Date: Fri, 7 May 2021 15:25:46 GMT From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 6fd48efd8d6d - stable/13 - libpfctl: Switch to pfctl_rule Message-ID: <202105071525.147FPkXB026344@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=6fd48efd8d6d4a6fc12e60baf9ea717034b40eca commit 6fd48efd8d6d4a6fc12e60baf9ea717034b40eca Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2021-04-08 08:31:46 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2021-05-07 08:15:42 +0000 libpfctl: Switch to pfctl_rule Stop using the kernel's struct pf_rule, switch to libpfctl's pfctl_rule. Now that we use nvlists to communicate with the kernel these structures can be fully decoupled. Reviewed by: glebius MFC after: 4 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D29644 (cherry picked from commit e9eb09414a8de8f3329f51b48c90a5e5ac8f09cf) --- contrib/pf/ftp-proxy/filter.c | 100 +++++++++++---------- contrib/pf/tftp-proxy/filter.c | 90 ++++++++++--------- lib/libpfctl/libpfctl.c | 10 +-- lib/libpfctl/libpfctl.h | 143 +++++++++++++++++++++++++++++- sbin/pfctl/parse.y | 52 +++++------ sbin/pfctl/pf_ruleset.c | 63 ++++++------- sbin/pfctl/pfctl.c | 91 ++++++++++--------- sbin/pfctl/pfctl.h | 14 +-- sbin/pfctl/pfctl_optimize.c | 82 ++++++++--------- sbin/pfctl/pfctl_parser.c | 2 +- sbin/pfctl/pfctl_parser.h | 14 +-- usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c | 17 ++-- 12 files changed, 416 insertions(+), 262 deletions(-) diff --git a/contrib/pf/ftp-proxy/filter.c b/contrib/pf/ftp-proxy/filter.c index db3735565dac..dad6324808bc 100644 --- a/contrib/pf/ftp-proxy/filter.c +++ b/contrib/pf/ftp-proxy/filter.c @@ -50,7 +50,11 @@ int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *, struct sockaddr_in6 *); static struct pfioc_pooladdr pfp; -static struct pfioc_rule pfr; +static struct pfctl_rule pfrule; +static char pfanchor[PF_ANCHOR_NAME_SIZE]; +static char pfanchor_call[PF_ANCHOR_NAME_SIZE]; +static uint32_t pfticket; +static uint32_t pfpool_ticket; static struct pfioc_trans pft; static struct pfioc_trans_e pfte[TRANS_SIZE]; static int dev, rule_log; @@ -68,9 +72,9 @@ add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src, if (prepare_rule(id, PF_RULESET_FILTER, src, dst, d_port) == -1) return (-1); - pfr.rule.direction = dir; - if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call, - pfr.ticket, pfr.pool_ticket)) + pfrule.direction = dir; + if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + pfticket, pfpool_ticket)) return (-1); return (0); @@ -99,14 +103,14 @@ add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, &satosin6(nat)->sin6_addr.s6_addr, 16); memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16); } - if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call, - pfr.ticket, pfr.pool_ticket)) + if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + pfticket, pfpool_ticket)) return (-1); - pfr.rule.rpool.proxy_port[0] = nat_range_low; - pfr.rule.rpool.proxy_port[1] = nat_range_high; - if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call, - pfr.ticket, pfr.pool_ticket)) + pfrule.rpool.proxy_port[0] = nat_range_low; + pfrule.rpool.proxy_port[1] = nat_range_high; + if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + pfticket, pfpool_ticket)) return (-1); return (0); @@ -134,13 +138,13 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, &satosin6(rdr)->sin6_addr.s6_addr, 16); memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16); } - if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call, - pfr.ticket, pfr.pool_ticket)) + if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + pfticket, pfpool_ticket)) return (-1); - pfr.rule.rpool.proxy_port[0] = rdr_port; - if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call, - pfr.ticket, pfr.pool_ticket)) + pfrule.rpool.proxy_port[0] = rdr_port; + if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + pfticket, pfpool_ticket)) return (-1); return (0); @@ -237,21 +241,21 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src, } memset(&pfp, 0, sizeof pfp); - memset(&pfr, 0, sizeof pfr); + memset(&pfrule, 0, sizeof pfrule); snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR, getpid(), id); strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE); - strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE); + strlcpy(pfanchor, an, PF_ANCHOR_NAME_SIZE); switch (rs_num) { case PF_RULESET_FILTER: - pfr.ticket = pfte[TRANS_FILTER].ticket; + pfticket = pfte[TRANS_FILTER].ticket; break; case PF_RULESET_NAT: - pfr.ticket = pfte[TRANS_NAT].ticket; + pfticket = pfte[TRANS_NAT].ticket; break; case PF_RULESET_RDR: - pfr.ticket = pfte[TRANS_RDR].ticket; + pfticket = pfte[TRANS_RDR].ticket; break; default: errno = EINVAL; @@ -259,30 +263,30 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src, } if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1) return (-1); - pfr.pool_ticket = pfp.ticket; + pfpool_ticket = pfp.ticket; /* Generic for all rule types. */ - pfr.rule.af = src->sa_family; - pfr.rule.proto = IPPROTO_TCP; - pfr.rule.src.addr.type = PF_ADDR_ADDRMASK; - pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK; + pfrule.af = src->sa_family; + pfrule.proto = IPPROTO_TCP; + pfrule.src.addr.type = PF_ADDR_ADDRMASK; + pfrule.dst.addr.type = PF_ADDR_ADDRMASK; if (src->sa_family == AF_INET) { - memcpy(&pfr.rule.src.addr.v.a.addr.v4, + memcpy(&pfrule.src.addr.v.a.addr.v4, &satosin(src)->sin_addr.s_addr, 4); - memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4); - memcpy(&pfr.rule.dst.addr.v.a.addr.v4, + memset(&pfrule.src.addr.v.a.mask.addr8, 255, 4); + memcpy(&pfrule.dst.addr.v.a.addr.v4, &satosin(dst)->sin_addr.s_addr, 4); - memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4); + memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 4); } else { - memcpy(&pfr.rule.src.addr.v.a.addr.v6, + memcpy(&pfrule.src.addr.v.a.addr.v6, &satosin6(src)->sin6_addr.s6_addr, 16); - memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16); - memcpy(&pfr.rule.dst.addr.v.a.addr.v6, + memset(&pfrule.src.addr.v.a.mask.addr8, 255, 16); + memcpy(&pfrule.dst.addr.v.a.addr.v6, &satosin6(dst)->sin6_addr.s6_addr, 16); - memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16); + memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 16); } - pfr.rule.dst.port_op = PF_OP_EQ; - pfr.rule.dst.port[0] = htons(d_port); + pfrule.dst.port_op = PF_OP_EQ; + pfrule.dst.port[0] = htons(d_port); switch (rs_num) { case PF_RULESET_FILTER: @@ -291,32 +295,32 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src, * from $src to $dst port = $d_port flags S/SA keep state * (max 1) [queue qname] [tag tagname] */ - pfr.rule.action = PF_PASS; - pfr.rule.quick = 1; - pfr.rule.log = rule_log; - pfr.rule.keep_state = 1; - pfr.rule.flags = TH_SYN; - pfr.rule.flagset = (TH_SYN|TH_ACK); - pfr.rule.max_states = 1; + pfrule.action = PF_PASS; + pfrule.quick = 1; + pfrule.log = rule_log; + pfrule.keep_state = 1; + pfrule.flags = TH_SYN; + pfrule.flagset = (TH_SYN|TH_ACK); + pfrule.max_states = 1; if (qname != NULL) - strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname); + strlcpy(pfrule.qname, qname, sizeof pfrule.qname); if (tagname != NULL) { - pfr.rule.quick = 0; - strlcpy(pfr.rule.tagname, tagname, - sizeof pfr.rule.tagname); + pfrule.quick = 0; + strlcpy(pfrule.tagname, tagname, + sizeof pfrule.tagname); } break; case PF_RULESET_NAT: /* * nat inet[6] proto tcp from $src to $dst port $d_port -> $nat */ - pfr.rule.action = PF_NAT; + pfrule.action = PF_NAT; break; case PF_RULESET_RDR: /* * rdr inet[6] proto tcp from $src to $dst port $d_port -> $rdr */ - pfr.rule.action = PF_RDR; + pfrule.action = PF_RDR; break; default: errno = EINVAL; diff --git a/contrib/pf/tftp-proxy/filter.c b/contrib/pf/tftp-proxy/filter.c index 0b87d568809f..1689d3465fd3 100644 --- a/contrib/pf/tftp-proxy/filter.c +++ b/contrib/pf/tftp-proxy/filter.c @@ -54,7 +54,11 @@ int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *, struct sockaddr_in6 *, u_int8_t); static struct pfioc_pooladdr pfp; -static struct pfioc_rule pfr; +static struct pfctl_rule pfrule; +static uint32_t pfticket; +static uint32_t pfpool_ticket; +static char pfanchor[PF_ANCHOR_NAME_SIZE]; +static char pfanchor_call[PF_ANCHOR_NAME_SIZE]; static struct pfioc_trans pft; static struct pfioc_trans_e pfte[TRANS_SIZE]; static int dev, rule_log; @@ -72,9 +76,9 @@ add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src, if (prepare_rule(id, PF_RULESET_FILTER, src, dst, d_port, proto) == -1) return (-1); - pfr.rule.direction = dir; - if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call, - pfr.ticket, pfr.pool_ticket)) + pfrule.direction = dir; + if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + pfticket, pfpool_ticket)) return (-1); return (0); @@ -106,10 +110,10 @@ add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, if (ioctl(dev, DIOCADDADDR, &pfp) == -1) return (-1); - pfr.rule.rpool.proxy_port[0] = nat_range_low; - pfr.rule.rpool.proxy_port[1] = nat_range_high; - if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call, - pfr.ticket, pfr.pool_ticket)) + pfrule.rpool.proxy_port[0] = nat_range_low; + pfrule.rpool.proxy_port[1] = nat_range_high; + if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + pfticket, pfpool_ticket)) return (-1); return (0); @@ -140,9 +144,9 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, if (ioctl(dev, DIOCADDADDR, &pfp) == -1) return (-1); - pfr.rule.rpool.proxy_port[0] = rdr_port; - if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call, - pfr.ticket, pfr.pool_ticket)) + pfrule.rpool.proxy_port[0] = rdr_port; + if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + pfticket, pfpool_ticket)) return (-1); return (0); @@ -244,21 +248,21 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src, } memset(&pfp, 0, sizeof pfp); - memset(&pfr, 0, sizeof pfr); + memset(&pfrule, 0, sizeof pfrule); snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR, getpid(), id); strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE); - strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE); + strlcpy(pfanchor, an, PF_ANCHOR_NAME_SIZE); switch (rs_num) { case PF_RULESET_FILTER: - pfr.ticket = pfte[TRANS_FILTER].ticket; + pfticket = pfte[TRANS_FILTER].ticket; break; case PF_RULESET_NAT: - pfr.ticket = pfte[TRANS_NAT].ticket; + pfticket = pfte[TRANS_NAT].ticket; break; case PF_RULESET_RDR: - pfr.ticket = pfte[TRANS_RDR].ticket; + pfticket = pfte[TRANS_RDR].ticket; break; default: errno = EINVAL; @@ -266,30 +270,30 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src, } if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1) return (-1); - pfr.pool_ticket = pfp.ticket; + pfpool_ticket = pfp.ticket; /* Generic for all rule types. */ - pfr.rule.af = src->sa_family; - pfr.rule.proto = proto; - pfr.rule.src.addr.type = PF_ADDR_ADDRMASK; - pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK; + pfrule.af = src->sa_family; + pfrule.proto = proto; + pfrule.src.addr.type = PF_ADDR_ADDRMASK; + pfrule.dst.addr.type = PF_ADDR_ADDRMASK; if (src->sa_family == AF_INET) { - memcpy(&pfr.rule.src.addr.v.a.addr.v4, + memcpy(&pfrule.src.addr.v.a.addr.v4, &satosin(src)->sin_addr.s_addr, 4); - memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4); - memcpy(&pfr.rule.dst.addr.v.a.addr.v4, + memset(&pfrule.src.addr.v.a.mask.addr8, 255, 4); + memcpy(&pfrule.dst.addr.v.a.addr.v4, &satosin(dst)->sin_addr.s_addr, 4); - memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4); + memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 4); } else { - memcpy(&pfr.rule.src.addr.v.a.addr.v6, + memcpy(&pfrule.src.addr.v.a.addr.v6, &satosin6(src)->sin6_addr.s6_addr, 16); - memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16); - memcpy(&pfr.rule.dst.addr.v.a.addr.v6, + memset(&pfrule.src.addr.v.a.mask.addr8, 255, 16); + memcpy(&pfrule.dst.addr.v.a.addr.v6, &satosin6(dst)->sin6_addr.s6_addr, 16); - memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16); + memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 16); } - pfr.rule.dst.port_op = PF_OP_EQ; - pfr.rule.dst.port[0] = htons(d_port); + pfrule.dst.port_op = PF_OP_EQ; + pfrule.dst.port[0] = htons(d_port); switch (rs_num) { case PF_RULESET_FILTER: @@ -298,34 +302,34 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src, * from $src to $dst port = $d_port flags S/SAFR keep state * (max 1) [queue qname] */ - pfr.rule.action = PF_PASS; - pfr.rule.quick = 1; - pfr.rule.log = rule_log; - pfr.rule.keep_state = 1; + pfrule.action = PF_PASS; + pfrule.quick = 1; + pfrule.log = rule_log; + pfrule.keep_state = 1; #ifdef __FreeBSD__ - pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : 0); - pfr.rule.flagset = (proto == IPPROTO_TCP ? + pfrule.flags = (proto == IPPROTO_TCP ? TH_SYN : 0); + pfrule.flagset = (proto == IPPROTO_TCP ? (TH_SYN|TH_ACK|TH_FIN|TH_RST) : 0); #else - pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : NULL); - pfr.rule.flagset = (proto == IPPROTO_TCP ? + pfrule.flags = (proto == IPPROTO_TCP ? TH_SYN : NULL); + pfrule.flagset = (proto == IPPROTO_TCP ? (TH_SYN|TH_ACK|TH_FIN|TH_RST) : NULL); #endif - pfr.rule.max_states = 1; + pfrule.max_states = 1; if (qname != NULL) - strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname); + strlcpy(pfrule.qname, qname, sizeof pfrule.qname); break; case PF_RULESET_NAT: /* * nat inet[6] proto tcp from $src to $dst port $d_port -> $nat */ - pfr.rule.action = PF_NAT; + pfrule.action = PF_NAT; break; case PF_RULESET_RDR: /* * rdr inet[6] proto tcp from $src to $dst port $d_port -> $rdr */ - pfr.rule.action = PF_RDR; + pfrule.action = PF_RDR; break; default: errno = EINVAL; diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c index e0d429112f5b..dc174d8d5b72 100644 --- a/lib/libpfctl/libpfctl.c +++ b/lib/libpfctl/libpfctl.c @@ -256,7 +256,7 @@ pf_nvrule_uid_to_rule_uid(const nvlist_t *nvl, struct pf_rule_uid *uid) static void pfctl_nv_add_divert(nvlist_t *nvparent, const char *name, - const struct pf_rule *r) + const struct pfctl_rule *r) { nvlist_t *nvl = nvlist_create(0); @@ -267,14 +267,14 @@ pfctl_nv_add_divert(nvlist_t *nvparent, const char *name, } static void -pf_nvdivert_to_divert(const nvlist_t *nvl, struct pf_rule *rule) +pf_nvdivert_to_divert(const nvlist_t *nvl, struct pfctl_rule *rule) { pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &rule->divert.addr); rule->divert.port = nvlist_get_number(nvl, "port"); } static void -pf_nvrule_to_rule(const nvlist_t *nvl, struct pf_rule *rule) +pf_nvrule_to_rule(const nvlist_t *nvl, struct pfctl_rule *rule) { const uint64_t *skip; size_t skipcount; @@ -373,7 +373,7 @@ pf_nvrule_to_rule(const nvlist_t *nvl, struct pf_rule *rule) } int -pfctl_add_rule(int dev, const struct pf_rule *r, const char *anchor, +pfctl_add_rule(int dev, const struct pfctl_rule *r, const char *anchor, const char *anchor_call, u_int32_t ticket, u_int32_t pool_ticket) { struct pfioc_nv nv; @@ -482,7 +482,7 @@ pfctl_add_rule(int dev, const struct pf_rule *r, const char *anchor, int pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, const char *anchor, - u_int32_t ruleset, struct pf_rule *rule, char *anchor_call) + u_int32_t ruleset, struct pfctl_rule *rule, char *anchor_call) { struct pfioc_nv nv; nvlist_t *nvl; diff --git a/lib/libpfctl/libpfctl.h b/lib/libpfctl/libpfctl.h index 65ff2179f23d..996830619489 100644 --- a/lib/libpfctl/libpfctl.h +++ b/lib/libpfctl/libpfctl.h @@ -36,10 +36,147 @@ #include <netpfil/pf/pf.h> +struct pfctl_anchor; + +struct pfctl_rule { + struct pf_rule_addr src; + struct pf_rule_addr dst; + union pf_rule_ptr skip[PF_SKIP_COUNT]; + char label[PF_RULE_LABEL_SIZE]; + char ifname[IFNAMSIZ]; + char qname[PF_QNAME_SIZE]; + char pqname[PF_QNAME_SIZE]; + char tagname[PF_TAG_NAME_SIZE]; + char match_tagname[PF_TAG_NAME_SIZE]; + + char overload_tblname[PF_TABLE_NAME_SIZE]; + + TAILQ_ENTRY(pfctl_rule) entries; + struct pf_pool rpool; + + u_int64_t evaluations; + u_int64_t packets[2]; + u_int64_t bytes[2]; + + struct pfi_kif *kif; + struct pfctl_anchor *anchor; + struct pfr_ktable *overload_tbl; + + pf_osfp_t os_fingerprint; + + int rtableid; + u_int32_t timeout[PFTM_MAX]; + u_int32_t max_states; + u_int32_t max_src_nodes; + u_int32_t max_src_states; + u_int32_t max_src_conn; + struct { + u_int32_t limit; + u_int32_t seconds; + } max_src_conn_rate; + u_int32_t qid; + u_int32_t pqid; + u_int32_t nr; + u_int32_t prob; + uid_t cuid; + pid_t cpid; + + counter_u64_t states_cur; + counter_u64_t states_tot; + counter_u64_t src_nodes; + + u_int16_t return_icmp; + u_int16_t return_icmp6; + u_int16_t max_mss; + u_int16_t tag; + u_int16_t match_tag; + u_int16_t scrub_flags; + + struct pf_rule_uid uid; + struct pf_rule_gid gid; + + u_int32_t rule_flag; + u_int8_t action; + u_int8_t direction; + u_int8_t log; + u_int8_t logif; + u_int8_t quick; + u_int8_t ifnot; + u_int8_t match_tag_not; + u_int8_t natpass; + + u_int8_t keep_state; + sa_family_t af; + u_int8_t proto; + u_int8_t type; + u_int8_t code; + u_int8_t flags; + u_int8_t flagset; + u_int8_t min_ttl; + u_int8_t allow_opts; + u_int8_t rt; + u_int8_t return_ttl; + u_int8_t tos; + u_int8_t set_tos; + u_int8_t anchor_relative; + u_int8_t anchor_wildcard; + + u_int8_t flush; + u_int8_t prio; + u_int8_t set_prio[2]; + + struct { + struct pf_addr addr; + u_int16_t port; + } divert; + + uint64_t u_states_cur; + uint64_t u_states_tot; + uint64_t u_src_nodes; +}; + +TAILQ_HEAD(pfctl_rulequeue, pfctl_rule); + +struct pfctl_ruleset { + struct { + struct pfctl_rulequeue queues[2]; + struct { + struct pfctl_rulequeue *ptr; + struct pfctl_rule **ptr_array; + u_int32_t rcount; + u_int32_t ticket; + int open; + } active, inactive; + } rules[PF_RULESET_MAX]; + struct pfctl_anchor *anchor; + u_int32_t tticket; + int tables; + int topen; +}; + +RB_HEAD(pfctl_anchor_global, pfctl_anchor); +RB_HEAD(pfctl_anchor_node, pfctl_anchor); +struct pfctl_anchor { + RB_ENTRY(pfctl_anchor) entry_global; + RB_ENTRY(pfctl_anchor) entry_node; + struct pfctl_anchor *parent; + struct pfctl_anchor_node children; + char name[PF_ANCHOR_NAME_SIZE]; + char path[MAXPATHLEN]; + struct pfctl_ruleset ruleset; + int refcnt; /* anchor rules */ + int match; /* XXX: used for pfctl black magic */ +}; +RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global, + pf_anchor_compare); +RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node, + pf_anchor_compare); + int pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, - const char *anchor, u_int32_t ruleset, struct pf_rule *rule, + const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule, char *anchor_call); -int pfctl_add_rule(int dev, const struct pf_rule *r, const char *anchor, - const char *anchor_call, u_int32_t ticket, u_int32_t pool_ticket); +int pfctl_add_rule(int dev, const struct pfctl_rule *r, + const char *anchor, const char *anchor_call, u_int32_t ticket, + u_int32_t pool_ticket); #endif diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 89e421e6b5ad..08da7e6bddd6 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -317,10 +317,10 @@ static struct node_state_opt *keep_state_defaults = NULL; int disallow_table(struct node_host *, const char *); int disallow_urpf_failed(struct node_host *, const char *); int disallow_alias(struct node_host *, const char *); -int rule_consistent(struct pf_rule *, int); -int filter_consistent(struct pf_rule *, int); -int nat_consistent(struct pf_rule *); -int rdr_consistent(struct pf_rule *); +int rule_consistent(struct pfctl_rule *, int); +int filter_consistent(struct pfctl_rule *, int); +int nat_consistent(struct pfctl_rule *); +int rdr_consistent(struct pfctl_rule *); int process_tabledef(char *, struct table_opts *); void expand_label_str(char *, size_t, const char *, const char *); void expand_label_if(const char *, char *, size_t, const char *); @@ -333,7 +333,7 @@ void expand_label_nr(const char *, char *, size_t); void expand_label(char *, size_t, const char *, u_int8_t, struct node_host *, struct node_port *, struct node_host *, struct node_port *, u_int8_t); -void expand_rule(struct pf_rule *, struct node_if *, +void expand_rule(struct pfctl_rule *, struct node_if *, struct node_host *, struct node_proto *, struct node_os *, struct node_host *, struct node_port *, struct node_host *, struct node_port *, struct node_uid *, struct node_gid *, @@ -348,10 +348,10 @@ int expand_skip_interface(struct node_if *); int check_rulestate(int); int getservice(char *); -int rule_label(struct pf_rule *, char *); +int rule_label(struct pfctl_rule *, char *); int rt_tableid_max(void); -void mv_rules(struct pf_ruleset *, struct pf_ruleset *); +void mv_rules(struct pfctl_ruleset *, struct pfctl_ruleset *); void decide_address_family(struct node_host *, sa_family_t *); void remove_invalid_hosts(struct node_host **, sa_family_t *); int invalid_redirect(struct node_host *, sa_family_t); @@ -788,7 +788,7 @@ pfa_anchorlist : /* empty */ pfa_anchor : '{' { char ta[PF_ANCHOR_NAME_SIZE]; - struct pf_ruleset *rs; + struct pfctl_ruleset *rs; /* steping into a brace anchor */ pf->asd++; @@ -814,7 +814,7 @@ pfa_anchor : '{' anchorrule : ANCHOR anchorname dir quick interface af proto fromto filter_opts pfa_anchor { - struct pf_rule r; + struct pfctl_rule r; struct node_proto *proto; if (check_rulestate(PFCTL_STATE_FILTER)) { @@ -833,7 +833,7 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto memset(&r, 0, sizeof(r)); if (pf->astack[pf->asd + 1]) { /* move inline rules into relative location */ - pf_anchor_setup(&r, + pfctl_anchor_setup(&r, &pf->astack[pf->asd]->ruleset, $2 ? $2 : pf->alast->name); @@ -946,7 +946,7 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto pf->astack[pf->asd + 1] = NULL; } | NATANCHOR string interface af proto fromto rtable { - struct pf_rule r; + struct pfctl_rule r; if (check_rulestate(PFCTL_STATE_NAT)) { free($2); @@ -967,7 +967,7 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto free($2); } | RDRANCHOR string interface af proto fromto rtable { - struct pf_rule r; + struct pfctl_rule r; if (check_rulestate(PFCTL_STATE_NAT)) { free($2); @@ -1009,7 +1009,7 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto free($2); } | BINATANCHOR string interface af proto fromto rtable { - struct pf_rule r; + struct pfctl_rule r; if (check_rulestate(PFCTL_STATE_NAT)) { free($2); @@ -1087,7 +1087,7 @@ scrubaction : no SCRUB { scrubrule : scrubaction dir logquick interface af proto fromto scrub_opts { - struct pf_rule r; + struct pfctl_rule r; if (check_rulestate(PFCTL_STATE_SCRUB)) YYERROR; @@ -1247,7 +1247,7 @@ fragcache : FRAGMENT REASSEMBLE { $$ = 0; /* default */ } ; antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts { - struct pf_rule r; + struct pfctl_rule r; struct node_host *h = NULL, *hh; struct node_if *i, *j; @@ -2022,7 +2022,7 @@ qassign_item : STRING { pfrule : action dir logquick interface route af proto fromto filter_opts { - struct pf_rule r; + struct pfctl_rule r; struct node_state_opt *o; struct node_proto *proto; int srctrack = 0; @@ -4071,7 +4071,7 @@ nataction : no NAT natpasslog { natrule : nataction interface af proto fromto tag tagged rtable redirpool pool_opts { - struct pf_rule r; + struct pfctl_rule r; if (check_rulestate(PFCTL_STATE_NAT)) YYERROR; @@ -4230,7 +4230,7 @@ natrule : nataction interface af proto fromto tag tagged rtable binatrule : no BINAT natpasslog interface af proto FROM ipspec toipspec tag tagged rtable redirection { - struct pf_rule binat; + struct pfctl_rule binat; struct pf_pooladdr *pa; if (check_rulestate(PFCTL_STATE_NAT)) @@ -4615,7 +4615,7 @@ disallow_alias(struct node_host *h, const char *fmt) } int -rule_consistent(struct pf_rule *r, int anchor_call) +rule_consistent(struct pfctl_rule *r, int anchor_call) { int problems = 0; @@ -4643,7 +4643,7 @@ rule_consistent(struct pf_rule *r, int anchor_call) } int -filter_consistent(struct pf_rule *r, int anchor_call) +filter_consistent(struct pfctl_rule *r, int anchor_call) { int problems = 0; @@ -4706,13 +4706,13 @@ filter_consistent(struct pf_rule *r, int anchor_call) } int -nat_consistent(struct pf_rule *r) +nat_consistent(struct pfctl_rule *r) { return (0); /* yeah! */ } int -rdr_consistent(struct pf_rule *r) +rdr_consistent(struct pfctl_rule *r) { int problems = 0; @@ -5248,7 +5248,7 @@ expand_queue(struct pf_altq *a, struct node_if *interfaces, } void -expand_rule(struct pf_rule *r, +expand_rule(struct pfctl_rule *r, struct node_if *interfaces, struct node_host *rpool_hosts, struct node_proto *protos, struct node_os *src_oses, struct node_host *src_hosts, struct node_port *src_ports, @@ -6080,10 +6080,10 @@ symget(const char *nam) } void -mv_rules(struct pf_ruleset *src, struct pf_ruleset *dst) +mv_rules(struct pfctl_ruleset *src, struct pfctl_ruleset *dst) { int i; - struct pf_rule *r; + struct pfctl_rule *r; for (i = 0; i < PF_RULESET_MAX; ++i) { while ((r = TAILQ_FIRST(src->rules[i].active.ptr)) @@ -6214,7 +6214,7 @@ getservice(char *n) } int -rule_label(struct pf_rule *r, char *s) +rule_label(struct pfctl_rule *r, char *s) { if (s) { if (strlcpy(r->label, s, sizeof(r->label)) >= diff --git a/sbin/pfctl/pf_ruleset.c b/sbin/pfctl/pf_ruleset.c index baac1deb4fa7..f5cddf481871 100644 --- a/sbin/pfctl/pf_ruleset.c +++ b/sbin/pfctl/pf_ruleset.c @@ -73,22 +73,23 @@ __FBSDID("$FreeBSD$"); #define DPFPRINTF(format, x...) ((void)0) #endif /* PFDEBUG */ -struct pf_anchor_global pf_anchors; -struct pf_anchor pf_main_anchor; +struct pfctl_anchor_global pf_anchors; +struct pfctl_anchor pf_main_anchor; #undef V_pf_anchors #define V_pf_anchors pf_anchors #undef pf_main_ruleset #define pf_main_ruleset pf_main_anchor.ruleset -static __inline int pf_anchor_compare(struct pf_anchor *, - struct pf_anchor *); -static struct pf_anchor *pf_find_anchor(const char *); +static __inline int pf_anchor_compare(struct pfctl_anchor *, + struct pfctl_anchor *); +static struct pfctl_anchor *pf_find_anchor(const char *); -RB_GENERATE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare); -RB_GENERATE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare); +RB_GENERATE(pfctl_anchor_global, pfctl_anchor, entry_global, + pf_anchor_compare); +RB_GENERATE(pfctl_anchor_node, pfctl_anchor, entry_node, pf_anchor_compare); static __inline int -pf_anchor_compare(struct pf_anchor *a, struct pf_anchor *b) +pf_anchor_compare(struct pfctl_anchor *a, struct pfctl_anchor *b) { int c = strcmp(a->path, b->path); @@ -126,11 +127,11 @@ pf_get_ruleset_number(u_int8_t action) } void -pf_init_ruleset(struct pf_ruleset *ruleset) +pf_init_ruleset(struct pfctl_ruleset *ruleset) { int i; - memset(ruleset, 0, sizeof(struct pf_ruleset)); + memset(ruleset, 0, sizeof(struct pfctl_ruleset)); for (i = 0; i < PF_RULESET_MAX; i++) { TAILQ_INIT(&ruleset->rules[i].queues[0]); TAILQ_INIT(&ruleset->rules[i].queues[1]); @@ -139,24 +140,24 @@ pf_init_ruleset(struct pf_ruleset *ruleset) } } -static struct pf_anchor * +static struct pfctl_anchor * pf_find_anchor(const char *path) { - struct pf_anchor *key, *found; + struct pfctl_anchor *key, *found; - key = (struct pf_anchor *)rs_malloc(sizeof(*key)); + key = (struct pfctl_anchor *)rs_malloc(sizeof(*key)); if (key == NULL) return (NULL); strlcpy(key->path, path, sizeof(key->path)); - found = RB_FIND(pf_anchor_global, &V_pf_anchors, key); + found = RB_FIND(pfctl_anchor_global, &V_pf_anchors, key); rs_free(key); return (found); } -struct pf_ruleset * +struct pfctl_ruleset * pf_find_ruleset(const char *path) { - struct pf_anchor *anchor; + struct pfctl_anchor *anchor; while (*path == '/') path++; @@ -169,12 +170,12 @@ pf_find_ruleset(const char *path) return (&anchor->ruleset); } -struct pf_ruleset * +struct pfctl_ruleset * pf_find_or_create_ruleset(const char *path) { char *p, *q, *r; - struct pf_ruleset *ruleset; - struct pf_anchor *anchor = NULL, *dup, *parent = NULL; + struct pfctl_ruleset *ruleset; + struct pfctl_anchor *anchor = NULL, *dup, *parent = NULL; if (path[0] == 0) return (&pf_main_ruleset); @@ -212,7 +213,7 @@ pf_find_or_create_ruleset(const char *path) rs_free(p); return (NULL); } - anchor = (struct pf_anchor *)rs_malloc(sizeof(*anchor)); + anchor = (struct pfctl_anchor *)rs_malloc(sizeof(*anchor)); if (anchor == NULL) { rs_free(p); return (NULL); @@ -225,7 +226,7 @@ pf_find_or_create_ruleset(const char *path) strlcat(anchor->path, "/", sizeof(anchor->path)); } strlcat(anchor->path, anchor->name, sizeof(anchor->path)); - if ((dup = RB_INSERT(pf_anchor_global, &V_pf_anchors, anchor)) != + if ((dup = RB_INSERT(pfctl_anchor_global, &V_pf_anchors, anchor)) != NULL) { printf("pf_find_or_create_ruleset: RB_INSERT1 " "'%s' '%s' collides with '%s' '%s'\n", @@ -236,13 +237,13 @@ pf_find_or_create_ruleset(const char *path) } if (parent != NULL) { anchor->parent = parent; - if ((dup = RB_INSERT(pf_anchor_node, &parent->children, + if ((dup = RB_INSERT(pfctl_anchor_node, &parent->children, anchor)) != NULL) { printf("pf_find_or_create_ruleset: " "RB_INSERT2 '%s' '%s' collides with " "'%s' '%s'\n", anchor->path, anchor->name, dup->path, dup->name); - RB_REMOVE(pf_anchor_global, &V_pf_anchors, + RB_REMOVE(pfctl_anchor_global, &V_pf_anchors, anchor); rs_free(anchor); rs_free(p); @@ -262,9 +263,9 @@ pf_find_or_create_ruleset(const char *path) } void -pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset) +pf_remove_if_empty_ruleset(struct pfctl_ruleset *ruleset) { - struct pf_anchor *parent; + struct pfctl_anchor *parent; int i; while (ruleset != NULL) { @@ -278,9 +279,9 @@ pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset) !TAILQ_EMPTY(ruleset->rules[i].inactive.ptr) || ruleset->rules[i].inactive.open) return; - RB_REMOVE(pf_anchor_global, &V_pf_anchors, ruleset->anchor); + RB_REMOVE(pfctl_anchor_global, &V_pf_anchors, ruleset->anchor); if ((parent = ruleset->anchor->parent) != NULL) - RB_REMOVE(pf_anchor_node, &parent->children, + RB_REMOVE(pfctl_anchor_node, &parent->children, ruleset->anchor); rs_free(ruleset->anchor); if (parent == NULL) @@ -289,11 +290,11 @@ pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset) } } int -pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s, +pfctl_anchor_setup(struct pfctl_rule *r, const struct pfctl_ruleset *s, const char *name) { char *p, *path; - struct pf_ruleset *ruleset; + struct pfctl_ruleset *ruleset; r->anchor = NULL; r->anchor_relative = 0; @@ -314,7 +315,7 @@ pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s, strlcpy(path, s->anchor->path, MAXPATHLEN); while (name[0] == '.' && name[1] == '.' && name[2] == '/') { if (!path[0]) { - printf("pf_anchor_setup: .. beyond root\n"); + printf("pfctl_anchor_setup: .. beyond root\n"); *** 690 LINES SKIPPED ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202105071525.147FPkXB026344>