCADDETHRULE_error:
2819 nvlist_destroy(nvl);
2820 free(nvlpacked, M_NVLIST);
2824 case DIOCGETETHRULESETS: {
2825 struct epoch_tracker et;
2826 struct pfioc_nv *nv = (struct pfioc_nv *)addr;
2827 nvlist_t *nvl = NULL;
2828 void *nvlpacked = NULL;
2829 struct pf_keth_ruleset *ruleset;
2830 struct pf_keth_anchor *anchor;
2833 #define ERROUT(x) ERROUT_IOCTL(DIOCGETETHRULESETS_error, x)
2835 if (nv->len > pf_ioctl_maxcount)
2838 nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
2839 if (nvlpacked == NULL)
2842 error = copyin(nv->data, nvlpacked, nv->len);
2846 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
2849 if (! nvlist_exists_string(nvl, "path"))
2852 NET_EPOCH_ENTER(et);
2854 if ((ruleset = pf_find_keth_ruleset(
2855 nvlist_get_string(nvl, "path"))) == NULL) {
2860 if (ruleset->anchor == NULL) {
2861 RB_FOREACH(anchor, pf_keth_anchor_global, &V_pf_keth_anchors)
2862 if (anchor->parent == NULL)
2865 RB_FOREACH(anchor, pf_keth_anchor_node,
2866 &ruleset->anchor->children)
2872 nvlist_destroy(nvl);
2874 free(nvlpacked, M_NVLIST);
2877 nvl = nvlist_create(0);
2881 nvlist_add_number(nvl, "nr", nr);
2883 nvlpacked = nvlist_pack(nvl, &nv->len);
2884 if (nvlpacked == NULL)
2889 else if (nv->size < nv->len)
2892 error = copyout(nvlpacked, nv->data, nv->len);
2895 DIOCGETETHRULESETS_error:
2896 free(nvlpacked, M_NVLIST);
2897 nvlist_destroy(nvl);
2901 case DIOCGETETHRULESET: {
2902 struct epoch_tracker et;
2903 struct pfioc_nv *nv = (struct pfioc_nv *)addr;
2904 nvlist_t *nvl = NULL;
2905 void *nvlpacked = NULL;
2906 struct pf_keth_ruleset *ruleset;
2907 struct pf_keth_anchor *anchor;
2908 int nr = 0, req_nr = 0;
2911 #define ERROUT(x) ERROUT_IOCTL(DIOCGETETHRULESET_error, x)
2913 if (nv->len > pf_ioctl_maxcount)
2916 nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
2917 if (nvlpacked == NULL)
2920 error = copyin(nv->data, nvlpacked, nv->len);
2924 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
2927 if (! nvlist_exists_string(nvl, "path"))
2929 if (! nvlist_exists_number(nvl, "nr"))
2932 req_nr = nvlist_get_number(nvl, "nr");
2934 NET_EPOCH_ENTER(et);
2936 if ((ruleset = pf_find_keth_ruleset(
2937 nvlist_get_string(nvl, "path"))) == NULL) {
2942 nvlist_destroy(nvl);
2944 free(nvlpacked, M_NVLIST);
2947 nvl = nvlist_create(0);
2953 if (ruleset->anchor == NULL) {
2954 RB_FOREACH(anchor, pf_keth_anchor_global,
2955 &V_pf_keth_anchors) {
2956 if (anchor->parent == NULL && nr++ == req_nr) {
2962 RB_FOREACH(anchor, pf_keth_anchor_node,
2963 &ruleset->anchor->children) {
2964 if (nr++ == req_nr) {
2973 nvlist_add_number(nvl, "nr", nr);
2974 nvlist_add_string(nvl, "name", anchor->name);
2975 if (ruleset->anchor)
2976 nvlist_add_string(nvl, "path",
2977 ruleset->anchor->path);
2979 nvlist_add_string(nvl, "path", "");
2984 nvlpacked = nvlist_pack(nvl, &nv->len);
2985 if (nvlpacked == NULL)
2990 else if (nv->size < nv->len)
2993 error = copyout(nvlpacked, nv->data, nv->len);
2996 DIOCGETETHRULESET_error:
2997 free(nvlpacked, M_NVLIST);
2998 nvlist_destroy(nvl);
3002 case DIOCADDRULENV: {
3003 struct pfioc_nv *nv = (struct pfioc_nv *)addr;
3004 nvlist_t *nvl = NULL;
3005 void *nvlpacked = NULL;
3006 struct pf_krule *rule = NULL;
3007 const char *anchor = "", *anchor_call = "";
3008 uint32_t ticket = 0, pool_ticket = 0;
3010 #define ERROUT(x) ERROUT_IOCTL(DIOCADDRULENV_error, x)
3012 if (nv->len > pf_ioctl_maxcount)
3015 nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
3016 error = copyin(nv->data, nvlpacked, nv->len);
3020 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
3024 if (! nvlist_exists_number(nvl, "ticket"))
3026 ticket = nvlist_get_number(nvl, "ticket");
3028 if (! nvlist_exists_number(nvl, "pool_ticket"))
3030 pool_ticket = nvlist_get_number(nvl, "pool_ticket");
3032 if (! nvlist_exists_nvlist(nvl, "rule"))
3035 rule = pf_krule_alloc();
3036 error = pf_nvrule_to_krule(nvlist_get_nvlist(nvl, "rule"),
3041 if (nvlist_exists_string(nvl, "anchor"))
3042 anchor = nvlist_get_string(nvl, "anchor");
3043 if (nvlist_exists_string(nvl, "anchor_call"))
3044 anchor_call = nvlist_get_string(nvl, "anchor_call");
3046 if ((error = nvlist_error(nvl)))
3049 /* Frees rule on error */
3050 error = pf_ioctl_addrule(rule, ticket, pool_ticket, anchor,
3053 nvlist_destroy(nvl);
3054 free(nvlpacked, M_NVLIST);
3057 DIOCADDRULENV_error:
3058 pf_krule_free(rule);
3059 nvlist_destroy(nvl);
3060 free(nvlpacked, M_NVLIST);
3065 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
3066 struct pf_krule *rule;
3068 rule = pf_krule_alloc();
3069 error = pf_rule_to_krule(&pr->rule, rule);
3071 pf_krule_free(rule);
3075 pr->anchor[sizeof(pr->anchor) - 1] = 0;
3077 /* Frees rule on error */
3078 error = pf_ioctl_addrule(rule, pr->ticket, pr->pool_ticket,
3079 pr->anchor, pr->anchor_call, td);
3083 case DIOCGETRULES: {
3084 struct pfioc_rule *pr = (struct pfioc_rule *)addr;
3085 struct pf_kruleset *ruleset;
3086 struct pf_krule *tail;
3089 pr->anchor[sizeof(pr->anchor) - 1] = 0;
3092 ruleset = pf_find_kruleset(pr->anchor);
3093 if (ruleset == NULL) {
3098 rs_num = pf_get_ruleset_number(pr->rule.action);
3099 if (rs_num >= PF_RULESET_MAX) {
3104 tail = TAILQ_LAST(ruleset->rules[rs_num].active.ptr,
3107 pr->nr = tail->nr + 1;
3110 pr->ticket = ruleset->rules[rs_num].active.ticket;
3115 case DIOCGETRULENV: {
3116 struct pfioc_nv *nv = (struct pfioc_nv *)addr;
3117 nvlist_t *nvrule = NULL;
3118 nvlist_t *nvl = NULL;
3119 struct pf_kruleset *ruleset;
3120 struct pf_krule *rule;
3121 void *nvlpacked = NULL;
3123 bool clear_counter = false;
3125 #define ERROUT(x) ERROUT_IOCTL(DIOCGETRULENV_error, x)
3127 if (nv->len > pf_ioctl_maxcount)
3130 /* Copy the request in */
3131 nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
3132 if (nvlpacked == NULL)
3135 error = copyin(nv->data, nvlpacked, nv->len);
3139 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
3143 if (! nvlist_exists_string(nvl, "anchor"))
3145 if (! nvlist_exists_number(nvl, "ruleset"))
3147 if (! nvlist_exists_number(nvl, "ticket"))
3149 if (! nvlist_exists_number(nvl, "nr"))
3152 if (nvlist_exists_bool(nvl, "clear_counter"))
3153 clear_counter = nvlist_get_bool(nvl, "clear_counter");
3155 if (clear_counter && !(flags & FWRITE))
3158 nr = nvlist_get_number(nvl, "nr");
3161 ruleset = pf_find_kruleset(nvlist_get_string(nvl, "anchor"));
3162 if (ruleset == NULL) {
3167 rs_num = pf_get_ruleset_number(nvlist_get_number(nvl, "ruleset"));
3168 if (rs_num >= PF_RULESET_MAX) {
3173 if (nvlist_get_number(nvl, "ticket") !=
3174 ruleset->rules[rs_num].active.ticket) {
3179 if ((error = nvlist_error(nvl))) {
3184 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
3185 while ((rule != NULL) && (rule->nr != nr))
3186 rule = TAILQ_NEXT(rule, entries);
3192 nvrule = pf_krule_to_nvrule(rule);
3194 nvlist_destroy(nvl);
3195 nvl = nvlist_create(0);
3200 nvlist_add_number(nvl, "nr", nr);
3201 nvlist_add_nvlist(nvl, "rule", nvrule);
3202 nvlist_destroy(nvrule);
3204 if (pf_kanchor_nvcopyout(ruleset, rule, nvl)) {
3209 free(nvlpacked, M_NVLIST);
3210 nvlpacked = nvlist_pack(nvl, &nv->len);
3211 if (nvlpacked == NULL) {
3216 if (nv->size == 0) {
3220 else if (nv->size < nv->len) {
3225 if (clear_counter) {
3226 pf_counter_u64_zero(&rule->evaluations);
3227 for (int i = 0; i < 2; i++) {
3228 pf_counter_u64_zero(&rule->packets[i]);
3229 pf_counter_u64_zero(&rule->bytes[i]);
3231 counter_u64_zero(rule->states_tot);
3235 error = copyout(nvlpacked, nv->data, nv->len);
3238 DIOCGETRULENV_error:
3239 free(nvlpacked, M_NVLIST);
3240 nvlist_destroy(nvrule);
3241 nvlist_destroy(nvl);
3246 case DIOCCHANGERULE: {
3247 struct pfioc_rule *pcr = (struct pfioc_rule *)addr;
3248 struct pf_kruleset *ruleset;
3249 struct pf_krule *oldrule = NULL, *newrule = NULL;
3250 struct pfi_kkif *kif = NULL;
3251 struct pf_kpooladdr *pa;
3255 pcr->anchor[sizeof(pcr->anchor) - 1] = 0;
3257 if (pcr->action < PF_CHANGE_ADD_HEAD ||
3258 pcr->action > PF_CHANGE_GET_TICKET) {
3262 if (pcr->rule.return_icmp >> 8 > ICMP_MAXTYPE) {
3267 if (pcr->action != PF_CHANGE_REMOVE) {
3268 newrule = pf_krule_alloc();
3269 error = pf_rule_to_krule(&pcr->rule, newrule);
3271 pf_krule_free(newrule);
3275 if (newrule->ifname[0])
3276 kif = pf_kkif_create(M_WAITOK);
3277 pf_counter_u64_init(&newrule->evaluations, M_WAITOK);
3278 for (int i = 0; i < 2; i++) {
3279 pf_counter_u64_init(&newrule->packets[i], M_WAITOK);
3280 pf_counter_u64_init(&newrule->bytes[i], M_WAITOK);
3282 newrule->states_cur = counter_u64_alloc(M_WAITOK);
3283 newrule->states_tot = counter_u64_alloc(M_WAITOK);
3284 newrule->src_nodes = counter_u64_alloc(M_WAITOK);
3285 newrule->cuid = td->td_ucred->cr_ruid;
3286 newrule->cpid = td->td_proc ? td->td_proc->p_pid : 0;
3287 TAILQ_INIT(&newrule->rpool.list);
3289 #define ERROUT(x) ERROUT_IOCTL(DIOCCHANGERULE_error, x)
3293 #ifdef PF_WANT_32_TO_64_COUNTER
3294 if (newrule != NULL) {
3295 LIST_INSERT_HEAD(&V_pf_allrulelist, newrule, allrulelist);
3296 newrule->allrulelinked = true;
3297 V_pf_allrulecount++;
3301 if (!(pcr->action == PF_CHANGE_REMOVE ||
3302 pcr->action == PF_CHANGE_GET_TICKET) &&
3303 pcr->pool_ticket != V_ticket_pabuf)
3306 ruleset = pf_find_kruleset(pcr->anchor);
3307 if (ruleset == NULL)
3310 rs_num = pf_get_ruleset_number(pcr->rule.action);
3311 if (rs_num >= PF_RULESET_MAX)
3315 * XXXMJG: there is no guarantee that the ruleset was
3316 * created by the usual route of calling DIOCXBEGIN.
3317 * As a result it is possible the rule tree will not
3318 * be allocated yet. Hack around it by doing it here.
3319 * Note it is fine to let the tree persist in case of
3320 * error as it will be freed down the road on future
3321 * updates (if need be).
3323 if (ruleset->rules[rs_num].active.tree == NULL) {
3324 ruleset->rules[rs_num].active.tree = pf_rule_tree_alloc(M_NOWAIT);
3325 if (ruleset->rules[rs_num].active.tree == NULL) {
3330 if (pcr->action == PF_CHANGE_GET_TICKET) {
3331 pcr->ticket = ++ruleset->rules[rs_num].active.ticket;
3333 } else if (pcr->ticket !=
3334 ruleset->rules[rs_num].active.ticket)
3337 if (pcr->action != PF_CHANGE_REMOVE) {
3338 if (newrule->ifname[0]) {
3339 newrule->kif = pfi_kkif_attach(kif,
3342 pfi_kkif_ref(newrule->kif);
3344 newrule->kif = NULL;
3346 if (newrule->rtableid > 0 &&
3347 newrule->rtableid >= rt_numfibs)
3352 if (newrule->qname[0] != 0) {
3354 pf_qname2qid(newrule->qname)) == 0)
3356 else if (newrule->pqname[0] != 0) {
3357 if ((newrule->pqid =
3358 pf_qname2qid(newrule->pqname)) == 0)
3361 newrule->pqid = newrule->qid;
3364 if (newrule->tagname[0])
3366 pf_tagname2tag(newrule->tagname)) == 0)
3368 if (newrule->match_tagname[0])
3369 if ((newrule->match_tag = pf_tagname2tag(
3370 newrule->match_tagname)) == 0)
3372 if (newrule->rt && !newrule->direction)
3376 if (newrule->logif >= PFLOGIFS_MAX)
3378 if (pf_addr_setup(ruleset, &newrule->src.addr, newrule->af))
3380 if (pf_addr_setup(ruleset, &newrule->dst.addr, newrule->af))
3382 if (pf_kanchor_setup(newrule, ruleset, pcr->anchor_call))
3384 TAILQ_FOREACH(pa, &V_pf_pabuf, entries)
3385 if (pa->addr.type == PF_ADDR_TABLE) {
3387 pfr_attach_table(ruleset,
3388 pa->addr.v.tblname);
3389 if (pa->addr.p.tbl == NULL)
3393 newrule->overload_tbl = NULL;
3394 if (newrule->overload_tblname[0]) {
3395 if ((newrule->overload_tbl = pfr_attach_table(
3396 ruleset, newrule->overload_tblname)) ==
3400 newrule->overload_tbl->pfrkt_flags |=
3404 pf_mv_kpool(&V_pf_pabuf, &newrule->rpool.list);
3405 if (((((newrule->action == PF_NAT) ||
3406 (newrule->action == PF_RDR) ||
3407 (newrule->action == PF_BINAT) ||
3408 (newrule->rt > PF_NOPFROUTE)) &&
3409 !newrule->anchor)) &&
3410 (TAILQ_FIRST(&newrule->rpool.list) == NULL))
3414 pf_free_rule(newrule);
3420 newrule->rpool.cur = TAILQ_FIRST(&newrule->rpool.list);
3422 pf_empty_kpool(&V_pf_pabuf);
3424 if (pcr->action == PF_CHANGE_ADD_HEAD)
3425 oldrule = TAILQ_FIRST(
3426 ruleset->rules[rs_num].active.ptr);
3427 else if (pcr->action == PF_CHANGE_ADD_TAIL)
3428 oldrule = TAILQ_LAST(
3429 ruleset->rules[rs_num].active.ptr, pf_krulequeue);
3431 oldrule = TAILQ_FIRST(
3432 ruleset->rules[rs_num].active.ptr);
3433 while ((oldrule != NULL) && (oldrule->nr != pcr->nr))
3434 oldrule = TAILQ_NEXT(oldrule, entries);
3435 if (oldrule == NULL) {
3436 if (newrule != NULL)
3437 pf_free_rule(newrule);
3445 if (pcr->action == PF_CHANGE_REMOVE) {
3446 pf_unlink_rule(ruleset->rules[rs_num].active.ptr,
3448 RB_REMOVE(pf_krule_global,
3449 ruleset->rules[rs_num].active.tree, oldrule);
3450 ruleset->rules[rs_num].active.rcount--;
3452 pf_hash_rule(newrule);
3453 if (RB_INSERT(pf_krule_global,
3454 ruleset->rules[rs_num].active.tree, newrule) != NULL) {
3455 pf_free_rule(newrule);
3462 if (oldrule == NULL)
3464 ruleset->rules[rs_num].active.ptr,
3466 else if (pcr->action == PF_CHANGE_ADD_HEAD ||
3467 pcr->action == PF_CHANGE_ADD_BEFORE)
3468 TAILQ_INSERT_BEFORE(oldrule, newrule, entries);
3471 ruleset->rules[rs_num].active.ptr,
3472 oldrule, newrule, entries);
3473 ruleset->rules[rs_num].active.rcount++;
3477 TAILQ_FOREACH(oldrule,
3478 ruleset->rules[rs_num].active.ptr, entries)
3481 ruleset->rules[rs_num].active.ticket++;
3483 pf_calc_skip_steps(ruleset->rules[rs_num].active.ptr);
3484 pf_remove_if_empty_kruleset(ruleset);
3491 DIOCCHANGERULE_error:
3494 pf_krule_free(newrule);
3499 case DIOCCLRSTATESNV: {
3500 error = pf_clearstates_nv((struct pfioc_nv *)addr);
3504 case DIOCKILLSTATESNV: {
3505 error = pf_killstates_nv((struct pfioc_nv *)addr);
3509 case DIOCADDSTATE: {
3510 struct pfioc_state *ps = (struct pfioc_state *)addr;
3511 struct pfsync_state_1301 *sp = &ps->state;
3513 if (sp->timeout >= PFTM_MAX) {
3517 if (V_pfsync_state_import_ptr != NULL) {
3519 error = V_pfsync_state_import_ptr(
3520 (union pfsync_state_union *)sp, PFSYNC_SI_IOCTL,
3521 PFSYNC_MSG_VERSION_1301);
3528 case DIOCGETSTATE: {
3529 struct pfioc_state *ps = (struct pfioc_state *)addr;
3530 struct pf_kstate *s;
3532 s = pf_find_state_byid(ps->state.id, ps->state.creatorid);
3538 pfsync_state_export((union pfsync_state_union*)&ps->state,
3539 s, PFSYNC_MSG_VERSION_1301);
3544 case DIOCGETSTATENV: {
3545 error = pf_getstate((struct pfioc_nv *)addr);
3549 case DIOCGETSTATES: {
3550 struct pfioc_states *ps = (struct pfioc_states *)addr;
3551 struct pf_kstate *s;
3552 struct pfsync_state_1301 *pstore, *p;
3554 size_t slice_count = 16, count;
3557 if (ps->ps_len <= 0) {
3558 nr = uma_zone_get_cur(V_pf_state_z);
3559 ps->ps_len = sizeof(struct pfsync_state_1301) * nr;
3563 out = ps->ps_states;
3564 pstore = mallocarray(slice_count,
3565 sizeof(struct pfsync_state_1301), M_TEMP, M_WAITOK | M_ZERO);
3568 for (i = 0; i <= pf_hashmask; i++) {
3569 struct pf_idhash *ih = &V_pf_idhash[i];
3571 DIOCGETSTATES_retry:
3574 if (LIST_EMPTY(&ih->states))
3577 PF_HASHROW_LOCK(ih);
3579 LIST_FOREACH(s, &ih->states, entry) {
3580 if (s->timeout == PFTM_UNLINKED)
3585 if (count > slice_count) {
3586 PF_HASHROW_UNLOCK(ih);
3587 free(pstore, M_TEMP);
3588 slice_count = count * 2;
3589 pstore = mallocarray(slice_count,
3590 sizeof(struct pfsync_state_1301), M_TEMP,
3592 goto DIOCGETSTATES_retry;
3595 if ((nr+count) * sizeof(*p) > ps->ps_len) {
3596 PF_HASHROW_UNLOCK(ih);
3597 goto DIOCGETSTATES_full;
3600 LIST_FOREACH(s, &ih->states, entry) {
3601 if (s->timeout == PFTM_UNLINKED)
3604 pfsync_state_export((union pfsync_state_union*)p,
3605 s, PFSYNC_MSG_VERSION_1301);
3609 PF_HASHROW_UNLOCK(ih);
3610 error = copyout(pstore, out,
3611 sizeof(struct pfsync_state_1301) * count);
3614 out = ps->ps_states + nr;
3617 ps->ps_len = sizeof(struct pfsync_state_1301) * nr;
3618 free(pstore, M_TEMP);
3623 case DIOCGETSTATESV2: {
3624 struct pfioc_states_v2 *ps = (struct pfioc_states_v2 *)addr;
3625 struct pf_kstate *s;
3626 struct pf_state_export *pstore, *p;
3628 size_t slice_count = 16, count;
3631 if (ps->ps_req_version > PF_STATE_VERSION) {
3636 if (ps->ps_len <= 0) {
3637 nr = uma_zone_get_cur(V_pf_state_z);
3638 ps->ps_len = sizeof(struct pf_state_export) * nr;
3642 out = ps->ps_states;
3643 pstore = mallocarray(slice_count,
3644 sizeof(struct pf_state_export), M_TEMP, M_WAITOK | M_ZERO);
3647 for (i = 0; i <= pf_hashmask; i++) {
3648 struct pf_idhash *ih = &V_pf_idhash[i];
3650 DIOCGETSTATESV2_retry:
3653 if (LIST_EMPTY(&ih->states))
3656 PF_HASHROW_LOCK(ih);
3658 LIST_FOREACH(s, &ih->states, entry) {
3659 if (s->timeout == PFTM_UNLINKED)
3664 if (count > slice_count) {
3665 PF_HASHROW_UNLOCK(ih);
3666 free(pstore, M_TEMP);
3667 slice_count = count * 2;
3668 pstore = mallocarray(slice_count,
3669 sizeof(struct pf_state_export), M_TEMP,
3671 goto DIOCGETSTATESV2_retry;
3674 if ((nr+count) * sizeof(*p) > ps->ps_len) {
3675 PF_HASHROW_UNLOCK(ih);
3676 goto DIOCGETSTATESV2_full;
3679 LIST_FOREACH(s, &ih->states, entry) {
3680 if (s->timeout == PFTM_UNLINKED)
3683 pf_state_export(p, s);
3687 PF_HASHROW_UNLOCK(ih);
3688 error = copyout(pstore, out,
3689 sizeof(struct pf_state_export) * count);
3692 out = ps->ps_states + nr;
3694 DIOCGETSTATESV2_full:
3695 ps->ps_len = nr * sizeof(struct pf_state_export);
3696 free(pstore, M_TEMP);
3701 case DIOCGETSTATUSNV: {
3702 error = pf_getstatus((struct pfioc_nv *)addr);
3706 case DIOCSETSTATUSIF: {
3707 struct pfioc_if *pi = (struct pfioc_if *)addr;
3709 if (pi->ifname[0] == 0) {
3710 bzero(V_pf_status.ifname, IFNAMSIZ);
3714 error = pf_user_strcpy(V_pf_status.ifname, pi->ifname, IFNAMSIZ);
3719 case DIOCCLRSTATUS: {
3721 for (int i = 0; i < PFRES_MAX; i++)
3722 counter_u64_zero(V_pf_status.counters[i]);
3723 for (int i = 0; i < FCNT_MAX; i++)
3724 pf_counter_u64_zero(&V_pf_status.fcounters[i]);
3725 for (int i = 0; i < SCNT_MAX; i++)
3726 counter_u64_zero(V_pf_status.scounters[i]);
3727 for (int i = 0; i < KLCNT_MAX; i++)
3728 counter_u64_zero(V_pf_status.lcounters[i]);
3729 V_pf_status.since = time_second;
3730 if (*V_pf_status.ifname)
3731 pfi_update_status(V_pf_status.ifname, NULL);
3737 struct pfioc_natlook *pnl = (struct pfioc_natlook *)addr;
3738 struct pf_state_key *sk;
3739 struct pf_kstate *state;
3740 struct pf_state_key_cmp key;
3741 int m = 0, direction = pnl->direction;
3744 /* NATLOOK src and dst are reversed, so reverse sidx/didx */
3745 sidx = (direction == PF_IN) ? 1 : 0;
3746 didx = (direction == PF_IN) ? 0 : 1;
3749 PF_AZERO(&pnl->saddr, pnl->af) ||
3750 PF_AZERO(&pnl->daddr, pnl->af) ||
3751 ((pnl->proto == IPPROTO_TCP ||
3752 pnl->proto == IPPROTO_UDP) &&
3753 (!pnl->dport || !pnl->sport)))
3756 bzero(&key, sizeof(key));
3758 key.proto = pnl->proto;
3759 PF_ACPY(&key.addr[sidx], &pnl->saddr, pnl->af);
3760 key.port[sidx] = pnl->sport;
3761 PF_ACPY(&key.addr[didx], &pnl->daddr, pnl->af);
3762 key.port[didx] = pnl->dport;
3764 state = pf_find_state_all(&key, direction, &m);
3765 if (state == NULL) {
3769 PF_STATE_UNLOCK(state);
3770 error = E2BIG; /* more than one state */
3772 sk = state->key[sidx];
3773 PF_ACPY(&pnl->rsaddr, &sk->addr[sidx], sk->af);
3774 pnl->rsport = sk->port[sidx];
3775 PF_ACPY(&pnl->rdaddr, &sk->addr[didx], sk->af);
3776 pnl->rdport = sk->port[didx];
3777 PF_STATE_UNLOCK(state);
3784 case DIOCSETTIMEOUT: {
3785 struct pfioc_tm *pt = (struct pfioc_tm *)addr;
3788 if (pt->timeout < 0 || pt->timeout >= PFTM_MAX ||
3794 old = V_pf_default_rule.timeout[pt->timeout];
3795 if (pt->timeout == PFTM_INTERVAL && pt->seconds == 0)
3797 V_pf_default_rule.timeout[pt->timeout] = pt->seconds;
3798 if (pt->timeout == PFTM_INTERVAL && pt->seconds < old)
3799 wakeup(pf_purge_thread);
3805 case DIOCGETTIMEOUT: {
3806 struct pfioc_tm *pt = (struct pfioc_tm *)addr;
3808 if (pt->timeout < 0 || pt->timeout >= PFTM_MAX) {
3813 pt->seconds = V_pf_default_rule.timeout[pt->timeout];
3818 case DIOCGETLIMIT: {
3819 struct pfioc_limit *pl = (struct pfioc_limit *)addr;
3821 if (pl->index < 0 || pl->index >= PF_LIMIT_MAX) {
3826 pl->limit = V_pf_limits[pl->index].limit;
3831 case DIOCSETLIMIT: {
3832 struct pfioc_limit *pl = (struct pfioc_limit *)addr;
3836 if (pl->index < 0 || pl->index >= PF_LIMIT_MAX ||
3837 V_pf_limits[pl->index].zone == NULL) {
3842 uma_zone_set_max(V_pf_limits[pl->index].zone, pl->limit);
3843 old_limit = V_pf_limits[pl->index].limit;
3844 V_pf_limits[pl->index].limit = pl->limit;
3845 pl->limit = old_limit;
3850 case DIOCSETDEBUG: {
3851 u_int32_t *level = (u_int32_t *)addr;
3854 V_pf_status.debug = *level;
3859 case DIOCCLRRULECTRS: {
3860 /* obsoleted by DIOCGETRULE with action=PF_GET_CLR_CNTR */
3861 struct pf_kruleset *ruleset = &pf_main_ruleset;
3862 struct pf_krule *rule;
3866 ruleset->rules[PF_RULESET_FILTER].active.ptr, entries) {
3867 pf_counter_u64_zero(&rule->evaluations);
3868 for (int i = 0; i < 2; i++) {
3869 pf_counter_u64_zero(&rule->packets[i]);
3870 pf_counter_u64_zero(&rule->bytes[i]);
3877 case DIOCGIFSPEEDV0:
3878 case DIOCGIFSPEEDV1: {
3879 struct pf_ifspeed_v1 *psp = (struct pf_ifspeed_v1 *)addr;
3880 struct pf_ifspeed_v1 ps;
3883 if (psp->ifname[0] == '\0') {
3888 error = pf_user_strcpy(ps.ifname, psp->ifname, IFNAMSIZ);
3891 ifp = ifunit(ps.ifname);
3894 (u_int32_t)uqmin(ifp->if_baudrate, UINT_MAX);
3895 if (cmd == DIOCGIFSPEEDV1)
3896 psp->baudrate = ifp->if_baudrate;
3904 case DIOCSTARTALTQ: {
3905 struct pf_altq *altq;
3908 /* enable all altq interfaces on active list */
3909 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
3910 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
3911 error = pf_enable_altq(altq);
3917 V_pf_altq_running = 1;
3919 DPFPRINTF(PF_DEBUG_MISC, ("altq: started\n"));
3923 case DIOCSTOPALTQ: {
3924 struct pf_altq *altq;
3927 /* disable all altq interfaces on active list */
3928 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
3929 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
3930 error = pf_disable_altq(altq);
3936 V_pf_altq_running = 0;
3938 DPFPRINTF(PF_DEBUG_MISC, ("altq: stopped\n"));
3943 case DIOCADDALTQV1: {
3944 struct pfioc_altq_v1 *pa = (struct pfioc_altq_v1 *)addr;
3945 struct pf_altq *altq, *a;
3948 altq = malloc(sizeof(*altq), M_PFALTQ, M_WAITOK | M_ZERO);
3949 error = pf_import_kaltq(pa, altq, IOCPARM_LEN(cmd));
3952 altq->local_flags = 0;
3955 if (pa->ticket != V_ticket_altqs_inactive) {
3957 free(altq, M_PFALTQ);
3963 * if this is for a queue, find the discipline and
3964 * copy the necessary fields
3966 if (altq->qname[0] != 0) {
3967 if ((altq->qid = pf_qname2qid(altq->qname)) == 0) {
3970 free(altq, M_PFALTQ);
3973 altq->altq_disc = NULL;
3974 TAILQ_FOREACH(a, V_pf_altq_ifs_inactive, entries) {
3975 if (strncmp(a->ifname, altq->ifname,
3977 altq->altq_disc = a->altq_disc;
3983 if ((ifp = ifunit(altq->ifname)) == NULL)
3984 altq->local_flags |= PFALTQ_FLAG_IF_REMOVED;
3986 error = altq_add(ifp, altq);
3990 free(altq, M_PFALTQ);
3994 if (altq->qname[0] != 0)
3995 TAILQ_INSERT_TAIL(V_pf_altqs_inactive, altq, entries);
3997 TAILQ_INSERT_TAIL(V_pf_altq_ifs_inactive, altq, entries);
3998 /* version error check done on import above */
3999 pf_export_kaltq(altq, pa, IOCPARM_LEN(cmd));
4004 case DIOCGETALTQSV0:
4005 case DIOCGETALTQSV1: {
4006 struct pfioc_altq_v1 *pa = (struct pfioc_altq_v1 *)addr;
4007 struct pf_altq *altq;
4011 TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries)
4013 TAILQ_FOREACH(altq, V_pf_altqs_active, entries)
4015 pa->ticket = V_ticket_altqs_active;
4021 case DIOCGETALTQV1: {
4022 struct pfioc_altq_v1 *pa = (struct pfioc_altq_v1 *)addr;
4023 struct pf_altq *altq;
4026 if (pa->ticket != V_ticket_altqs_active) {
4031 altq = pf_altq_get_nth_active(pa->nr);
4037 pf_export_kaltq(altq, pa, IOCPARM_LEN(cmd));
4042 case DIOCCHANGEALTQV0:
4043 case DIOCCHANGEALTQV1:
4044 /* CHANGEALTQ not supported yet! */
4048 case DIOCGETQSTATSV0:
4049 case DIOCGETQSTATSV1: {
4050 struct pfioc_qstats_v1 *pq = (struct pfioc_qstats_v1 *)addr;
4051 struct pf_altq *altq;
4056 if (pq->ticket != V_ticket_altqs_active) {
4061 nbytes = pq->nbytes;
4062 altq = pf_altq_get_nth_active(pq->nr);
4069 if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) != 0) {
4075 if (cmd == DIOCGETQSTATSV0)
4076 version = 0; /* DIOCGETQSTATSV0 means stats struct v0 */
4078 version = pq->version;
4079 error = altq_getqstats(altq, pq->buf, &nbytes, version);
4081 pq->scheduler = altq->scheduler;
4082 pq->nbytes = nbytes;
4088 case DIOCBEGINADDRS: {
4089 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
4092 pf_empty_kpool(&V_pf_pabuf);
4093 pp->ticket = ++V_ticket_pabuf;
4099 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
4100 struct pf_kpooladdr *pa;
4101 struct pfi_kkif *kif = NULL;
4104 if (pp->af == AF_INET) {
4105 error = EAFNOSUPPORT;
4110 if (pp->af == AF_INET6) {
4111 error = EAFNOSUPPORT;
4115 if (pp->addr.addr.type != PF_ADDR_ADDRMASK &&
4116 pp->addr.addr.type != PF_ADDR_DYNIFTL &&
4117 pp->addr.addr.type != PF_ADDR_TABLE) {
4121 if (pp->addr.addr.p.dyn != NULL) {
4125 pa = malloc(sizeof(*pa), M_PFRULE, M_WAITOK);
4126 error = pf_pooladdr_to_kpooladdr(&pp->addr, pa);
4130 kif = pf_kkif_create(M_WAITOK);
4132 if (pp->ticket != V_ticket_pabuf) {
4140 if (pa->ifname[0]) {
4141 pa->kif = pfi_kkif_attach(kif, pa->ifname);
4143 pfi_kkif_ref(pa->kif);
4146 if (pa->addr.type == PF_ADDR_DYNIFTL && ((error =
4147 pfi_dynaddr_setup(&pa->addr, pp->af)) != 0)) {
4149 pfi_kkif_unref(pa->kif);
4154 TAILQ_INSERT_TAIL(&V_pf_pabuf, pa, entries);
4159 case DIOCGETADDRS: {
4160 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
4161 struct pf_kpool *pool;
4162 struct pf_kpooladdr *pa;
4164 pp->anchor[sizeof(pp->anchor) - 1] = 0;
4168 pool = pf_get_kpool(pp->anchor, pp->ticket, pp->r_action,
4169 pp->r_num, 0, 1, 0);
4175 TAILQ_FOREACH(pa, &pool->list, entries)
4182 struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr;
4183 struct pf_kpool *pool;
4184 struct pf_kpooladdr *pa;
4187 pp->anchor[sizeof(pp->anchor) - 1] = 0;
4190 pool = pf_get_kpool(pp->anchor, pp->ticket, pp->r_action,
4191 pp->r_num, 0, 1, 1);
4197 pa = TAILQ_FIRST(&pool->list);
4198 while ((pa != NULL) && (nr < pp->nr)) {
4199 pa = TAILQ_NEXT(pa, entries);
4207 pf_kpooladdr_to_pooladdr(pa, &pp->addr);
4208 pf_addr_copyout(&pp->addr.addr);
4213 case DIOCCHANGEADDR: {
4214 struct pfioc_pooladdr *pca = (struct pfioc_pooladdr *)addr;
4215 struct pf_kpool *pool;
4216 struct pf_kpooladdr *oldpa = NULL, *newpa = NULL;
4217 struct pf_kruleset *ruleset;
4218 struct pfi_kkif *kif = NULL;
4220 pca->anchor[sizeof(pca->anchor) - 1] = 0;
4222 if (pca->action < PF_CHANGE_ADD_HEAD ||
4223 pca->action > PF_CHANGE_REMOVE) {
4227 if (pca->addr.addr.type != PF_ADDR_ADDRMASK &&
4228 pca->addr.addr.type != PF_ADDR_DYNIFTL &&
4229 pca->addr.addr.type != PF_ADDR_TABLE) {
4233 if (pca->addr.addr.p.dyn != NULL) {
4238 if (pca->action != PF_CHANGE_REMOVE) {
4240 if (pca->af == AF_INET) {
4241 error = EAFNOSUPPORT;
4246 if (pca->af == AF_INET6) {
4247 error = EAFNOSUPPORT;
4251 newpa = malloc(sizeof(*newpa), M_PFRULE, M_WAITOK);
4252 bcopy(&pca->addr, newpa, sizeof(struct pf_pooladdr));
4253 if (newpa->ifname[0])
4254 kif = pf_kkif_create(M_WAITOK);
4257 #define ERROUT(x) ERROUT_IOCTL(DIOCCHANGEADDR_error, x)
4259 ruleset = pf_find_kruleset(pca->anchor);
4260 if (ruleset == NULL)
4263 pool = pf_get_kpool(pca->anchor, pca->ticket, pca->r_action,
4264 pca->r_num, pca->r_last, 1, 1);
4268 if (pca->action != PF_CHANGE_REMOVE) {
4269 if (newpa->ifname[0]) {
4270 newpa->kif = pfi_kkif_attach(kif, newpa->ifname);
4271 pfi_kkif_ref(newpa->kif);
4275 switch (newpa->addr.type) {
4276 case PF_ADDR_DYNIFTL:
4277 error = pfi_dynaddr_setup(&newpa->addr,
4281 newpa->addr.p.tbl = pfr_attach_table(ruleset,
4282 newpa->addr.v.tblname);
4283 if (newpa->addr.p.tbl == NULL)
4288 goto DIOCCHANGEADDR_error;
4291 switch (pca->action) {
4292 case PF_CHANGE_ADD_HEAD:
4293 oldpa = TAILQ_FIRST(&pool->list);
4295 case PF_CHANGE_ADD_TAIL:
4296 oldpa = TAILQ_LAST(&pool->list, pf_kpalist);
4299 oldpa = TAILQ_FIRST(&pool->list);
4300 for (int i = 0; oldpa && i < pca->nr; i++)
4301 oldpa = TAILQ_NEXT(oldpa, entries);
4307 if (pca->action == PF_CHANGE_REMOVE) {
4308 TAILQ_REMOVE(&pool->list, oldpa, entries);
4309 switch (oldpa->addr.type) {
4310 case PF_ADDR_DYNIFTL:
4311 pfi_dynaddr_remove(oldpa->addr.p.dyn);
4314 pfr_detach_table(oldpa->addr.p.tbl);
4318 pfi_kkif_unref(oldpa->kif);
4319 free(oldpa, M_PFRULE);
4322 TAILQ_INSERT_TAIL(&pool->list, newpa, entries);
4323 else if (pca->action == PF_CHANGE_ADD_HEAD ||
4324 pca->action == PF_CHANGE_ADD_BEFORE)
4325 TAILQ_INSERT_BEFORE(oldpa, newpa, entries);
4327 TAILQ_INSERT_AFTER(&pool->list, oldpa,
4331 pool->cur = TAILQ_FIRST(&pool->list);
4332 PF_ACPY(&pool->counter, &pool->cur->addr.v.a.addr, pca->af);
4337 DIOCCHANGEADDR_error:
4338 if (newpa != NULL) {
4340 pfi_kkif_unref(newpa->kif);
4341 free(newpa, M_PFRULE);
4348 case DIOCGETRULESETS: {
4349 struct pfioc_ruleset *pr = (struct pfioc_ruleset *)addr;
4350 struct pf_kruleset *ruleset;
4351 struct pf_kanchor *anchor;
4353 pr->path[sizeof(pr->path) - 1] = 0;
4356 if ((ruleset = pf_find_kruleset(pr->path)) == NULL) {
4362 if (ruleset->anchor == NULL) {
4363 /* XXX kludge for pf_main_ruleset */
4364 RB_FOREACH(anchor, pf_kanchor_global, &V_pf_anchors)
4365 if (anchor->parent == NULL)
4368 RB_FOREACH(anchor, pf_kanchor_node,
4369 &ruleset->anchor->children)
4376 case DIOCGETRULESET: {
4377 struct pfioc_ruleset *pr = (struct pfioc_ruleset *)addr;
4378 struct pf_kruleset *ruleset;
4379 struct pf_kanchor *anchor;
4382 pr->path[sizeof(pr->path) - 1] = 0;
4385 if ((ruleset = pf_find_kruleset(pr->path)) == NULL) {
4391 if (ruleset->anchor == NULL) {
4392 /* XXX kludge for pf_main_ruleset */
4393 RB_FOREACH(anchor, pf_kanchor_global, &V_pf_anchors)
4394 if (anchor->parent == NULL && nr++ == pr->nr) {
4395 strlcpy(pr->name, anchor->name,
4400 RB_FOREACH(anchor, pf_kanchor_node,
4401 &ruleset->anchor->children)
4402 if (nr++ == pr->nr) {
4403 strlcpy(pr->name, anchor->name,
4414 case DIOCRCLRTABLES: {
4415 struct pfioc_table *io = (struct pfioc_table *)addr;
4417 if (io->pfrio_esize != 0) {
4422 error = pfr_clr_tables(&io->pfrio_table, &io->pfrio_ndel,
4423 io->pfrio_flags | PFR_FLAG_USERIOCTL);
4428 case DIOCRADDTABLES: {
4429 struct pfioc_table *io = (struct pfioc_table *)addr;
4430 struct pfr_table *pfrts;
4433 if (io->pfrio_esize != sizeof(struct pfr_table)) {
4438 if (io->pfrio_size < 0 || io->pfrio_size > pf_ioctl_maxcount ||
4439 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_table))) {
4444 totlen = io->pfrio_size * sizeof(struct pfr_table);
4445 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
4447 error = copyin(io->pfrio_buffer, pfrts, totlen);
4449 free(pfrts, M_TEMP);
4453 error = pfr_add_tables(pfrts, io->pfrio_size,
4454 &io->pfrio_nadd, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4456 free(pfrts, M_TEMP);
4460 case DIOCRDELTABLES: {
4461 struct pfioc_table *io = (struct pfioc_table *)addr;
4462 struct pfr_table *pfrts;
4465 if (io->pfrio_esize != sizeof(struct pfr_table)) {
4470 if (io->pfrio_size < 0 || io->pfrio_size > pf_ioctl_maxcount ||
4471 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_table))) {
4476 totlen = io->pfrio_size * sizeof(struct pfr_table);
4477 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
4479 error = copyin(io->pfrio_buffer, pfrts, totlen);
4481 free(pfrts, M_TEMP);
4485 error = pfr_del_tables(pfrts, io->pfrio_size,
4486 &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4488 free(pfrts, M_TEMP);
4492 case DIOCRGETTABLES: {
4493 struct pfioc_table *io = (struct pfioc_table *)addr;
4494 struct pfr_table *pfrts;
4498 if (io->pfrio_esize != sizeof(struct pfr_table)) {
4503 n = pfr_table_count(&io->pfrio_table, io->pfrio_flags);
4509 io->pfrio_size = min(io->pfrio_size, n);
4511 totlen = io->pfrio_size * sizeof(struct pfr_table);
4513 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
4514 M_TEMP, M_NOWAIT | M_ZERO);
4515 if (pfrts == NULL) {
4520 error = pfr_get_tables(&io->pfrio_table, pfrts,
4521 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4524 error = copyout(pfrts, io->pfrio_buffer, totlen);
4525 free(pfrts, M_TEMP);
4529 case DIOCRGETTSTATS: {
4530 struct pfioc_table *io = (struct pfioc_table *)addr;
4531 struct pfr_tstats *pfrtstats;
4535 if (io->pfrio_esize != sizeof(struct pfr_tstats)) {
4539 PF_TABLE_STATS_LOCK();
4541 n = pfr_table_count(&io->pfrio_table, io->pfrio_flags);
4544 PF_TABLE_STATS_UNLOCK();
4548 io->pfrio_size = min(io->pfrio_size, n);
4550 totlen = io->pfrio_size * sizeof(struct pfr_tstats);
4551 pfrtstats = mallocarray(io->pfrio_size,
4552 sizeof(struct pfr_tstats), M_TEMP, M_NOWAIT | M_ZERO);
4553 if (pfrtstats == NULL) {
4556 PF_TABLE_STATS_UNLOCK();
4559 error = pfr_get_tstats(&io->pfrio_table, pfrtstats,
4560 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4562 PF_TABLE_STATS_UNLOCK();
4564 error = copyout(pfrtstats, io->pfrio_buffer, totlen);
4565 free(pfrtstats, M_TEMP);
4569 case DIOCRCLRTSTATS: {
4570 struct pfioc_table *io = (struct pfioc_table *)addr;
4571 struct pfr_table *pfrts;
4574 if (io->pfrio_esize != sizeof(struct pfr_table)) {
4579 if (io->pfrio_size < 0 || io->pfrio_size > pf_ioctl_maxcount ||
4580 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_table))) {
4581 /* We used to count tables and use the minimum required
4582 * size, so we didn't fail on overly large requests.
4584 io->pfrio_size = pf_ioctl_maxcount;
4588 totlen = io->pfrio_size * sizeof(struct pfr_table);
4589 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
4591 error = copyin(io->pfrio_buffer, pfrts, totlen);
4593 free(pfrts, M_TEMP);
4597 PF_TABLE_STATS_LOCK();
4599 error = pfr_clr_tstats(pfrts, io->pfrio_size,
4600 &io->pfrio_nzero, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4602 PF_TABLE_STATS_UNLOCK();
4603 free(pfrts, M_TEMP);
4607 case DIOCRSETTFLAGS: {
4608 struct pfioc_table *io = (struct pfioc_table *)addr;
4609 struct pfr_table *pfrts;
4613 if (io->pfrio_esize != sizeof(struct pfr_table)) {
4619 n = pfr_table_count(&io->pfrio_table, io->pfrio_flags);
4626 io->pfrio_size = min(io->pfrio_size, n);
4629 totlen = io->pfrio_size * sizeof(struct pfr_table);
4630 pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
4632 error = copyin(io->pfrio_buffer, pfrts, totlen);
4634 free(pfrts, M_TEMP);
4638 error = pfr_set_tflags(pfrts, io->pfrio_size,
4639 io->pfrio_setflag, io->pfrio_clrflag, &io->pfrio_nchange,
4640 &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4642 free(pfrts, M_TEMP);
4646 case DIOCRCLRADDRS: {
4647 struct pfioc_table *io = (struct pfioc_table *)addr;
4649 if (io->pfrio_esize != 0) {
4654 error = pfr_clr_addrs(&io->pfrio_table, &io->pfrio_ndel,
4655 io->pfrio_flags | PFR_FLAG_USERIOCTL);
4660 case DIOCRADDADDRS: {
4661 struct pfioc_table *io = (struct pfioc_table *)addr;
4662 struct pfr_addr *pfras;
4665 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4669 if (io->pfrio_size < 0 ||
4670 io->pfrio_size > pf_ioctl_maxcount ||
4671 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4675 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4676 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4678 error = copyin(io->pfrio_buffer, pfras, totlen);
4680 free(pfras, M_TEMP);
4684 error = pfr_add_addrs(&io->pfrio_table, pfras,
4685 io->pfrio_size, &io->pfrio_nadd, io->pfrio_flags |
4686 PFR_FLAG_USERIOCTL);
4688 if (error == 0 && io->pfrio_flags & PFR_FLAG_FEEDBACK)
4689 error = copyout(pfras, io->pfrio_buffer, totlen);
4690 free(pfras, M_TEMP);
4694 case DIOCRDELADDRS: {
4695 struct pfioc_table *io = (struct pfioc_table *)addr;
4696 struct pfr_addr *pfras;
4699 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4703 if (io->pfrio_size < 0 ||
4704 io->pfrio_size > pf_ioctl_maxcount ||
4705 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4709 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4710 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4712 error = copyin(io->pfrio_buffer, pfras, totlen);
4714 free(pfras, M_TEMP);
4718 error = pfr_del_addrs(&io->pfrio_table, pfras,
4719 io->pfrio_size, &io->pfrio_ndel, io->pfrio_flags |
4720 PFR_FLAG_USERIOCTL);
4722 if (error == 0 && io->pfrio_flags & PFR_FLAG_FEEDBACK)
4723 error = copyout(pfras, io->pfrio_buffer, totlen);
4724 free(pfras, M_TEMP);
4728 case DIOCRSETADDRS: {
4729 struct pfioc_table *io = (struct pfioc_table *)addr;
4730 struct pfr_addr *pfras;
4731 size_t totlen, count;
4733 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4737 if (io->pfrio_size < 0 || io->pfrio_size2 < 0) {
4741 count = max(io->pfrio_size, io->pfrio_size2);
4742 if (count > pf_ioctl_maxcount ||
4743 WOULD_OVERFLOW(count, sizeof(struct pfr_addr))) {
4747 totlen = count * sizeof(struct pfr_addr);
4748 pfras = mallocarray(count, sizeof(struct pfr_addr), M_TEMP,
4750 error = copyin(io->pfrio_buffer, pfras, totlen);
4752 free(pfras, M_TEMP);
4756 error = pfr_set_addrs(&io->pfrio_table, pfras,
4757 io->pfrio_size, &io->pfrio_size2, &io->pfrio_nadd,
4758 &io->pfrio_ndel, &io->pfrio_nchange, io->pfrio_flags |
4759 PFR_FLAG_USERIOCTL, 0);
4761 if (error == 0 && io->pfrio_flags & PFR_FLAG_FEEDBACK)
4762 error = copyout(pfras, io->pfrio_buffer, totlen);
4763 free(pfras, M_TEMP);
4767 case DIOCRGETADDRS: {
4768 struct pfioc_table *io = (struct pfioc_table *)addr;
4769 struct pfr_addr *pfras;
4772 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4776 if (io->pfrio_size < 0 ||
4777 io->pfrio_size > pf_ioctl_maxcount ||
4778 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4782 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4783 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4784 M_TEMP, M_WAITOK | M_ZERO);
4786 error = pfr_get_addrs(&io->pfrio_table, pfras,
4787 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4790 error = copyout(pfras, io->pfrio_buffer, totlen);
4791 free(pfras, M_TEMP);
4795 case DIOCRGETASTATS: {
4796 struct pfioc_table *io = (struct pfioc_table *)addr;
4797 struct pfr_astats *pfrastats;
4800 if (io->pfrio_esize != sizeof(struct pfr_astats)) {
4804 if (io->pfrio_size < 0 ||
4805 io->pfrio_size > pf_ioctl_maxcount ||
4806 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_astats))) {
4810 totlen = io->pfrio_size * sizeof(struct pfr_astats);
4811 pfrastats = mallocarray(io->pfrio_size,
4812 sizeof(struct pfr_astats), M_TEMP, M_WAITOK | M_ZERO);
4814 error = pfr_get_astats(&io->pfrio_table, pfrastats,
4815 &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4818 error = copyout(pfrastats, io->pfrio_buffer, totlen);
4819 free(pfrastats, M_TEMP);
4823 case DIOCRCLRASTATS: {
4824 struct pfioc_table *io = (struct pfioc_table *)addr;
4825 struct pfr_addr *pfras;
4828 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4832 if (io->pfrio_size < 0 ||
4833 io->pfrio_size > pf_ioctl_maxcount ||
4834 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4838 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4839 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4841 error = copyin(io->pfrio_buffer, pfras, totlen);
4843 free(pfras, M_TEMP);
4847 error = pfr_clr_astats(&io->pfrio_table, pfras,
4848 io->pfrio_size, &io->pfrio_nzero, io->pfrio_flags |
4849 PFR_FLAG_USERIOCTL);
4851 if (error == 0 && io->pfrio_flags & PFR_FLAG_FEEDBACK)
4852 error = copyout(pfras, io->pfrio_buffer, totlen);
4853 free(pfras, M_TEMP);
4857 case DIOCRTSTADDRS: {
4858 struct pfioc_table *io = (struct pfioc_table *)addr;
4859 struct pfr_addr *pfras;
4862 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4866 if (io->pfrio_size < 0 ||
4867 io->pfrio_size > pf_ioctl_maxcount ||
4868 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4872 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4873 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4875 error = copyin(io->pfrio_buffer, pfras, totlen);
4877 free(pfras, M_TEMP);
4881 error = pfr_tst_addrs(&io->pfrio_table, pfras,
4882 io->pfrio_size, &io->pfrio_nmatch, io->pfrio_flags |
4883 PFR_FLAG_USERIOCTL);
4886 error = copyout(pfras, io->pfrio_buffer, totlen);
4887 free(pfras, M_TEMP);
4891 case DIOCRINADEFINE: {
4892 struct pfioc_table *io = (struct pfioc_table *)addr;
4893 struct pfr_addr *pfras;
4896 if (io->pfrio_esize != sizeof(struct pfr_addr)) {
4900 if (io->pfrio_size < 0 ||
4901 io->pfrio_size > pf_ioctl_maxcount ||
4902 WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
4906 totlen = io->pfrio_size * sizeof(struct pfr_addr);
4907 pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr),
4909 error = copyin(io->pfrio_buffer, pfras, totlen);
4911 free(pfras, M_TEMP);
4915 error = pfr_ina_define(&io->pfrio_table, pfras,
4916 io->pfrio_size, &io->pfrio_nadd, &io->pfrio_naddr,
4917 io->pfrio_ticket, io->pfrio_flags | PFR_FLAG_USERIOCTL);
4919 free(pfras, M_TEMP);
4924 struct pf_osfp_ioctl *io = (struct pf_osfp_ioctl *)addr;
4926 error = pf_osfp_add(io);
4932 struct pf_osfp_ioctl *io = (struct pf_osfp_ioctl *)addr;
4934 error = pf_osfp_get(io);
4940 struct pfioc_trans *io = (struct pfioc_trans *)addr;
4941 struct pfioc_trans_e *ioes, *ioe;
4945 if (io->esize != sizeof(*ioe)) {
4950 io->size > pf_ioctl_maxcount ||
4951 WOULD_OVERFLOW(io->size, sizeof(struct pfioc_trans_e))) {
4955 totlen = sizeof(struct pfioc_trans_e) * io->size;
4956 ioes = mallocarray(io->size, sizeof(struct pfioc_trans_e),
4958 error = copyin(io->array, ioes, totlen);
4963 /* Ensure there's no more ethernet rules to clean up. */
4964 NET_EPOCH_DRAIN_CALLBACKS();
4966 for (i = 0, ioe = ioes; i < io->size; i++, ioe++) {
4967 ioe->anchor[sizeof(ioe->anchor) - 1] = '\0';
4968 switch (ioe->rs_num) {
4969 case PF_RULESET_ETH:
4970 if ((error = pf_begin_eth(&ioe->ticket, ioe->anchor))) {
4977 case PF_RULESET_ALTQ:
4978 if (ioe->anchor[0]) {
4984 if ((error = pf_begin_altq(&ioe->ticket))) {
4991 case PF_RULESET_TABLE:
4993 struct pfr_table table;
4995 bzero(&table, sizeof(table));
4996 strlcpy(table.pfrt_anchor, ioe->anchor,
4997 sizeof(table.pfrt_anchor));
4998 if ((error = pfr_ina_begin(&table,
4999 &ioe->ticket, NULL, 0))) {
5007 if ((error = pf_begin_rules(&ioe->ticket,
5008 ioe->rs_num, ioe->anchor))) {
5017 error = copyout(ioes, io->array, totlen);
5022 case DIOCXROLLBACK: {
5023 struct pfioc_trans *io = (struct pfioc_trans *)addr;
5024 struct pfioc_trans_e *ioe, *ioes;
5028 if (io->esize != sizeof(*ioe)) {
5033 io->size > pf_ioctl_maxcount ||
5034 WOULD_OVERFLOW(io->size, sizeof(struct pfioc_trans_e))) {
5038 totlen = sizeof(struct pfioc_trans_e) * io->size;
5039 ioes = mallocarray(io->size, sizeof(struct pfioc_trans_e),
5041 error = copyin(io->array, ioes, totlen);
5047 for (i = 0, ioe = ioes; i < io->size; i++, ioe++) {
5048 ioe->anchor[sizeof(ioe->anchor) - 1] = '\0';
5049 switch (ioe->rs_num) {
5050 case PF_RULESET_ETH:
5051 if ((error = pf_rollback_eth(ioe->ticket,
5055 goto fail; /* really bad */
5059 case PF_RULESET_ALTQ:
5060 if (ioe->anchor[0]) {
5066 if ((error = pf_rollback_altq(ioe->ticket))) {
5069 goto fail; /* really bad */
5073 case PF_RULESET_TABLE:
5075 struct pfr_table table;
5077 bzero(&table, sizeof(table));
5078 strlcpy(table.pfrt_anchor, ioe->anchor,
5079 sizeof(table.pfrt_anchor));
5080 if ((error = pfr_ina_rollback(&table,
5081 ioe->ticket, NULL, 0))) {
5084 goto fail; /* really bad */
5089 if ((error = pf_rollback_rules(ioe->ticket,
5090 ioe->rs_num, ioe->anchor))) {
5093 goto fail; /* really bad */
5104 struct pfioc_trans *io = (struct pfioc_trans *)addr;
5105 struct pfioc_trans_e *ioe, *ioes;
5106 struct pf_kruleset *rs;
5107 struct pf_keth_ruleset *ers;
5111 if (io->esize != sizeof(*ioe)) {
5117 io->size > pf_ioctl_maxcount ||
5118 WOULD_OVERFLOW(io->size, sizeof(struct pfioc_trans_e))) {
5123 totlen = sizeof(struct pfioc_trans_e) * io->size;
5124 ioes = mallocarray(io->size, sizeof(struct pfioc_trans_e),
5126 error = copyin(io->array, ioes, totlen);
5132 /* First makes sure everything will succeed. */
5133 for (i = 0, ioe = ioes; i < io->size; i++, ioe++) {
5134 ioe->anchor[sizeof(ioe->anchor) - 1] = 0;
5135 switch (ioe->rs_num) {
5136 case PF_RULESET_ETH:
5137 ers = pf_find_keth_ruleset(ioe->anchor);
5138 if (ers == NULL || ioe->ticket == 0 ||
5139 ioe->ticket != ers->inactive.ticket) {
5147 case PF_RULESET_ALTQ:
5148 if (ioe->anchor[0]) {
5154 if (!V_altqs_inactive_open || ioe->ticket !=
5155 V_ticket_altqs_inactive) {
5163 case PF_RULESET_TABLE:
5164 rs = pf_find_kruleset(ioe->anchor);
5165 if (rs == NULL || !rs->topen || ioe->ticket !=
5174 if (ioe->rs_num < 0 || ioe->rs_num >=
5181 rs = pf_find_kruleset(ioe->anchor);
5183 !rs->rules[ioe->rs_num].inactive.open ||
5184 rs->rules[ioe->rs_num].inactive.ticket !=
5194 /* Now do the commit - no errors should happen here. */
5195 for (i = 0, ioe = ioes; i < io->size; i++, ioe++) {
5196 switch (ioe->rs_num) {
5197 case PF_RULESET_ETH:
5198 if ((error = pf_commit_eth(ioe->ticket, ioe->anchor))) {
5201 goto fail; /* really bad */
5205 case PF_RULESET_ALTQ:
5206 if ((error = pf_commit_altq(ioe->ticket))) {
5209 goto fail; /* really bad */
5213 case PF_RULESET_TABLE:
5215 struct pfr_table table;
5217 bzero(&table, sizeof(table));
5218 (void)strlcpy(table.pfrt_anchor, ioe->anchor,
5219 sizeof(table.pfrt_anchor));
5220 if ((error = pfr_ina_commit(&table,
5221 ioe->ticket, NULL, NULL, 0))) {
5224 goto fail; /* really bad */
5229 if ((error = pf_commit_rules(ioe->ticket,
5230 ioe->rs_num, ioe->anchor))) {
5233 goto fail; /* really bad */
5240 /* Only hook into EtherNet taffic if we've got rules for it. */
5241 if (! TAILQ_EMPTY(V_pf_keth->active.rules))
5250 case DIOCGETSRCNODES: {
5251 struct pfioc_src_nodes *psn = (struct pfioc_src_nodes *)addr;
5252 struct pf_srchash *sh;
5253 struct pf_ksrc_node *n;
5254 struct pf_src_node *p, *pstore;
5257 for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
5259 PF_HASHROW_LOCK(sh);
5260 LIST_FOREACH(n, &sh->nodes, entry)
5262 PF_HASHROW_UNLOCK(sh);
5265 psn->psn_len = min(psn->psn_len,
5266 sizeof(struct pf_src_node) * nr);
5268 if (psn->psn_len == 0) {
5269 psn->psn_len = sizeof(struct pf_src_node) * nr;
5275 p = pstore = malloc(psn->psn_len, M_TEMP, M_WAITOK | M_ZERO);
5276 for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
5278 PF_HASHROW_LOCK(sh);
5279 LIST_FOREACH(n, &sh->nodes, entry) {
5281 if ((nr + 1) * sizeof(*p) > (unsigned)psn->psn_len)
5284 pf_src_node_copy(n, p);
5289 PF_HASHROW_UNLOCK(sh);
5291 error = copyout(pstore, psn->psn_src_nodes,
5292 sizeof(struct pf_src_node) * nr);
5294 free(pstore, M_TEMP);
5297 psn->psn_len = sizeof(struct pf_src_node) * nr;
5298 free(pstore, M_TEMP);
5302 case DIOCCLRSRCNODES: {
5303 pf_clear_srcnodes(NULL);
5304 pf_purge_expired_src_nodes();
5308 case DIOCKILLSRCNODES:
5309 pf_kill_srcnodes((struct pfioc_src_node_kill *)addr);
5312 #ifdef COMPAT_FREEBSD13
5313 case DIOCKEEPCOUNTERS_FREEBSD13:
5315 case DIOCKEEPCOUNTERS:
5316 error = pf_keepcounters((struct pfioc_nv *)addr);
5319 case DIOCGETSYNCOOKIES:
5320 error = pf_get_syncookies((struct pfioc_nv *)addr);
5323 case DIOCSETSYNCOOKIES:
5324 error = pf_set_syncookies((struct pfioc_nv *)addr);
5327 case DIOCSETHOSTID: {
5328 u_int32_t *hostid = (u_int32_t *)addr;
5332 V_pf_status.hostid = arc4random();
5334 V_pf_status.hostid = *hostid;
5345 case DIOCIGETIFACES: {
5346 struct pfioc_iface *io = (struct pfioc_iface *)addr;
5347 struct pfi_kif *ifstore;
5350 if (io->pfiio_esize != sizeof(struct pfi_kif)) {
5355 if (io->pfiio_size < 0 ||
5356 io->pfiio_size > pf_ioctl_maxcount ||
5357 WOULD_OVERFLOW(io->pfiio_size, sizeof(struct pfi_kif))) {
5362 io->pfiio_name[sizeof(io->pfiio_name) - 1] = '\0';
5364 bufsiz = io->pfiio_size * sizeof(struct pfi_kif);
5365 ifstore = mallocarray(io->pfiio_size, sizeof(struct pfi_kif),
5366 M_TEMP, M_WAITOK | M_ZERO);
5369 pfi_get_ifaces(io->pfiio_name, ifstore, &io->pfiio_size);
5371 error = copyout(ifstore, io->pfiio_buffer, bufsiz);
5372 free(ifstore, M_TEMP);
5376 case DIOCSETIFFLAG: {
5377 struct pfioc_iface *io = (struct pfioc_iface *)addr;
5379 io->pfiio_name[sizeof(io->pfiio_name) - 1] = '\0';
5382 error = pfi_set_flags(io->pfiio_name, io->pfiio_flags);
5387 case DIOCCLRIFFLAG: {
5388 struct pfioc_iface *io = (struct pfioc_iface *)addr;
5390 io->pfiio_name[sizeof(io->pfiio_name) - 1] = '\0';
5393 error = pfi_clear_flags(io->pfiio_name, io->pfiio_flags);
5398 case DIOCSETREASS: {
5399 u_int32_t *reass = (u_int32_t *)addr;
5401 V_pf_status.reass = *reass & (PF_REASS_ENABLED|PF_REASS_NODF);
5402 /* Removal of DF flag without reassembly enabled is not a
5403 * valid combination. Disable reassembly in such case. */
5404 if (!(V_pf_status.reass & PF_REASS_ENABLED))
5405 V_pf_status.reass = 0;
5414 if (sx_xlocked(&V_pf_ioctl_lock))
5415 sx_xunlock(&V_pf_ioctl_lock);
5424 pfsync_state_export(union pfsync_state_union *sp, struct pf_kstate *st, int msg_version)
5426 bzero(sp, sizeof(union pfsync_state_union));
5428 /* copy from state key */
5429 sp->pfs_1301.key[PF_SK_WIRE].addr[0] = st->key[PF_SK_WIRE]->addr[0];
5430 sp->pfs_1301.key[PF_SK_WIRE].addr[1] = st->key[PF_SK_WIRE]->addr[1];
5431 sp->pfs_1301.key[PF_SK_WIRE].port[0] = st->key[PF_SK_WIRE]->port[0];
5432 sp->pfs_1301.key[PF_SK_WIRE].port[1] = st->key[PF_SK_WIRE]->port[1];
5433 sp->pfs_1301.key[PF_SK_STACK].addr[0] = st->key[PF_SK_STACK]->addr[0];
5434 sp->pfs_1301.key[PF_SK_STACK].addr[1] = st->key[PF_SK_STACK]->addr[1];
5435 sp->pfs_1301.key[PF_SK_STACK].port[0] = st->key[PF_SK_STACK]->port[0];
5436 sp->pfs_1301.key[PF_SK_STACK].port[1] = st->key[PF_SK_STACK]->port[1];
5437 sp->pfs_1301.proto = st->key[PF_SK_WIRE]->proto;
5438 sp->pfs_1301.af = st->key[PF_SK_WIRE]->af;
5440 /* copy from state */
5441 strlcpy(sp->pfs_1301.ifname, st->kif->pfik_name, sizeof(sp->pfs_1301.ifname));
5442 bcopy(&st->rt_addr, &sp->pfs_1301.rt_addr, sizeof(sp->pfs_1301.rt_addr));
5443 sp->pfs_1301.creation = htonl(time_uptime - st->creation);
5444 sp->pfs_1301.expire = pf_state_expires(st);
5445 if (sp->pfs_1301.expire <= time_uptime)
5446 sp->pfs_1301.expire = htonl(0);
5448 sp->pfs_1301.expire = htonl(sp->pfs_1301.expire - time_uptime);
5450 sp->pfs_1301.direction = st->direction;
5451 sp->pfs_1301.log = st->act.log;
5452 sp->pfs_1301.timeout = st->timeout;
5454 switch (msg_version) {
5455 case PFSYNC_MSG_VERSION_1301:
5456 sp->pfs_1301.state_flags = st->state_flags;
5458 case PFSYNC_MSG_VERSION_1400:
5459 sp->pfs_1400.state_flags = htons(st->state_flags);
5460 sp->pfs_1400.qid = htons(st->act.qid);
5461 sp->pfs_1400.pqid = htons(st->act.pqid);
5462 sp->pfs_1400.dnpipe = htons(st->act.dnpipe);
5463 sp->pfs_1400.dnrpipe = htons(st->act.dnrpipe);
5464 sp->pfs_1400.rtableid = htonl(st->act.rtableid);
5465 sp->pfs_1400.min_ttl = st->act.min_ttl;
5466 sp->pfs_1400.set_tos = st->act.set_tos;
5467 sp->pfs_1400.max_mss = htons(st->act.max_mss);
5468 sp->pfs_1400.set_prio[0] = st->act.set_prio[0];
5469 sp->pfs_1400.set_prio[1] = st->act.set_prio[1];
5470 sp->pfs_1400.rt = st->rt;
5472 strlcpy(sp->pfs_1400.rt_ifname,
5473 st->rt_kif->pfik_name,
5474 sizeof(sp->pfs_1400.rt_ifname));
5477 panic("%s: Unsupported pfsync_msg_version %d",
5478 __func__, msg_version);
5482 sp->pfs_1301.sync_flags |= PFSYNC_FLAG_SRCNODE;
5483 if (st->nat_src_node)
5484 sp->pfs_1301.sync_flags |= PFSYNC_FLAG_NATSRCNODE;
5486 sp->pfs_1301.id = st->id;
5487 sp->pfs_1301.creatorid = st->creatorid;
5488 pf_state_peer_hton(&st->src, &sp->pfs_1301.src);
5489 pf_state_peer_hton(&st->dst, &sp->pfs_1301.dst);
5491 if (st->rule.ptr == NULL)
5492 sp->pfs_1301.rule = htonl(-1);
5494 sp->pfs_1301.rule = htonl(st->rule.ptr->nr);
5495 if (st->anchor.ptr == NULL)
5496 sp->pfs_1301.anchor = htonl(-1);
5498 sp->pfs_1301.anchor = htonl(st->anchor.ptr->nr);
5499 if (st->nat_rule.ptr == NULL)
5500 sp->pfs_1301.nat_rule = htonl(-1);
5502 sp->pfs_1301.nat_rule = htonl(st->nat_rule.ptr->nr);
5504 pf_state_counter_hton(st->packets[0], sp->pfs_1301.packets[0]);
5505 pf_state_counter_hton(st->packets[1], sp->pfs_1301.packets[1]);
5506 pf_state_counter_hton(st->bytes[0], sp->pfs_1301.bytes[0]);
5507 pf_state_counter_hton(st->bytes[1], sp->pfs_1301.bytes[1]);
5511 pf_state_export(struct pf_state_export *sp, struct pf_kstate *st)
5513 bzero(sp, sizeof(*sp));
5515 sp->version = PF_STATE_VERSION;
5517 /* copy from state key */
5518 sp->key[PF_SK_WIRE].addr[0] = st->key[PF_SK_WIRE]->addr[0];
5519 sp->key[PF_SK_WIRE].addr[1] = st->key[PF_SK_WIRE]->addr[1];
5520 sp->key[PF_SK_WIRE].port[0] = st->key[PF_SK_WIRE]->port[0];
5521 sp->key[PF_SK_WIRE].port[1] = st->key[PF_SK_WIRE]->port[1];
5522 sp->key[PF_SK_STACK].addr[0] = st->key[PF_SK_STACK]->addr[0];
5523 sp->key[PF_SK_STACK].addr[1] = st->key[PF_SK_STACK]->addr[1];
5524 sp->key[PF_SK_STACK].port[0] = st->key[PF_SK_STACK]->port[0];
5525 sp->key[PF_SK_STACK].port[1] = st->key[PF_SK_STACK]->port[1];
5526 sp->proto = st->key[PF_SK_WIRE]->proto;
5527 sp->af = st->key[PF_SK_WIRE]->af;
5529 /* copy from state */
5530 strlcpy(sp->ifname, st->kif->pfik_name, sizeof(sp->ifname));
5531 strlcpy(sp->orig_ifname, st->orig_kif->pfik_name,
5532 sizeof(sp->orig_ifname));
5533 bcopy(&st->rt_addr, &sp->rt_addr, sizeof(sp->rt_addr));
5534 sp->creation = htonl(time_uptime - st->creation);
5535 sp->expire = pf_state_expires(st);
5536 if (sp->expire <= time_uptime)
5537 sp->expire = htonl(0);
5539 sp->expire = htonl(sp->expire - time_uptime);
5541 sp->direction = st->direction;
5542 sp->log = st->act.log;
5543 sp->timeout = st->timeout;
5544 /* 8 bits for the old libpfctl, 16 bits for the new libpfctl */
5545 sp->state_flags_compat = st->state_flags;
5546 sp->state_flags = htons(st->state_flags);
5548 sp->sync_flags |= PFSYNC_FLAG_SRCNODE;
5549 if (st->nat_src_node)
5550 sp->sync_flags |= PFSYNC_FLAG_NATSRCNODE;
5553 sp->creatorid = st->creatorid;
5554 pf_state_peer_hton(&st->src, &sp->src);
5555 pf_state_peer_hton(&st->dst, &sp->dst);
5557 if (st->rule.ptr == NULL)
5558 sp->rule = htonl(-1);
5560 sp->rule = htonl(st->rule.ptr->nr);
5561 if (st->anchor.ptr == NULL)
5562 sp->anchor = htonl(-1);
5564 sp->anchor = htonl(st->anchor.ptr->nr);
5565 if (st->nat_rule.ptr == NULL)
5566 sp->nat_rule = htonl(-1);
5568 sp->nat_rule = htonl(st->nat_rule.ptr->nr);
5570 sp->packets[0] = st->packets[0];
5571 sp->packets[1] = st->packets[1];
5572 sp->bytes[0] = st->bytes[0];
5573 sp->bytes[1] = st->bytes[1];
5575 sp->qid = htons(st->act.qid);
5576 sp->pqid = htons(st->act.pqid);
5577 sp->dnpipe = htons(st->act.dnpipe);
5578 sp->dnrpipe = htons(st->act.dnrpipe);
5579 sp->rtableid = htonl(st->act.rtableid);
5580 sp->min_ttl = st->act.min_ttl;
5581 sp->set_tos = st->act.set_tos;
5582 sp->max_mss = htons(st->act.max_mss);
5585 strlcpy(sp->rt_ifname, st->rt_kif->pfik_name,
5586 sizeof(sp->rt_ifname));
5587 sp->set_prio[0] = st->act.set_prio[0];
5588 sp->set_prio[1] = st->act.set_prio[1];
5593 pf_tbladdr_copyout(struct pf_addr_wrap *aw)
5595 struct pfr_ktable *kt;
5597 KASSERT(aw->type == PF_ADDR_TABLE, ("%s: type %u", __func__, aw->type));
5600 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
5601 kt = kt->pfrkt_root;
5603 aw->p.tblcnt = (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) ?
5608 pf_add_status_counters(nvlist_t *nvl, const char *name, counter_u64_t *counters,
5609 size_t number, char **names)
5613 nvc = nvlist_create(0);
5617 for (int i = 0; i < number; i++) {
5618 nvlist_append_number_array(nvc, "counters",
5619 counter_u64_fetch(counters[i]));
5620 nvlist_append_string_array(nvc, "names",
5622 nvlist_append_number_array(nvc, "ids",
5625 nvlist_add_nvlist(nvl, name, nvc);
5626 nvlist_destroy(nvc);
5632 pf_getstatus(struct pfioc_nv *nv)
5634 nvlist_t *nvl = NULL, *nvc = NULL;
5635 void *nvlpacked = NULL;
5638 char *pf_reasons[PFRES_MAX+1] = PFRES_NAMES;
5639 char *pf_lcounter[KLCNT_MAX+1] = KLCNT_NAMES;
5640 char *pf_fcounter[FCNT_MAX+1] = FCNT_NAMES;
5641 PF_RULES_RLOCK_TRACKER;
5643 #define ERROUT(x) ERROUT_FUNCTION(errout, x)
5647 nvl = nvlist_create(0);
5651 nvlist_add_bool(nvl, "running", V_pf_status.running);
5652 nvlist_add_number(nvl, "since", V_pf_status.since);
5653 nvlist_add_number(nvl, "debug", V_pf_status.debug);
5654 nvlist_add_number(nvl, "hostid", V_pf_status.hostid);
5655 nvlist_add_number(nvl, "states", V_pf_status.states);
5656 nvlist_add_number(nvl, "src_nodes", V_pf_status.src_nodes);
5657 nvlist_add_number(nvl, "reass", V_pf_status.reass);
5658 nvlist_add_bool(nvl, "syncookies_active",
5659 V_pf_status.syncookies_active);
5662 error = pf_add_status_counters(nvl, "counters", V_pf_status.counters,
5663 PFRES_MAX, pf_reasons);
5668 error = pf_add_status_counters(nvl, "lcounters", V_pf_status.lcounters,
5669 KLCNT_MAX, pf_lcounter);
5674 nvc = nvlist_create(0);
5678 for (int i = 0; i < FCNT_MAX; i++) {
5679 nvlist_append_number_array(nvc, "counters",
5680 pf_counter_u64_fetch(&V_pf_status.fcounters[i]));
5681 nvlist_append_string_array(nvc, "names",
5683 nvlist_append_number_array(nvc, "ids",
5686 nvlist_add_nvlist(nvl, "fcounters", nvc);
5687 nvlist_destroy(nvc);
5691 error = pf_add_status_counters(nvl, "scounters", V_pf_status.scounters,
5692 SCNT_MAX, pf_fcounter);
5696 nvlist_add_string(nvl, "ifname", V_pf_status.ifname);
5697 nvlist_add_binary(nvl, "chksum", V_pf_status.pf_chksum,
5698 PF_MD5_DIGEST_LENGTH);
5700 pfi_update_status(V_pf_status.ifname, &s);
5702 /* pcounters / bcounters */
5703 for (int i = 0; i < 2; i++) {
5704 for (int j = 0; j < 2; j++) {
5705 for (int k = 0; k < 2; k++) {
5706 nvlist_append_number_array(nvl, "pcounters",
5707 s.pcounters[i][j][k]);
5709 nvlist_append_number_array(nvl, "bcounters",
5714 nvlpacked = nvlist_pack(nvl, &nv->len);
5715 if (nvlpacked == NULL)
5720 else if (nv->size < nv->len)
5724 error = copyout(nvlpacked, nv->data, nv->len);
5731 free(nvlpacked, M_NVLIST);
5732 nvlist_destroy(nvc);
5733 nvlist_destroy(nvl);
5739 * XXX - Check for version mismatch!!!
5742 pf_clear_all_states(void)
5744 struct pf_kstate *s;
5747 for (i = 0; i <= pf_hashmask; i++) {
5748 struct pf_idhash *ih = &V_pf_idhash[i];
5750 PF_HASHROW_LOCK(ih);
5751 LIST_FOREACH(s, &ih->states, entry) {
5752 s->timeout = PFTM_PURGE;
5753 /* Don't send out individual delete messages. */
5754 s->state_flags |= PFSTATE_NOSYNC;
5758 PF_HASHROW_UNLOCK(ih);
5763 pf_clear_tables(void)
5765 struct pfioc_table io;
5768 bzero(&io, sizeof(io));
5770 error = pfr_clr_tables(&io.pfrio_table, &io.pfrio_ndel,
5777 pf_clear_srcnodes(struct pf_ksrc_node *n)
5779 struct pf_kstate *s;
5782 for (i = 0; i <= pf_hashmask; i++) {
5783 struct pf_idhash *ih = &V_pf_idhash[i];
5785 PF_HASHROW_LOCK(ih);
5786 LIST_FOREACH(s, &ih->states, entry) {
5787 if (n == NULL || n == s->src_node)
5789 if (n == NULL || n == s->nat_src_node)
5790 s->nat_src_node = NULL;
5792 PF_HASHROW_UNLOCK(ih);
5796 struct pf_srchash *sh;
5798 for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
5800 PF_HASHROW_LOCK(sh);
5801 LIST_FOREACH(n, &sh->nodes, entry) {
5805 PF_HASHROW_UNLOCK(sh);
5808 /* XXX: hash slot should already be locked here. */
5815 pf_kill_srcnodes(struct pfioc_src_node_kill *psnk)
5817 struct pf_ksrc_node_list kill;
5820 for (int i = 0; i <= pf_srchashmask; i++) {
5821 struct pf_srchash *sh = &V_pf_srchash[i];
5822 struct pf_ksrc_node *sn, *tmp;
5824 PF_HASHROW_LOCK(sh);
5825 LIST_FOREACH_SAFE(sn, &sh->nodes, entry, tmp)
5826 if (PF_MATCHA(psnk->psnk_src.neg,
5827 &psnk->psnk_src.addr.v.a.addr,
5828 &psnk->psnk_src.addr.v.a.mask,
5829 &sn->addr, sn->af) &&
5830 PF_MATCHA(psnk->psnk_dst.neg,
5831 &psnk->psnk_dst.addr.v.a.addr,
5832 &psnk->psnk_dst.addr.v.a.mask,
5833 &sn->raddr, sn->af)) {
5834 pf_unlink_src_node(sn);
5835 LIST_INSERT_HEAD(&kill, sn, entry);
5838 PF_HASHROW_UNLOCK(sh);
5841 for (int i = 0; i <= pf_hashmask; i++) {
5842 struct pf_idhash *ih = &V_pf_idhash[i];
5843 struct pf_kstate *s;
5845 PF_HASHROW_LOCK(ih);
5846 LIST_FOREACH(s, &ih->states, entry) {
5847 if (s->src_node && s->src_node->expire == 1)
5849 if (s->nat_src_node && s->nat_src_node->expire == 1)
5850 s->nat_src_node = NULL;
5852 PF_HASHROW_UNLOCK(ih);
5855 psnk->psnk_killed = pf_free_src_nodes(&kill);
5859 pf_keepcounters(struct pfioc_nv *nv)
5861 nvlist_t *nvl = NULL;
5862 void *nvlpacked = NULL;
5865 #define ERROUT(x) ERROUT_FUNCTION(on_error, x)
5867 if (nv->len > pf_ioctl_maxcount)
5870 nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
5871 if (nvlpacked == NULL)
5874 error = copyin(nv->data, nvlpacked, nv->len);
5878 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
5882 if (! nvlist_exists_bool(nvl, "keep_counters"))
5885 V_pf_status.keep_counters = nvlist_get_bool(nvl, "keep_counters");
5888 nvlist_destroy(nvl);
5889 free(nvlpacked, M_NVLIST);
5894 pf_clear_states(const struct pf_kstate_kill *kill)
5896 struct pf_state_key_cmp match_key;
5897 struct pf_kstate *s;
5898 struct pfi_kkif *kif;
5900 unsigned int killed = 0, dir;
5902 for (unsigned int i = 0; i <= pf_hashmask; i++) {
5903 struct pf_idhash *ih = &V_pf_idhash[i];
5905 relock_DIOCCLRSTATES:
5906 PF_HASHROW_LOCK(ih);
5907 LIST_FOREACH(s, &ih->states, entry) {
5908 /* For floating states look at the original kif. */
5909 kif = s->kif == V_pfi_all ? s->orig_kif : s->kif;
5911 if (kill->psk_ifname[0] &&
5912 strcmp(kill->psk_ifname,
5916 if (kill->psk_kill_match) {
5917 bzero(&match_key, sizeof(match_key));
5919 if (s->direction == PF_OUT) {
5927 match_key.af = s->key[idx]->af;
5928 match_key.proto = s->key[idx]->proto;
5929 PF_ACPY(&match_key.addr[0],
5930 &s->key[idx]->addr[1], match_key.af);
5931 match_key.port[0] = s->key[idx]->port[1];
5932 PF_ACPY(&match_key.addr[1],
5933 &s->key[idx]->addr[0], match_key.af);
5934 match_key.port[1] = s->key[idx]->port[0];
5938 * Don't send out individual
5941 s->state_flags |= PFSTATE_NOSYNC;
5945 if (kill->psk_kill_match)
5946 killed += pf_kill_matching_state(&match_key,
5949 goto relock_DIOCCLRSTATES;
5951 PF_HASHROW_UNLOCK(ih);
5954 if (V_pfsync_clear_states_ptr != NULL)
5955 V_pfsync_clear_states_ptr(V_pf_status.hostid, kill->psk_ifname);
5961 pf_killstates(struct pf_kstate_kill *kill, unsigned int *killed)
5963 struct pf_kstate *s;
5965 if (kill->psk_pfcmp.id) {
5966 if (kill->psk_pfcmp.creatorid == 0)
5967 kill->psk_pfcmp.creatorid = V_pf_status.hostid;
5968 if ((s = pf_find_state_byid(kill->psk_pfcmp.id,
5969 kill->psk_pfcmp.creatorid))) {
5976 for (unsigned int i = 0; i <= pf_hashmask; i++)
5977 *killed += pf_killstates_row(kill, &V_pf_idhash[i]);
5983 pf_killstates_nv(struct pfioc_nv *nv)
5985 struct pf_kstate_kill kill;
5986 nvlist_t *nvl = NULL;
5987 void *nvlpacked = NULL;
5989 unsigned int killed = 0;
5991 #define ERROUT(x) ERROUT_FUNCTION(on_error, x)
5993 if (nv->len > pf_ioctl_maxcount)
5996 nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
5997 if (nvlpacked == NULL)
6000 error = copyin(nv->data, nvlpacked, nv->len);
6004 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
6008 error = pf_nvstate_kill_to_kstate_kill(nvl, &kill);
6012 pf_killstates(&kill, &killed);
6014 free(nvlpacked, M_NVLIST);
6016 nvlist_destroy(nvl);
6017 nvl = nvlist_create(0);
6021 nvlist_add_number(nvl, "killed", killed);
6023 nvlpacked = nvlist_pack(nvl, &nv->len);
6024 if (nvlpacked == NULL)
6029 else if (nv->size < nv->len)
6032 error = copyout(nvlpacked, nv->data, nv->len);
6035 nvlist_destroy(nvl);
6036 free(nvlpacked, M_NVLIST);
6041 pf_clearstates_nv(struct pfioc_nv *nv)
6043 struct pf_kstate_kill kill;
6044 nvlist_t *nvl = NULL;
6045 void *nvlpacked = NULL;
6047 unsigned int killed;
6049 #define ERROUT(x) ERROUT_FUNCTION(on_error, x)
6051 if (nv->len > pf_ioctl_maxcount)
6054 nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
6055 if (nvlpacked == NULL)
6058 error = copyin(nv->data, nvlpacked, nv->len);
6062 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
6066 error = pf_nvstate_kill_to_kstate_kill(nvl, &kill);
6070 killed = pf_clear_states(&kill);
6072 free(nvlpacked, M_NVLIST);
6074 nvlist_destroy(nvl);
6075 nvl = nvlist_create(0);
6079 nvlist_add_number(nvl, "killed", killed);
6081 nvlpacked = nvlist_pack(nvl, &nv->len);
6082 if (nvlpacked == NULL)
6087 else if (nv->size < nv->len)
6090 error = copyout(nvlpacked, nv->data, nv->len);
6094 nvlist_destroy(nvl);
6095 free(nvlpacked, M_NVLIST);
6100 pf_getstate(struct pfioc_nv *nv)
6102 nvlist_t *nvl = NULL, *nvls;
6103 void *nvlpacked = NULL;
6104 struct pf_kstate *s = NULL;
6106 uint64_t id, creatorid;
6108 #define ERROUT(x) ERROUT_FUNCTION(errout, x)
6110 if (nv->len > pf_ioctl_maxcount)
6113 nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
6114 if (nvlpacked == NULL)
6117 error = copyin(nv->data, nvlpacked, nv->len);
6121 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
6125 PFNV_CHK(pf_nvuint64(nvl, "id", &id));
6126 PFNV_CHK(pf_nvuint64(nvl, "creatorid", &creatorid));
6128 s = pf_find_state_byid(id, creatorid);
6132 free(nvlpacked, M_NVLIST);
6134 nvlist_destroy(nvl);
6135 nvl = nvlist_create(0);
6139 nvls = pf_state_to_nvstate(s);
6143 nvlist_add_nvlist(nvl, "state", nvls);
6144 nvlist_destroy(nvls);
6146 nvlpacked = nvlist_pack(nvl, &nv->len);
6147 if (nvlpacked == NULL)
6152 else if (nv->size < nv->len)
6155 error = copyout(nvlpacked, nv->data, nv->len);
6161 free(nvlpacked, M_NVLIST);
6162 nvlist_destroy(nvl);
6167 * XXX - Check for version mismatch!!!
6171 * Duplicate pfctl -Fa operation to get rid of as much as we can.
6181 if ((error = pf_begin_rules(&t[0], PF_RULESET_SCRUB, &nn))
6183 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: SCRUB\n"));
6186 if ((error = pf_begin_rules(&t[1], PF_RULESET_FILTER, &nn))
6188 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: FILTER\n"));
6189 break; /* XXX: rollback? */
6191 if ((error = pf_begin_rules(&t[2], PF_RULESET_NAT, &nn))
6193 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: NAT\n"));
6194 break; /* XXX: rollback? */
6196 if ((error = pf_begin_rules(&t[3], PF_RULESET_BINAT, &nn))
6198 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: BINAT\n"));
6199 break; /* XXX: rollback? */
6201 if ((error = pf_begin_rules(&t[4], PF_RULESET_RDR, &nn))
6203 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: RDR\n"));
6204 break; /* XXX: rollback? */
6207 /* XXX: these should always succeed here */
6208 pf_commit_rules(t[0], PF_RULESET_SCRUB, &nn);
6209 pf_commit_rules(t[1], PF_RULESET_FILTER, &nn);
6210 pf_commit_rules(t[2], PF_RULESET_NAT, &nn);
6211 pf_commit_rules(t[3], PF_RULESET_BINAT, &nn);
6212 pf_commit_rules(t[4], PF_RULESET_RDR, &nn);
6214 if ((error = pf_clear_tables()) != 0)
6217 if ((error = pf_begin_eth(&t[0], &nn)) != 0) {
6218 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: eth\n"));
6221 pf_commit_eth(t[0], &nn);
6224 if ((error = pf_begin_altq(&t[0])) != 0) {
6225 DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: ALTQ\n"));
6228 pf_commit_altq(t[0]);
6231 pf_clear_all_states();
6233 pf_clear_srcnodes(NULL);
6235 /* status does not use malloced mem so no need to cleanup */
6236 /* fingerprints and interfaces have their own cleanup code */
6242 static pfil_return_t
6243 pf_check_return(int chk, struct mbuf **m)
6249 return (PFIL_CONSUMED);
6258 return (PFIL_DROPPED);
6262 static pfil_return_t
6263 pf_eth_check_in(struct mbuf **m, struct ifnet *ifp, int flags,
6264 void *ruleset __unused, struct inpcb *inp)
6268 chk = pf_test_eth(PF_IN, flags, ifp, m, inp);
6270 return (pf_check_return(chk, m));
6273 static pfil_return_t
6274 pf_eth_check_out(struct mbuf **m, struct ifnet *ifp, int flags,
6275 void *ruleset __unused, struct inpcb *inp)
6279 chk = pf_test_eth(PF_OUT, flags, ifp, m, inp);
6281 return (pf_check_return(chk, m));
6285 static pfil_return_t
6286 pf_check_in(struct mbuf **m, struct ifnet *ifp, int flags,
6287 void *ruleset __unused, struct inpcb *inp)
6291 chk = pf_test(PF_IN, flags, ifp, m, inp, NULL);
6293 return (pf_check_return(chk, m));
6296 static pfil_return_t
6297 pf_check_out(struct mbuf **m, struct ifnet *ifp, int flags,
6298 void *ruleset __unused, struct inpcb *inp)
6302 chk = pf_test(PF_OUT, flags, ifp, m, inp, NULL);
6304 return (pf_check_return(chk, m));
6309 static pfil_return_t
6310 pf_check6_in(struct mbuf **m, struct ifnet *ifp, int flags,
6311 void *ruleset __unused, struct inpcb *inp)
6316 * In case of loopback traffic IPv6 uses the real interface in
6317 * order to support scoped addresses. In order to support stateful
6318 * filtering we have change this to lo0 as it is the case in IPv4.
6320 CURVNET_SET(ifp->if_vnet);
6321 chk = pf_test6(PF_IN, flags, (*m)->m_flags & M_LOOP ? V_loif : ifp,
6325 return (pf_check_return(chk, m));
6328 static pfil_return_t
6329 pf_check6_out(struct mbuf **m, struct ifnet *ifp, int flags,
6330 void *ruleset __unused, struct inpcb *inp)
6334 CURVNET_SET(ifp->if_vnet);
6335 chk = pf_test6(PF_OUT, flags, ifp, m, inp, NULL);
6338 return (pf_check_return(chk, m));
6342 VNET_DEFINE_STATIC(pfil_hook_t, pf_eth_in_hook);
6343 VNET_DEFINE_STATIC(pfil_hook_t, pf_eth_out_hook);
6344 #define V_pf_eth_in_hook VNET(pf_eth_in_hook)
6345 #define V_pf_eth_out_hook VNET(pf_eth_out_hook)
6348 VNET_DEFINE_STATIC(pfil_hook_t, pf_ip4_in_hook);
6349 VNET_DEFINE_STATIC(pfil_hook_t, pf_ip4_out_hook);
6350 #define V_pf_ip4_in_hook VNET(pf_ip4_in_hook)
6351 #define V_pf_ip4_out_hook VNET(pf_ip4_out_hook)
6354 VNET_DEFINE_STATIC(pfil_hook_t, pf_ip6_in_hook);
6355 VNET_DEFINE_STATIC(pfil_hook_t, pf_ip6_out_hook);
6356 #define V_pf_ip6_in_hook VNET(pf_ip6_in_hook)
6357 #define V_pf_ip6_out_hook VNET(pf_ip6_out_hook)
6363 struct pfil_hook_args pha = {
6364 .pa_version = PFIL_VERSION,
6366 .pa_type = PFIL_TYPE_ETHERNET,
6368 struct pfil_link_args pla = {
6369 .pa_version = PFIL_VERSION,
6373 if (atomic_load_bool(&V_pf_pfil_eth_hooked))
6376 pha.pa_mbuf_chk = pf_eth_check_in;
6377 pha.pa_flags = PFIL_IN;
6378 pha.pa_rulname = "eth-in";
6379 V_pf_eth_in_hook = pfil_add_hook(&pha);
6380 pla.pa_flags = PFIL_IN | PFIL_HEADPTR | PFIL_HOOKPTR;
6381 pla.pa_head = V_link_pfil_head;
6382 pla.pa_hook = V_pf_eth_in_hook;
6383 ret = pfil_link(&pla);
6385 pha.pa_mbuf_chk = pf_eth_check_out;
6386 pha.pa_flags = PFIL_OUT;
6387 pha.pa_rulname = "eth-out";
6388 V_pf_eth_out_hook = pfil_add_hook(&pha);
6389 pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
6390 pla.pa_head = V_link_pfil_head;
6391 pla.pa_hook = V_pf_eth_out_hook;
6392 ret = pfil_link(&pla);
6395 atomic_store_bool(&V_pf_pfil_eth_hooked, true);
6401 struct pfil_hook_args pha = {
6402 .pa_version = PFIL_VERSION,
6405 struct pfil_link_args pla = {
6406 .pa_version = PFIL_VERSION,
6410 if (atomic_load_bool(&V_pf_pfil_hooked))
6414 pha.pa_type = PFIL_TYPE_IP4;
6415 pha.pa_mbuf_chk = pf_check_in;
6416 pha.pa_flags = PFIL_IN;
6417 pha.pa_rulname = "default-in";
6418 V_pf_ip4_in_hook = pfil_add_hook(&pha);
6419 pla.pa_flags = PFIL_IN | PFIL_HEADPTR | PFIL_HOOKPTR;
6420 pla.pa_head = V_inet_pfil_head;
6421 pla.pa_hook = V_pf_ip4_in_hook;
6422 ret = pfil_link(&pla);
6424 pha.pa_mbuf_chk = pf_check_out;
6425 pha.pa_flags = PFIL_OUT;
6426 pha.pa_rulname = "default-out";
6427 V_pf_ip4_out_hook = pfil_add_hook(&pha);
6428 pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
6429 pla.pa_head = V_inet_pfil_head;
6430 pla.pa_hook = V_pf_ip4_out_hook;
6431 ret = pfil_link(&pla);
6433 if (V_pf_filter_local) {
6434 pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
6435 pla.pa_head = V_inet_local_pfil_head;
6436 pla.pa_hook = V_pf_ip4_out_hook;
6437 ret = pfil_link(&pla);
6442 pha.pa_type = PFIL_TYPE_IP6;
6443 pha.pa_mbuf_chk = pf_check6_in;
6444 pha.pa_flags = PFIL_IN;
6445 pha.pa_rulname = "default-in6";
6446 V_pf_ip6_in_hook = pfil_add_hook(&pha);
6447 pla.pa_flags = PFIL_IN | PFIL_HEADPTR | PFIL_HOOKPTR;
6448 pla.pa_head = V_inet6_pfil_head;
6449 pla.pa_hook = V_pf_ip6_in_hook;
6450 ret = pfil_link(&pla);
6452 pha.pa_mbuf_chk = pf_check6_out;
6453 pha.pa_rulname = "default-out6";
6454 pha.pa_flags = PFIL_OUT;
6455 V_pf_ip6_out_hook = pfil_add_hook(&pha);
6456 pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
6457 pla.pa_head = V_inet6_pfil_head;
6458 pla.pa_hook = V_pf_ip6_out_hook;
6459 ret = pfil_link(&pla);
6461 if (V_pf_filter_local) {
6462 pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
6463 pla.pa_head = V_inet6_local_pfil_head;
6464 pla.pa_hook = V_pf_ip6_out_hook;
6465 ret = pfil_link(&pla);
6470 atomic_store_bool(&V_pf_pfil_hooked, true);
6477 if (!atomic_load_bool(&V_pf_pfil_eth_hooked))
6480 pfil_remove_hook(V_pf_eth_in_hook);
6481 pfil_remove_hook(V_pf_eth_out_hook);
6483 atomic_store_bool(&V_pf_pfil_eth_hooked, false);
6490 if (!atomic_load_bool(&V_pf_pfil_hooked))
6494 pfil_remove_hook(V_pf_ip4_in_hook);
6495 pfil_remove_hook(V_pf_ip4_out_hook);
6498 pfil_remove_hook(V_pf_ip6_in_hook);
6499 pfil_remove_hook(V_pf_ip6_out_hook);
6502 atomic_store_bool(&V_pf_pfil_hooked, false);
6508 V_pf_tag_z = uma_zcreate("pf tags", sizeof(struct pf_tagname),
6509 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
6511 rm_init_flags(&V_pf_rules_lock, "pf rulesets", RM_RECURSE);
6512 sx_init(&V_pf_ioctl_lock, "pf ioctl");
6514 pf_init_tagset(&V_pf_tags, &pf_rule_tag_hashsize,
6515 PF_RULE_TAG_HASH_SIZE_DEFAULT);
6517 pf_init_tagset(&V_pf_qids, &pf_queue_tag_hashsize,
6518 PF_QUEUE_TAG_HASH_SIZE_DEFAULT);
6521 V_pf_keth = &V_pf_main_keth_anchor.ruleset;
6524 V_pf_vnet_active = 1;
6532 sx_init(&pf_end_lock, "pf end thread");
6534 pf_mtag_initialize();
6536 pf_dev = make_dev(&pf_cdevsw, 0, UID_ROOT, GID_WHEEL, 0600, PF_NAME);
6541 error = kproc_create(pf_purge_thread, NULL, &pf_purge_proc, 0, 0, "pf purge");
6551 pf_unload_vnet(void)
6555 V_pf_vnet_active = 0;
6556 V_pf_status.running = 0;
6561 pf_syncookies_cleanup();
6565 /* Make sure we've cleaned up ethernet rules before we continue. */
6566 NET_EPOCH_DRAIN_CALLBACKS();
6568 ret = swi_remove(V_pf_swi_cookie);
6570 ret = intr_event_destroy(V_pf_swi_ie);
6573 pf_unload_vnet_purge();
6575 pf_normalize_cleanup();
6582 if (IS_DEFAULT_VNET(curvnet))
6585 pf_cleanup_tagset(&V_pf_tags);
6587 pf_cleanup_tagset(&V_pf_qids);
6589 uma_zdestroy(V_pf_tag_z);
6591 #ifdef PF_WANT_32_TO_64_COUNTER
6593 LIST_REMOVE(V_pf_kifmarker, pfik_allkiflist);
6595 MPASS(LIST_EMPTY(&V_pf_allkiflist));
6596 MPASS(V_pf_allkifcount == 0);
6598 LIST_REMOVE(&V_pf_default_rule, allrulelist);
6599 V_pf_allrulecount--;
6600 LIST_REMOVE(V_pf_rulemarker, allrulelist);
6603 * There are known pf rule leaks when running the test suite.
6606 MPASS(LIST_EMPTY(&V_pf_allrulelist));
6607 MPASS(V_pf_allrulecount == 0);
6612 free(V_pf_kifmarker, PFI_MTYPE);
6613 free(V_pf_rulemarker, M_PFRULE);
6616 /* Free counters last as we updated them during shutdown. */
6617 pf_counter_u64_deinit(&V_pf_default_rule.evaluations);
6618 for (int i = 0; i < 2; i++) {
6619 pf_counter_u64_deinit(&V_pf_default_rule.packets[i]);
6620 pf_counter_u64_deinit(&V_pf_default_rule.bytes[i]);
6622 counter_u64_free(V_pf_default_rule.states_cur);
6623 counter_u64_free(V_pf_default_rule.states_tot);
6624 counter_u64_free(V_pf_default_rule.src_nodes);
6625 uma_zfree_pcpu(pf_timestamp_pcpu_zone, V_pf_default_rule.timestamp);
6627 for (int i = 0; i < PFRES_MAX; i++)
6628 counter_u64_free(V_pf_status.counters[i]);
6629 for (int i = 0; i < KLCNT_MAX; i++)
6630 counter_u64_free(V_pf_status.lcounters[i]);
6631 for (int i = 0; i < FCNT_MAX; i++)
6632 pf_counter_u64_deinit(&V_pf_status.fcounters[i]);
6633 for (int i = 0; i < SCNT_MAX; i++)
6634 counter_u64_free(V_pf_status.scounters[i]);
6636 rm_destroy(&V_pf_rules_lock);
6637 sx_destroy(&V_pf_ioctl_lock);
6644 sx_xlock(&pf_end_lock);
6646 while (pf_end_threads < 2) {
6647 wakeup_one(pf_purge_thread);
6648 sx_sleep(pf_purge_proc, &pf_end_lock, 0, "pftmo", 0);
6650 sx_xunlock(&pf_end_lock);
6655 destroy_dev(pf_dev);
6659 sx_destroy(&pf_end_lock);
6663 vnet_pf_init(void *unused __unused)
6668 VNET_SYSINIT(vnet_pf_init, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD,
6669 vnet_pf_init, NULL);
6672 vnet_pf_uninit(const void *unused __unused)
6677 SYSUNINIT(pf_unload, SI_SUB_PROTO_FIREWALL, SI_ORDER_SECOND, pf_unload, NULL);
6678 VNET_SYSUNINIT(vnet_pf_uninit, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD,
6679 vnet_pf_uninit, NULL);
6682 pf_modevent(module_t mod, int type, void *data)
6692 /* Handled in SYSUNINIT(pf_unload) to ensure it's done after
6693 * the vnet_pf_uninit()s */
6703 static moduledata_t pf_mod = {
6709 DECLARE_MODULE(pf, pf_mod, SI_SUB_PROTO_FIREWALL, SI_ORDER_SECOND);
6710 MODULE_DEPEND(pf, netlink, 1, 1, 1);
6711 MODULE_VERSION(pf, PF_MODVER);
projects / freebsd.git / blob