2 * Copyright (c) 2007-2010 Apple Inc. All rights reserved.
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
29 /* $apfw: pf_table.c,v 1.4 2008/08/27 00:01:32 jhw Exp $ */
30 /* $OpenBSD: pf_table.c,v 1.68 2006/05/02 10:08:45 dhartmei Exp $ */
33 * Copyright (c) 2002 Cedric Berger
34 * All rights reserved.
36 * Redistribution and use in source and binary forms, with or without
37 * modification, are permitted provided that the following conditions
40 * - Redistributions of source code must retain the above copyright
41 * notice, this list of conditions and the following disclaimer.
42 * - Redistributions in binary form must reproduce the above
43 * copyright notice, this list of conditions and the following
44 * disclaimer in the documentation and/or other materials provided
45 * with the distribution.
47 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
48 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
49 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
50 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
51 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
52 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
53 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
54 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
55 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
56 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
57 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
58 * POSSIBILITY OF SUCH DAMAGE.
62 #include <sys/param.h>
63 #include <sys/systm.h>
64 #include <sys/socket.h>
66 #include <sys/kernel.h>
67 #include <sys/malloc.h>
70 #include <net/route.h>
71 #include <netinet/in.h>
72 #include <net/radix.h>
73 #include <net/pfvar.h>
75 #define ACCEPT_FLAGS(flags, oklist) \
77 if ((flags & ~(oklist)) & \
82 #define COPYIN(from, to, size, flags) \
83 ((flags & PFR_FLAG_USERIOCTL) ? \
84 copyin((from), (to), (size)) : \
85 (bcopy((void *)(uintptr_t)(from), (to), (size)), 0))
87 #define COPYOUT(from, to, size, flags) \
88 ((flags & PFR_FLAG_USERIOCTL) ? \
89 copyout((from), (to), (size)) : \
90 (bcopy((from), (void *)(uintptr_t)(to), (size)), 0))
92 #define FILLIN_SIN(sin, addr) \
94 (sin).sin_len = sizeof (sin); \
95 (sin).sin_family = AF_INET; \
96 (sin).sin_addr = (addr); \
99 #define FILLIN_SIN6(sin6, addr) \
101 (sin6).sin6_len = sizeof (sin6); \
102 (sin6).sin6_family = AF_INET6; \
103 (sin6).sin6_addr = (addr); \
106 #define SWAP(type, a1, a2) \
113 #define SUNION2PF(su, af) (((af) == AF_INET) ? \
114 (struct pf_addr *)&(su)->sin.sin_addr : \
115 (struct pf_addr *)&(su)->sin6.sin6_addr)
117 #define AF_BITS(af) (((af) == AF_INET) ? 32 : 128)
118 #define ADDR_NETWORK(ad) ((ad)->pfra_net < AF_BITS((ad)->pfra_af))
119 #define KENTRY_NETWORK(ke) ((ke)->pfrke_net < AF_BITS((ke)->pfrke_af))
120 #define KENTRY_RNF_ROOT(ke) \
121 ((((struct radix_node *)(ke))->rn_flags & RNF_ROOT) != 0)
123 #define NO_ADDRESSES (-1)
124 #define ENQUEUE_UNMARKED_ONLY (1)
125 #define INVERT_NEG_FLAG (1)
127 struct pfr_walktree
{
138 user_addr_t pfrw1_addr
;
139 user_addr_t pfrw1_astats
;
140 struct pfr_kentryworkq
*pfrw1_workq
;
141 struct pfr_kentry
*pfrw1_kentry
;
142 struct pfi_dynaddr
*pfrw1_dyn
;
147 #define pfrw_addr pfrw_1.pfrw1_addr
148 #define pfrw_astats pfrw_1.pfrw1_astats
149 #define pfrw_workq pfrw_1.pfrw1_workq
150 #define pfrw_kentry pfrw_1.pfrw1_kentry
151 #define pfrw_dyn pfrw_1.pfrw1_dyn
152 #define pfrw_cnt pfrw_free
154 #define senderr(e) do { rv = (e); goto _bad; } while (0)
156 struct pool pfr_ktable_pl
;
157 struct pool pfr_kentry_pl
;
159 static struct pool pfr_kentry_pl2
;
160 static struct sockaddr_in pfr_sin
;
161 static struct sockaddr_in6 pfr_sin6
;
162 static union sockaddr_union pfr_mask
;
163 static struct pf_addr pfr_ffaddr
;
165 static void pfr_copyout_addr(struct pfr_addr
*, struct pfr_kentry
*ke
);
166 static int pfr_validate_addr(struct pfr_addr
*);
167 static void pfr_enqueue_addrs(struct pfr_ktable
*, struct pfr_kentryworkq
*,
169 static void pfr_mark_addrs(struct pfr_ktable
*);
170 static struct pfr_kentry
*pfr_lookup_addr(struct pfr_ktable
*,
171 struct pfr_addr
*, int);
172 static struct pfr_kentry
*pfr_create_kentry(struct pfr_addr
*, int);
173 static void pfr_destroy_kentries(struct pfr_kentryworkq
*);
174 static void pfr_destroy_kentry(struct pfr_kentry
*);
175 static void pfr_insert_kentries(struct pfr_ktable
*,
176 struct pfr_kentryworkq
*, u_int64_t
);
177 static void pfr_remove_kentries(struct pfr_ktable
*, struct pfr_kentryworkq
*);
178 static void pfr_clstats_kentries(struct pfr_kentryworkq
*, u_int64_t
, int);
179 static void pfr_reset_feedback(user_addr_t
, int, int);
180 static void pfr_prepare_network(union sockaddr_union
*, int, int);
181 static int pfr_route_kentry(struct pfr_ktable
*, struct pfr_kentry
*);
182 static int pfr_unroute_kentry(struct pfr_ktable
*, struct pfr_kentry
*);
183 static int pfr_walktree(struct radix_node
*, void *);
184 static int pfr_validate_table(struct pfr_table
*, int, int);
185 static int pfr_fix_anchor(char *);
186 static void pfr_commit_ktable(struct pfr_ktable
*, u_int64_t
);
187 static void pfr_insert_ktables(struct pfr_ktableworkq
*);
188 static void pfr_insert_ktable(struct pfr_ktable
*);
189 static void pfr_setflags_ktables(struct pfr_ktableworkq
*);
190 static void pfr_setflags_ktable(struct pfr_ktable
*, int);
191 static void pfr_clstats_ktables(struct pfr_ktableworkq
*, u_int64_t
, int);
192 static void pfr_clstats_ktable(struct pfr_ktable
*, u_int64_t
, int);
193 static struct pfr_ktable
*pfr_create_ktable(struct pfr_table
*, u_int64_t
, int);
194 static void pfr_destroy_ktables(struct pfr_ktableworkq
*, int);
195 static void pfr_destroy_ktable(struct pfr_ktable
*, int);
196 static int pfr_ktable_compare(struct pfr_ktable
*, struct pfr_ktable
*);
197 static struct pfr_ktable
*pfr_lookup_table(struct pfr_table
*);
198 static void pfr_clean_node_mask(struct pfr_ktable
*, struct pfr_kentryworkq
*);
199 static int pfr_table_count(struct pfr_table
*, int);
200 static int pfr_skip_table(struct pfr_table
*, struct pfr_ktable
*, int);
201 static struct pfr_kentry
*pfr_kentry_byidx(struct pfr_ktable
*, int, int);
203 RB_PROTOTYPE_SC(static, pfr_ktablehead
, pfr_ktable
, pfrkt_tree
,
205 RB_GENERATE(pfr_ktablehead
, pfr_ktable
, pfrkt_tree
, pfr_ktable_compare
);
207 static struct pfr_ktablehead pfr_ktables
;
208 static struct pfr_table pfr_nulltable
;
209 static int pfr_ktable_cnt
;
214 pool_init(&pfr_ktable_pl
, sizeof (struct pfr_ktable
), 0, 0, 0,
216 pool_init(&pfr_kentry_pl
, sizeof (struct pfr_kentry
), 0, 0, 0,
218 pool_init(&pfr_kentry_pl2
, sizeof (struct pfr_kentry
), 0, 0, 0,
221 pfr_sin
.sin_len
= sizeof (pfr_sin
);
222 pfr_sin
.sin_family
= AF_INET
;
223 pfr_sin6
.sin6_len
= sizeof (pfr_sin6
);
224 pfr_sin6
.sin6_family
= AF_INET6
;
226 memset(&pfr_ffaddr
, 0xff, sizeof (pfr_ffaddr
));
233 pool_destroy(&pfr_ktable_pl
);
234 pool_destroy(&pfr_kentry_pl
);
235 pool_destroy(&pfr_kentry_pl2
);
240 pfr_clr_addrs(struct pfr_table
*tbl
, int *ndel
, int flags
)
242 struct pfr_ktable
*kt
;
243 struct pfr_kentryworkq workq
;
245 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
);
246 if (pfr_validate_table(tbl
, 0, flags
& PFR_FLAG_USERIOCTL
))
248 kt
= pfr_lookup_table(tbl
);
249 if (kt
== NULL
|| !(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
251 if (kt
->pfrkt_flags
& PFR_TFLAG_CONST
)
253 pfr_enqueue_addrs(kt
, &workq
, ndel
, 0);
255 if (!(flags
& PFR_FLAG_DUMMY
)) {
256 pfr_remove_kentries(kt
, &workq
);
258 printf("pfr_clr_addrs: corruption detected (%d).\n",
267 pfr_add_addrs(struct pfr_table
*tbl
, user_addr_t _addr
, int size
,
268 int *nadd
, int flags
)
270 struct pfr_ktable
*kt
, *tmpkt
;
271 struct pfr_kentryworkq workq
;
272 struct pfr_kentry
*p
, *q
;
275 user_addr_t addr
= _addr
;
276 u_int64_t tzero
= pf_calendar_time_second();
278 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
|
280 if (pfr_validate_table(tbl
, 0, flags
& PFR_FLAG_USERIOCTL
))
282 kt
= pfr_lookup_table(tbl
);
283 if (kt
== NULL
|| !(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
285 if (kt
->pfrkt_flags
& PFR_TFLAG_CONST
)
287 tmpkt
= pfr_create_ktable(&pfr_nulltable
, 0, 0);
291 for (i
= 0; i
< size
; i
++, addr
+= sizeof (ad
)) {
292 if (COPYIN(addr
, &ad
, sizeof (ad
), flags
))
294 if (pfr_validate_addr(&ad
))
296 p
= pfr_lookup_addr(kt
, &ad
, 1);
297 q
= pfr_lookup_addr(tmpkt
, &ad
, 1);
298 if (flags
& PFR_FLAG_FEEDBACK
) {
300 ad
.pfra_fback
= PFR_FB_DUPLICATE
;
302 ad
.pfra_fback
= PFR_FB_ADDED
;
303 else if (p
->pfrke_not
!= ad
.pfra_not
)
304 ad
.pfra_fback
= PFR_FB_CONFLICT
;
306 ad
.pfra_fback
= PFR_FB_NONE
;
308 if (p
== NULL
&& q
== NULL
) {
309 p
= pfr_create_kentry(&ad
,
310 !(flags
& PFR_FLAG_USERIOCTL
));
313 if (pfr_route_kentry(tmpkt
, p
)) {
314 pfr_destroy_kentry(p
);
315 ad
.pfra_fback
= PFR_FB_NONE
;
317 SLIST_INSERT_HEAD(&workq
, p
, pfrke_workq
);
321 if (flags
& PFR_FLAG_FEEDBACK
)
322 if (COPYOUT(&ad
, addr
, sizeof (ad
), flags
))
325 pfr_clean_node_mask(tmpkt
, &workq
);
326 if (!(flags
& PFR_FLAG_DUMMY
)) {
327 pfr_insert_kentries(kt
, &workq
, tzero
);
329 pfr_destroy_kentries(&workq
);
332 pfr_destroy_ktable(tmpkt
, 0);
335 pfr_clean_node_mask(tmpkt
, &workq
);
336 pfr_destroy_kentries(&workq
);
337 if (flags
& PFR_FLAG_FEEDBACK
)
338 pfr_reset_feedback(_addr
, size
, flags
);
339 pfr_destroy_ktable(tmpkt
, 0);
344 pfr_del_addrs(struct pfr_table
*tbl
, user_addr_t _addr
, int size
,
345 int *ndel
, int flags
)
347 struct pfr_ktable
*kt
;
348 struct pfr_kentryworkq workq
;
349 struct pfr_kentry
*p
;
351 user_addr_t addr
= _addr
;
352 int i
, rv
, xdel
= 0, log
= 1;
354 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
|
356 if (pfr_validate_table(tbl
, 0, flags
& PFR_FLAG_USERIOCTL
))
358 kt
= pfr_lookup_table(tbl
);
359 if (kt
== NULL
|| !(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
361 if (kt
->pfrkt_flags
& PFR_TFLAG_CONST
)
364 * there are two algorithms to choose from here.
366 * n: number of addresses to delete
367 * N: number of addresses in the table
369 * one is O(N) and is better for large 'n'
370 * one is O(n*LOG(N)) and is better for small 'n'
372 * following code try to decide which one is best.
374 for (i
= kt
->pfrkt_cnt
; i
> 0; i
>>= 1)
376 if (size
> kt
->pfrkt_cnt
/log
) {
377 /* full table scan */
380 /* iterate over addresses to delete */
381 for (i
= 0; i
< size
; i
++, addr
+= sizeof (ad
)) {
382 if (COPYIN(addr
, &ad
, sizeof (ad
), flags
))
384 if (pfr_validate_addr(&ad
))
386 p
= pfr_lookup_addr(kt
, &ad
, 1);
392 for (addr
= _addr
, i
= 0; i
< size
; i
++, addr
+= sizeof (ad
)) {
393 if (COPYIN(addr
, &ad
, sizeof (ad
), flags
))
395 if (pfr_validate_addr(&ad
))
397 p
= pfr_lookup_addr(kt
, &ad
, 1);
398 if (flags
& PFR_FLAG_FEEDBACK
) {
400 ad
.pfra_fback
= PFR_FB_NONE
;
401 else if (p
->pfrke_not
!= ad
.pfra_not
)
402 ad
.pfra_fback
= PFR_FB_CONFLICT
;
403 else if (p
->pfrke_mark
)
404 ad
.pfra_fback
= PFR_FB_DUPLICATE
;
406 ad
.pfra_fback
= PFR_FB_DELETED
;
408 if (p
!= NULL
&& p
->pfrke_not
== ad
.pfra_not
&&
411 SLIST_INSERT_HEAD(&workq
, p
, pfrke_workq
);
414 if (flags
& PFR_FLAG_FEEDBACK
)
415 if (COPYOUT(&ad
, addr
, sizeof (ad
), flags
))
418 if (!(flags
& PFR_FLAG_DUMMY
)) {
419 pfr_remove_kentries(kt
, &workq
);
425 if (flags
& PFR_FLAG_FEEDBACK
)
426 pfr_reset_feedback(_addr
, size
, flags
);
431 pfr_set_addrs(struct pfr_table
*tbl
, user_addr_t _addr
, int size
,
432 int *size2
, int *nadd
, int *ndel
, int *nchange
, int flags
,
433 u_int32_t ignore_pfrt_flags
)
435 struct pfr_ktable
*kt
, *tmpkt
;
436 struct pfr_kentryworkq addq
, delq
, changeq
;
437 struct pfr_kentry
*p
, *q
;
439 user_addr_t addr
= _addr
;
440 int i
, rv
, xadd
= 0, xdel
= 0, xchange
= 0;
441 u_int64_t tzero
= pf_calendar_time_second();
443 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
|
445 if (pfr_validate_table(tbl
, ignore_pfrt_flags
, flags
&
448 kt
= pfr_lookup_table(tbl
);
449 if (kt
== NULL
|| !(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
451 if (kt
->pfrkt_flags
& PFR_TFLAG_CONST
)
453 tmpkt
= pfr_create_ktable(&pfr_nulltable
, 0, 0);
459 SLIST_INIT(&changeq
);
460 for (i
= 0; i
< size
; i
++, addr
+= sizeof (ad
)) {
461 if (COPYIN(addr
, &ad
, sizeof (ad
), flags
))
463 if (pfr_validate_addr(&ad
))
465 ad
.pfra_fback
= PFR_FB_NONE
;
466 p
= pfr_lookup_addr(kt
, &ad
, 1);
469 ad
.pfra_fback
= PFR_FB_DUPLICATE
;
473 if (p
->pfrke_not
!= ad
.pfra_not
) {
474 SLIST_INSERT_HEAD(&changeq
, p
, pfrke_workq
);
475 ad
.pfra_fback
= PFR_FB_CHANGED
;
479 q
= pfr_lookup_addr(tmpkt
, &ad
, 1);
481 ad
.pfra_fback
= PFR_FB_DUPLICATE
;
484 p
= pfr_create_kentry(&ad
,
485 !(flags
& PFR_FLAG_USERIOCTL
));
488 if (pfr_route_kentry(tmpkt
, p
)) {
489 pfr_destroy_kentry(p
);
490 ad
.pfra_fback
= PFR_FB_NONE
;
492 SLIST_INSERT_HEAD(&addq
, p
, pfrke_workq
);
493 ad
.pfra_fback
= PFR_FB_ADDED
;
498 if (flags
& PFR_FLAG_FEEDBACK
)
499 if (COPYOUT(&ad
, addr
, sizeof (ad
), flags
))
502 pfr_enqueue_addrs(kt
, &delq
, &xdel
, ENQUEUE_UNMARKED_ONLY
);
503 if ((flags
& PFR_FLAG_FEEDBACK
) && *size2
) {
504 if (*size2
< size
+xdel
) {
510 SLIST_FOREACH(p
, &delq
, pfrke_workq
) {
511 pfr_copyout_addr(&ad
, p
);
512 ad
.pfra_fback
= PFR_FB_DELETED
;
513 if (COPYOUT(&ad
, addr
, sizeof (ad
), flags
))
519 pfr_clean_node_mask(tmpkt
, &addq
);
520 if (!(flags
& PFR_FLAG_DUMMY
)) {
521 pfr_insert_kentries(kt
, &addq
, tzero
);
522 pfr_remove_kentries(kt
, &delq
);
523 pfr_clstats_kentries(&changeq
, tzero
, INVERT_NEG_FLAG
);
525 pfr_destroy_kentries(&addq
);
532 if ((flags
& PFR_FLAG_FEEDBACK
) && size2
)
534 pfr_destroy_ktable(tmpkt
, 0);
537 pfr_clean_node_mask(tmpkt
, &addq
);
538 pfr_destroy_kentries(&addq
);
539 if (flags
& PFR_FLAG_FEEDBACK
)
540 pfr_reset_feedback(_addr
, size
, flags
);
541 pfr_destroy_ktable(tmpkt
, 0);
546 pfr_tst_addrs(struct pfr_table
*tbl
, user_addr_t addr
, int size
,
547 int *nmatch
, int flags
)
549 struct pfr_ktable
*kt
;
550 struct pfr_kentry
*p
;
554 ACCEPT_FLAGS(flags
, PFR_FLAG_REPLACE
);
555 if (pfr_validate_table(tbl
, 0, 0))
557 kt
= pfr_lookup_table(tbl
);
558 if (kt
== NULL
|| !(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
561 for (i
= 0; i
< size
; i
++, addr
+= sizeof (ad
)) {
562 if (COPYIN(addr
, &ad
, sizeof (ad
), flags
))
564 if (pfr_validate_addr(&ad
))
566 if (ADDR_NETWORK(&ad
))
568 p
= pfr_lookup_addr(kt
, &ad
, 0);
569 if (flags
& PFR_FLAG_REPLACE
)
570 pfr_copyout_addr(&ad
, p
);
571 ad
.pfra_fback
= (p
== NULL
) ? PFR_FB_NONE
:
572 (p
->pfrke_not
? PFR_FB_NOTMATCH
: PFR_FB_MATCH
);
573 if (p
!= NULL
&& !p
->pfrke_not
)
575 if (COPYOUT(&ad
, addr
, sizeof (ad
), flags
))
584 pfr_get_addrs(struct pfr_table
*tbl
, user_addr_t addr
, int *size
,
587 struct pfr_ktable
*kt
;
588 struct pfr_walktree w
;
591 ACCEPT_FLAGS(flags
, 0);
592 if (pfr_validate_table(tbl
, 0, 0))
594 kt
= pfr_lookup_table(tbl
);
595 if (kt
== NULL
|| !(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
597 if (kt
->pfrkt_cnt
> *size
) {
598 *size
= kt
->pfrkt_cnt
;
602 bzero(&w
, sizeof (w
));
603 w
.pfrw_op
= PFRW_GET_ADDRS
;
605 w
.pfrw_free
= kt
->pfrkt_cnt
;
606 w
.pfrw_flags
= flags
;
607 rv
= kt
->pfrkt_ip4
->rnh_walktree(kt
->pfrkt_ip4
, pfr_walktree
, &w
);
609 rv
= kt
->pfrkt_ip6
->rnh_walktree(kt
->pfrkt_ip6
,
615 printf("pfr_get_addrs: corruption detected (%d).\n",
619 *size
= kt
->pfrkt_cnt
;
624 pfr_get_astats(struct pfr_table
*tbl
, user_addr_t addr
, int *size
,
627 struct pfr_ktable
*kt
;
628 struct pfr_walktree w
;
629 struct pfr_kentryworkq workq
;
631 u_int64_t tzero
= pf_calendar_time_second();
633 /* XXX PFR_FLAG_CLSTATS disabled */
634 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
);
635 if (pfr_validate_table(tbl
, 0, 0))
637 kt
= pfr_lookup_table(tbl
);
638 if (kt
== NULL
|| !(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
640 if (kt
->pfrkt_cnt
> *size
) {
641 *size
= kt
->pfrkt_cnt
;
645 bzero(&w
, sizeof (w
));
646 w
.pfrw_op
= PFRW_GET_ASTATS
;
647 w
.pfrw_astats
= addr
;
648 w
.pfrw_free
= kt
->pfrkt_cnt
;
649 w
.pfrw_flags
= flags
;
650 rv
= kt
->pfrkt_ip4
->rnh_walktree(kt
->pfrkt_ip4
, pfr_walktree
, &w
);
652 rv
= kt
->pfrkt_ip6
->rnh_walktree(kt
->pfrkt_ip6
,
654 if (!rv
&& (flags
& PFR_FLAG_CLSTATS
)) {
655 pfr_enqueue_addrs(kt
, &workq
, NULL
, 0);
656 pfr_clstats_kentries(&workq
, tzero
, 0);
662 printf("pfr_get_astats: corruption detected (%d).\n",
666 *size
= kt
->pfrkt_cnt
;
671 pfr_clr_astats(struct pfr_table
*tbl
, user_addr_t _addr
, int size
,
672 int *nzero
, int flags
)
674 struct pfr_ktable
*kt
;
675 struct pfr_kentryworkq workq
;
676 struct pfr_kentry
*p
;
678 user_addr_t addr
= _addr
;
679 int i
, rv
, xzero
= 0;
681 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
|
683 if (pfr_validate_table(tbl
, 0, 0))
685 kt
= pfr_lookup_table(tbl
);
686 if (kt
== NULL
|| !(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
689 for (i
= 0; i
< size
; i
++, addr
+= sizeof (ad
)) {
690 if (COPYIN(addr
, &ad
, sizeof (ad
), flags
))
692 if (pfr_validate_addr(&ad
))
694 p
= pfr_lookup_addr(kt
, &ad
, 1);
695 if (flags
& PFR_FLAG_FEEDBACK
) {
696 ad
.pfra_fback
= (p
!= NULL
) ?
697 PFR_FB_CLEARED
: PFR_FB_NONE
;
698 if (COPYOUT(&ad
, addr
, sizeof (ad
), flags
))
702 SLIST_INSERT_HEAD(&workq
, p
, pfrke_workq
);
707 if (!(flags
& PFR_FLAG_DUMMY
)) {
708 pfr_clstats_kentries(&workq
, 0, 0);
714 if (flags
& PFR_FLAG_FEEDBACK
)
715 pfr_reset_feedback(_addr
, size
, flags
);
720 pfr_validate_addr(struct pfr_addr
*ad
)
724 switch (ad
->pfra_af
) {
727 if (ad
->pfra_net
> 32)
733 if (ad
->pfra_net
> 128)
740 if (ad
->pfra_net
< 128 &&
741 (((caddr_t
)ad
)[ad
->pfra_net
/8] & (0xFF >> (ad
->pfra_net%8
))))
743 for (i
= (ad
->pfra_net
+7)/8; i
< (int)sizeof (ad
->pfra_u
); i
++)
744 if (((caddr_t
)ad
)[i
])
746 if (ad
->pfra_not
&& ad
->pfra_not
!= 1)
754 pfr_enqueue_addrs(struct pfr_ktable
*kt
, struct pfr_kentryworkq
*workq
,
755 int *naddr
, int sweep
)
757 struct pfr_walktree w
;
760 bzero(&w
, sizeof (w
));
761 w
.pfrw_op
= sweep
? PFRW_SWEEP
: PFRW_ENQUEUE
;
762 w
.pfrw_workq
= workq
;
763 if (kt
->pfrkt_ip4
!= NULL
)
764 if (kt
->pfrkt_ip4
->rnh_walktree(kt
->pfrkt_ip4
,
766 printf("pfr_enqueue_addrs: IPv4 walktree failed.\n");
767 if (kt
->pfrkt_ip6
!= NULL
)
768 if (kt
->pfrkt_ip6
->rnh_walktree(kt
->pfrkt_ip6
,
770 printf("pfr_enqueue_addrs: IPv6 walktree failed.\n");
776 pfr_mark_addrs(struct pfr_ktable
*kt
)
778 struct pfr_walktree w
;
780 bzero(&w
, sizeof (w
));
781 w
.pfrw_op
= PFRW_MARK
;
782 if (kt
->pfrkt_ip4
->rnh_walktree(kt
->pfrkt_ip4
, pfr_walktree
, &w
))
783 printf("pfr_mark_addrs: IPv4 walktree failed.\n");
784 if (kt
->pfrkt_ip6
->rnh_walktree(kt
->pfrkt_ip6
, pfr_walktree
, &w
))
785 printf("pfr_mark_addrs: IPv6 walktree failed.\n");
789 static struct pfr_kentry
*
790 pfr_lookup_addr(struct pfr_ktable
*kt
, struct pfr_addr
*ad
, int exact
)
792 union sockaddr_union sa
, mask
;
793 struct radix_node_head
*head
;
794 struct pfr_kentry
*ke
;
796 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
798 bzero(&sa
, sizeof (sa
));
799 if (ad
->pfra_af
== AF_INET
) {
800 FILLIN_SIN(sa
.sin
, ad
->pfra_ip4addr
);
801 head
= kt
->pfrkt_ip4
;
802 } else if (ad
->pfra_af
== AF_INET6
) {
803 FILLIN_SIN6(sa
.sin6
, ad
->pfra_ip6addr
);
804 head
= kt
->pfrkt_ip6
;
808 if (ADDR_NETWORK(ad
)) {
809 pfr_prepare_network(&mask
, ad
->pfra_af
, ad
->pfra_net
);
810 ke
= (struct pfr_kentry
*)rn_lookup(&sa
, &mask
, head
);
811 if (ke
&& KENTRY_RNF_ROOT(ke
))
814 ke
= (struct pfr_kentry
*)rn_match(&sa
, head
);
815 if (ke
&& KENTRY_RNF_ROOT(ke
))
817 if (exact
&& ke
&& KENTRY_NETWORK(ke
))
823 static struct pfr_kentry
*
824 pfr_create_kentry(struct pfr_addr
*ad
, int intr
)
826 struct pfr_kentry
*ke
;
829 ke
= pool_get(&pfr_kentry_pl2
, PR_WAITOK
);
831 ke
= pool_get(&pfr_kentry_pl
, PR_WAITOK
);
834 bzero(ke
, sizeof (*ke
));
836 if (ad
->pfra_af
== AF_INET
)
837 FILLIN_SIN(ke
->pfrke_sa
.sin
, ad
->pfra_ip4addr
);
838 else if (ad
->pfra_af
== AF_INET6
)
839 FILLIN_SIN6(ke
->pfrke_sa
.sin6
, ad
->pfra_ip6addr
);
840 ke
->pfrke_af
= ad
->pfra_af
;
841 ke
->pfrke_net
= ad
->pfra_net
;
842 ke
->pfrke_not
= ad
->pfra_not
;
843 ke
->pfrke_intrpool
= intr
;
848 pfr_destroy_kentries(struct pfr_kentryworkq
*workq
)
850 struct pfr_kentry
*p
, *q
;
852 for (p
= SLIST_FIRST(workq
); p
!= NULL
; p
= q
) {
853 q
= SLIST_NEXT(p
, pfrke_workq
);
854 pfr_destroy_kentry(p
);
859 pfr_destroy_kentry(struct pfr_kentry
*ke
)
861 if (ke
->pfrke_intrpool
)
862 pool_put(&pfr_kentry_pl2
, ke
);
864 pool_put(&pfr_kentry_pl
, ke
);
868 pfr_insert_kentries(struct pfr_ktable
*kt
,
869 struct pfr_kentryworkq
*workq
, u_int64_t tzero
)
871 struct pfr_kentry
*p
;
874 SLIST_FOREACH(p
, workq
, pfrke_workq
) {
875 rv
= pfr_route_kentry(kt
, p
);
877 printf("pfr_insert_kentries: cannot route entry "
881 p
->pfrke_tzero
= tzero
;
888 pfr_insert_kentry(struct pfr_ktable
*kt
, struct pfr_addr
*ad
, u_int64_t tzero
)
890 struct pfr_kentry
*p
;
893 p
= pfr_lookup_addr(kt
, ad
, 1);
896 p
= pfr_create_kentry(ad
, 1);
900 rv
= pfr_route_kentry(kt
, p
);
904 p
->pfrke_tzero
= tzero
;
911 pfr_remove_kentries(struct pfr_ktable
*kt
,
912 struct pfr_kentryworkq
*workq
)
914 struct pfr_kentry
*p
;
917 SLIST_FOREACH(p
, workq
, pfrke_workq
) {
918 pfr_unroute_kentry(kt
, p
);
922 pfr_destroy_kentries(workq
);
926 pfr_clean_node_mask(struct pfr_ktable
*kt
,
927 struct pfr_kentryworkq
*workq
)
929 struct pfr_kentry
*p
;
931 SLIST_FOREACH(p
, workq
, pfrke_workq
)
932 pfr_unroute_kentry(kt
, p
);
936 pfr_clstats_kentries(struct pfr_kentryworkq
*workq
, u_int64_t tzero
,
939 struct pfr_kentry
*p
;
941 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
943 SLIST_FOREACH(p
, workq
, pfrke_workq
) {
945 p
->pfrke_not
= !p
->pfrke_not
;
946 bzero(p
->pfrke_packets
, sizeof (p
->pfrke_packets
));
947 bzero(p
->pfrke_bytes
, sizeof (p
->pfrke_bytes
));
948 p
->pfrke_tzero
= tzero
;
953 pfr_reset_feedback(user_addr_t addr
, int size
, int flags
)
958 for (i
= 0; i
< size
; i
++, addr
+= sizeof (ad
)) {
959 if (COPYIN(addr
, &ad
, sizeof (ad
), flags
))
961 ad
.pfra_fback
= PFR_FB_NONE
;
962 if (COPYOUT(&ad
, addr
, sizeof (ad
), flags
))
968 pfr_prepare_network(union sockaddr_union
*sa
, int af
, int net
)
972 bzero(sa
, sizeof (*sa
));
974 sa
->sin
.sin_len
= sizeof (sa
->sin
);
975 sa
->sin
.sin_family
= AF_INET
;
976 sa
->sin
.sin_addr
.s_addr
= net
? htonl(-1 << (32-net
)) : 0;
977 } else if (af
== AF_INET6
) {
978 sa
->sin6
.sin6_len
= sizeof (sa
->sin6
);
979 sa
->sin6
.sin6_family
= AF_INET6
;
980 for (i
= 0; i
< 4; i
++) {
982 sa
->sin6
.sin6_addr
.s6_addr32
[i
] =
983 net
? htonl(-1 << (32-net
)) : 0;
986 sa
->sin6
.sin6_addr
.s6_addr32
[i
] = 0xFFFFFFFF;
993 pfr_route_kentry(struct pfr_ktable
*kt
, struct pfr_kentry
*ke
)
995 union sockaddr_union mask
;
996 struct radix_node
*rn
;
997 struct radix_node_head
*head
;
999 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1001 bzero(ke
->pfrke_node
, sizeof (ke
->pfrke_node
));
1002 if (ke
->pfrke_af
== AF_INET
)
1003 head
= kt
->pfrkt_ip4
;
1004 else if (ke
->pfrke_af
== AF_INET6
)
1005 head
= kt
->pfrkt_ip6
;
1009 if (KENTRY_NETWORK(ke
)) {
1010 pfr_prepare_network(&mask
, ke
->pfrke_af
, ke
->pfrke_net
);
1011 rn
= rn_addroute(&ke
->pfrke_sa
, &mask
, head
, ke
->pfrke_node
);
1013 rn
= rn_addroute(&ke
->pfrke_sa
, NULL
, head
, ke
->pfrke_node
);
1015 return (rn
== NULL
? -1 : 0);
1019 pfr_unroute_kentry(struct pfr_ktable
*kt
, struct pfr_kentry
*ke
)
1021 union sockaddr_union mask
;
1022 struct radix_node
*rn
;
1023 struct radix_node_head
*head
;
1025 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1027 if (ke
->pfrke_af
== AF_INET
)
1028 head
= kt
->pfrkt_ip4
;
1029 else if (ke
->pfrke_af
== AF_INET6
)
1030 head
= kt
->pfrkt_ip6
;
1034 if (KENTRY_NETWORK(ke
)) {
1035 pfr_prepare_network(&mask
, ke
->pfrke_af
, ke
->pfrke_net
);
1036 rn
= rn_delete(&ke
->pfrke_sa
, &mask
, head
);
1038 rn
= rn_delete(&ke
->pfrke_sa
, NULL
, head
);
1041 printf("pfr_unroute_kentry: delete failed.\n");
1048 pfr_copyout_addr(struct pfr_addr
*ad
, struct pfr_kentry
*ke
)
1050 bzero(ad
, sizeof (*ad
));
1053 ad
->pfra_af
= ke
->pfrke_af
;
1054 ad
->pfra_net
= ke
->pfrke_net
;
1055 ad
->pfra_not
= ke
->pfrke_not
;
1056 if (ad
->pfra_af
== AF_INET
)
1057 ad
->pfra_ip4addr
= ke
->pfrke_sa
.sin
.sin_addr
;
1058 else if (ad
->pfra_af
== AF_INET6
)
1059 ad
->pfra_ip6addr
= ke
->pfrke_sa
.sin6
.sin6_addr
;
1063 pfr_walktree(struct radix_node
*rn
, void *arg
)
1065 struct pfr_kentry
*ke
= (struct pfr_kentry
*)rn
;
1066 struct pfr_walktree
*w
= arg
;
1067 int flags
= w
->pfrw_flags
;
1069 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1071 switch (w
->pfrw_op
) {
1080 SLIST_INSERT_HEAD(w
->pfrw_workq
, ke
, pfrke_workq
);
1083 case PFRW_GET_ADDRS
:
1084 if (w
->pfrw_free
-- > 0) {
1087 pfr_copyout_addr(&ad
, ke
);
1088 if (copyout(&ad
, w
->pfrw_addr
, sizeof (ad
)))
1090 w
->pfrw_addr
+= sizeof (ad
);
1093 case PFRW_GET_ASTATS
:
1094 if (w
->pfrw_free
-- > 0) {
1095 struct pfr_astats as
;
1097 pfr_copyout_addr(&as
.pfras_a
, ke
);
1099 bcopy(ke
->pfrke_packets
, as
.pfras_packets
,
1100 sizeof (as
.pfras_packets
));
1101 bcopy(ke
->pfrke_bytes
, as
.pfras_bytes
,
1102 sizeof (as
.pfras_bytes
));
1103 as
.pfras_tzero
= ke
->pfrke_tzero
;
1105 if (COPYOUT(&as
, w
->pfrw_astats
, sizeof (as
), flags
))
1107 w
->pfrw_astats
+= sizeof (as
);
1112 break; /* negative entries are ignored */
1113 if (!w
->pfrw_cnt
--) {
1114 w
->pfrw_kentry
= ke
;
1115 return (1); /* finish search */
1118 case PFRW_DYNADDR_UPDATE
:
1119 if (ke
->pfrke_af
== AF_INET
) {
1120 if (w
->pfrw_dyn
->pfid_acnt4
++ > 0)
1122 pfr_prepare_network(&pfr_mask
, AF_INET
, ke
->pfrke_net
);
1123 w
->pfrw_dyn
->pfid_addr4
= *SUNION2PF(
1124 &ke
->pfrke_sa
, AF_INET
);
1125 w
->pfrw_dyn
->pfid_mask4
= *SUNION2PF(
1126 &pfr_mask
, AF_INET
);
1127 } else if (ke
->pfrke_af
== AF_INET6
) {
1128 if (w
->pfrw_dyn
->pfid_acnt6
++ > 0)
1130 pfr_prepare_network(&pfr_mask
, AF_INET6
, ke
->pfrke_net
);
1131 w
->pfrw_dyn
->pfid_addr6
= *SUNION2PF(
1132 &ke
->pfrke_sa
, AF_INET6
);
1133 w
->pfrw_dyn
->pfid_mask6
= *SUNION2PF(
1134 &pfr_mask
, AF_INET6
);
1142 pfr_clr_tables(struct pfr_table
*filter
, int *ndel
, int flags
)
1144 struct pfr_ktableworkq workq
;
1145 struct pfr_ktable
*p
;
1148 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1150 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
|
1152 if (pfr_fix_anchor(filter
->pfrt_anchor
))
1154 if (pfr_table_count(filter
, flags
) < 0)
1158 RB_FOREACH(p
, pfr_ktablehead
, &pfr_ktables
) {
1159 if (pfr_skip_table(filter
, p
, flags
))
1161 if (strcmp(p
->pfrkt_anchor
, PF_RESERVED_ANCHOR
) == 0)
1163 if (!(p
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
1165 p
->pfrkt_nflags
= p
->pfrkt_flags
& ~PFR_TFLAG_ACTIVE
;
1166 SLIST_INSERT_HEAD(&workq
, p
, pfrkt_workq
);
1169 if (!(flags
& PFR_FLAG_DUMMY
)) {
1170 pfr_setflags_ktables(&workq
);
1178 pfr_add_tables(user_addr_t tbl
, int size
, int *nadd
, int flags
)
1180 struct pfr_ktableworkq addq
, changeq
;
1181 struct pfr_ktable
*p
, *q
, *r
, key
;
1182 int i
, rv
, xadd
= 0;
1183 u_int64_t tzero
= pf_calendar_time_second();
1185 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1187 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
);
1189 SLIST_INIT(&changeq
);
1190 for (i
= 0; i
< size
; i
++, tbl
+= sizeof (key
.pfrkt_t
)) {
1191 if (COPYIN(tbl
, &key
.pfrkt_t
, sizeof (key
.pfrkt_t
), flags
))
1193 pfr_table_copyin_cleanup(&key
.pfrkt_t
);
1194 if (pfr_validate_table(&key
.pfrkt_t
, PFR_TFLAG_USRMASK
,
1195 flags
& PFR_FLAG_USERIOCTL
))
1197 key
.pfrkt_flags
|= PFR_TFLAG_ACTIVE
;
1198 p
= RB_FIND(pfr_ktablehead
, &pfr_ktables
, &key
);
1200 p
= pfr_create_ktable(&key
.pfrkt_t
, tzero
, 1);
1203 SLIST_FOREACH(q
, &addq
, pfrkt_workq
) {
1204 if (!pfr_ktable_compare(p
, q
))
1207 SLIST_INSERT_HEAD(&addq
, p
, pfrkt_workq
);
1209 if (!key
.pfrkt_anchor
[0])
1212 /* find or create root table */
1213 bzero(key
.pfrkt_anchor
, sizeof (key
.pfrkt_anchor
));
1214 r
= RB_FIND(pfr_ktablehead
, &pfr_ktables
, &key
);
1219 SLIST_FOREACH(q
, &addq
, pfrkt_workq
) {
1220 if (!pfr_ktable_compare(&key
, q
)) {
1225 key
.pfrkt_flags
= 0;
1226 r
= pfr_create_ktable(&key
.pfrkt_t
, 0, 1);
1229 SLIST_INSERT_HEAD(&addq
, r
, pfrkt_workq
);
1231 } else if (!(p
->pfrkt_flags
& PFR_TFLAG_ACTIVE
)) {
1232 SLIST_FOREACH(q
, &changeq
, pfrkt_workq
)
1233 if (!pfr_ktable_compare(&key
, q
))
1235 p
->pfrkt_nflags
= (p
->pfrkt_flags
&
1236 ~PFR_TFLAG_USRMASK
) | key
.pfrkt_flags
;
1237 SLIST_INSERT_HEAD(&changeq
, p
, pfrkt_workq
);
1243 if (!(flags
& PFR_FLAG_DUMMY
)) {
1244 pfr_insert_ktables(&addq
);
1245 pfr_setflags_ktables(&changeq
);
1247 pfr_destroy_ktables(&addq
, 0);
1252 pfr_destroy_ktables(&addq
, 0);
1257 pfr_del_tables(user_addr_t tbl
, int size
, int *ndel
, int flags
)
1259 struct pfr_ktableworkq workq
;
1260 struct pfr_ktable
*p
, *q
, key
;
1263 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1265 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
);
1267 for (i
= 0; i
< size
; i
++, tbl
+= sizeof (key
.pfrkt_t
)) {
1268 if (COPYIN(tbl
, &key
.pfrkt_t
, sizeof (key
.pfrkt_t
), flags
))
1270 pfr_table_copyin_cleanup(&key
.pfrkt_t
);
1271 if (pfr_validate_table(&key
.pfrkt_t
, 0,
1272 flags
& PFR_FLAG_USERIOCTL
))
1274 p
= RB_FIND(pfr_ktablehead
, &pfr_ktables
, &key
);
1275 if (p
!= NULL
&& (p
->pfrkt_flags
& PFR_TFLAG_ACTIVE
)) {
1276 SLIST_FOREACH(q
, &workq
, pfrkt_workq
)
1277 if (!pfr_ktable_compare(p
, q
))
1279 p
->pfrkt_nflags
= p
->pfrkt_flags
& ~PFR_TFLAG_ACTIVE
;
1280 SLIST_INSERT_HEAD(&workq
, p
, pfrkt_workq
);
1287 if (!(flags
& PFR_FLAG_DUMMY
)) {
1288 pfr_setflags_ktables(&workq
);
1296 pfr_get_tables(struct pfr_table
*filter
, user_addr_t tbl
, int *size
,
1299 struct pfr_ktable
*p
;
1302 ACCEPT_FLAGS(flags
, PFR_FLAG_ALLRSETS
);
1303 if (pfr_fix_anchor(filter
->pfrt_anchor
))
1305 n
= nn
= pfr_table_count(filter
, flags
);
1312 RB_FOREACH(p
, pfr_ktablehead
, &pfr_ktables
) {
1313 if (pfr_skip_table(filter
, p
, flags
))
1317 if (COPYOUT(&p
->pfrkt_t
, tbl
, sizeof (p
->pfrkt_t
), flags
))
1319 tbl
+= sizeof (p
->pfrkt_t
);
1322 printf("pfr_get_tables: corruption detected (%d).\n", n
);
1330 pfr_get_tstats(struct pfr_table
*filter
, user_addr_t tbl
, int *size
,
1333 struct pfr_ktable
*p
;
1334 struct pfr_ktableworkq workq
;
1336 u_int64_t tzero
= pf_calendar_time_second();
1338 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1340 /* XXX PFR_FLAG_CLSTATS disabled */
1341 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_ALLRSETS
);
1342 if (pfr_fix_anchor(filter
->pfrt_anchor
))
1344 n
= nn
= pfr_table_count(filter
, flags
);
1352 RB_FOREACH(p
, pfr_ktablehead
, &pfr_ktables
) {
1353 if (pfr_skip_table(filter
, p
, flags
))
1357 if (COPYOUT(&p
->pfrkt_ts
, tbl
, sizeof (p
->pfrkt_ts
), flags
)) {
1360 tbl
+= sizeof (p
->pfrkt_ts
);
1361 SLIST_INSERT_HEAD(&workq
, p
, pfrkt_workq
);
1363 if (flags
& PFR_FLAG_CLSTATS
)
1364 pfr_clstats_ktables(&workq
, tzero
,
1365 flags
& PFR_FLAG_ADDRSTOO
);
1367 printf("pfr_get_tstats: corruption detected (%d).\n", n
);
1375 pfr_clr_tstats(user_addr_t tbl
, int size
, int *nzero
, int flags
)
1377 struct pfr_ktableworkq workq
;
1378 struct pfr_ktable
*p
, key
;
1380 u_int64_t tzero
= pf_calendar_time_second();
1382 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1384 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
|
1387 for (i
= 0; i
< size
; i
++, tbl
+= sizeof (key
.pfrkt_t
)) {
1388 if (COPYIN(tbl
, &key
.pfrkt_t
, sizeof (key
.pfrkt_t
), flags
))
1390 pfr_table_copyin_cleanup(&key
.pfrkt_t
);
1391 if (pfr_validate_table(&key
.pfrkt_t
, 0, 0))
1393 p
= RB_FIND(pfr_ktablehead
, &pfr_ktables
, &key
);
1395 SLIST_INSERT_HEAD(&workq
, p
, pfrkt_workq
);
1399 if (!(flags
& PFR_FLAG_DUMMY
)) {
1400 pfr_clstats_ktables(&workq
, tzero
, flags
& PFR_FLAG_ADDRSTOO
);
1408 pfr_set_tflags(user_addr_t tbl
, int size
, int setflag
, int clrflag
,
1409 int *nchange
, int *ndel
, int flags
)
1411 struct pfr_ktableworkq workq
;
1412 struct pfr_ktable
*p
, *q
, key
;
1413 int i
, xchange
= 0, xdel
= 0;
1415 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1417 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
);
1418 if ((setflag
& ~PFR_TFLAG_USRMASK
) ||
1419 (clrflag
& ~PFR_TFLAG_USRMASK
) ||
1420 (setflag
& clrflag
))
1423 for (i
= 0; i
< size
; i
++, tbl
+= sizeof (key
.pfrkt_t
)) {
1424 if (COPYIN(tbl
, &key
.pfrkt_t
, sizeof (key
.pfrkt_t
), flags
))
1426 pfr_table_copyin_cleanup(&key
.pfrkt_t
);
1427 if (pfr_validate_table(&key
.pfrkt_t
, 0,
1428 flags
& PFR_FLAG_USERIOCTL
))
1430 p
= RB_FIND(pfr_ktablehead
, &pfr_ktables
, &key
);
1431 if (p
!= NULL
&& (p
->pfrkt_flags
& PFR_TFLAG_ACTIVE
)) {
1432 p
->pfrkt_nflags
= (p
->pfrkt_flags
| setflag
) &
1434 if (p
->pfrkt_nflags
== p
->pfrkt_flags
)
1436 SLIST_FOREACH(q
, &workq
, pfrkt_workq
)
1437 if (!pfr_ktable_compare(p
, q
))
1439 SLIST_INSERT_HEAD(&workq
, p
, pfrkt_workq
);
1440 if ((p
->pfrkt_flags
& PFR_TFLAG_PERSIST
) &&
1441 (clrflag
& PFR_TFLAG_PERSIST
) &&
1442 !(p
->pfrkt_flags
& PFR_TFLAG_REFERENCED
))
1450 if (!(flags
& PFR_FLAG_DUMMY
)) {
1451 pfr_setflags_ktables(&workq
);
1453 if (nchange
!= NULL
)
1461 pfr_ina_begin(struct pfr_table
*trs
, u_int32_t
*ticket
, int *ndel
, int flags
)
1463 struct pfr_ktableworkq workq
;
1464 struct pfr_ktable
*p
;
1465 struct pf_ruleset
*rs
;
1468 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1470 ACCEPT_FLAGS(flags
, PFR_FLAG_DUMMY
);
1471 rs
= pf_find_or_create_ruleset(trs
->pfrt_anchor
);
1475 RB_FOREACH(p
, pfr_ktablehead
, &pfr_ktables
) {
1476 if (!(p
->pfrkt_flags
& PFR_TFLAG_INACTIVE
) ||
1477 pfr_skip_table(trs
, p
, 0))
1479 p
->pfrkt_nflags
= p
->pfrkt_flags
& ~PFR_TFLAG_INACTIVE
;
1480 SLIST_INSERT_HEAD(&workq
, p
, pfrkt_workq
);
1483 if (!(flags
& PFR_FLAG_DUMMY
)) {
1484 pfr_setflags_ktables(&workq
);
1486 *ticket
= ++rs
->tticket
;
1489 pf_remove_if_empty_ruleset(rs
);
1496 pfr_ina_define(struct pfr_table
*tbl
, user_addr_t addr
, int size
,
1497 int *nadd
, int *naddr
, u_int32_t ticket
, int flags
)
1499 struct pfr_ktableworkq tableq
;
1500 struct pfr_kentryworkq addrq
;
1501 struct pfr_ktable
*kt
, *rt
, *shadow
, key
;
1502 struct pfr_kentry
*p
;
1504 struct pf_ruleset
*rs
;
1505 int i
, rv
, xadd
= 0, xaddr
= 0;
1507 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1509 ACCEPT_FLAGS(flags
, PFR_FLAG_DUMMY
| PFR_FLAG_ADDRSTOO
);
1510 if (size
&& !(flags
& PFR_FLAG_ADDRSTOO
))
1512 if (pfr_validate_table(tbl
, PFR_TFLAG_USRMASK
,
1513 flags
& PFR_FLAG_USERIOCTL
))
1515 rs
= pf_find_ruleset(tbl
->pfrt_anchor
);
1516 if (rs
== NULL
|| !rs
->topen
|| ticket
!= rs
->tticket
)
1518 tbl
->pfrt_flags
|= PFR_TFLAG_INACTIVE
;
1519 SLIST_INIT(&tableq
);
1520 kt
= RB_FIND(pfr_ktablehead
, &pfr_ktables
, (struct pfr_ktable
*)(void *)tbl
);
1522 kt
= pfr_create_ktable(tbl
, 0, 1);
1525 SLIST_INSERT_HEAD(&tableq
, kt
, pfrkt_workq
);
1527 if (!tbl
->pfrt_anchor
[0])
1530 /* find or create root table */
1531 bzero(&key
, sizeof (key
));
1532 strlcpy(key
.pfrkt_name
, tbl
->pfrt_name
,
1533 sizeof (key
.pfrkt_name
));
1534 rt
= RB_FIND(pfr_ktablehead
, &pfr_ktables
, &key
);
1536 kt
->pfrkt_root
= rt
;
1539 rt
= pfr_create_ktable(&key
.pfrkt_t
, 0, 1);
1541 pfr_destroy_ktables(&tableq
, 0);
1544 SLIST_INSERT_HEAD(&tableq
, rt
, pfrkt_workq
);
1545 kt
->pfrkt_root
= rt
;
1546 } else if (!(kt
->pfrkt_flags
& PFR_TFLAG_INACTIVE
))
1549 shadow
= pfr_create_ktable(tbl
, 0, 0);
1550 if (shadow
== NULL
) {
1551 pfr_destroy_ktables(&tableq
, 0);
1555 for (i
= 0; i
< size
; i
++, addr
+= sizeof (ad
)) {
1556 if (COPYIN(addr
, &ad
, sizeof (ad
), flags
))
1558 if (pfr_validate_addr(&ad
))
1560 if (pfr_lookup_addr(shadow
, &ad
, 1) != NULL
)
1562 p
= pfr_create_kentry(&ad
, 0);
1565 if (pfr_route_kentry(shadow
, p
)) {
1566 pfr_destroy_kentry(p
);
1569 SLIST_INSERT_HEAD(&addrq
, p
, pfrke_workq
);
1572 if (!(flags
& PFR_FLAG_DUMMY
)) {
1573 if (kt
->pfrkt_shadow
!= NULL
)
1574 pfr_destroy_ktable(kt
->pfrkt_shadow
, 1);
1575 kt
->pfrkt_flags
|= PFR_TFLAG_INACTIVE
;
1576 pfr_insert_ktables(&tableq
);
1577 shadow
->pfrkt_cnt
= (flags
& PFR_FLAG_ADDRSTOO
) ?
1578 xaddr
: NO_ADDRESSES
;
1579 kt
->pfrkt_shadow
= shadow
;
1581 pfr_clean_node_mask(shadow
, &addrq
);
1582 pfr_destroy_ktable(shadow
, 0);
1583 pfr_destroy_ktables(&tableq
, 0);
1584 pfr_destroy_kentries(&addrq
);
1592 pfr_destroy_ktable(shadow
, 0);
1593 pfr_destroy_ktables(&tableq
, 0);
1594 pfr_destroy_kentries(&addrq
);
1599 pfr_ina_rollback(struct pfr_table
*trs
, u_int32_t ticket
, int *ndel
, int flags
)
1601 struct pfr_ktableworkq workq
;
1602 struct pfr_ktable
*p
;
1603 struct pf_ruleset
*rs
;
1606 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1608 ACCEPT_FLAGS(flags
, PFR_FLAG_DUMMY
);
1609 rs
= pf_find_ruleset(trs
->pfrt_anchor
);
1610 if (rs
== NULL
|| !rs
->topen
|| ticket
!= rs
->tticket
)
1613 RB_FOREACH(p
, pfr_ktablehead
, &pfr_ktables
) {
1614 if (!(p
->pfrkt_flags
& PFR_TFLAG_INACTIVE
) ||
1615 pfr_skip_table(trs
, p
, 0))
1617 p
->pfrkt_nflags
= p
->pfrkt_flags
& ~PFR_TFLAG_INACTIVE
;
1618 SLIST_INSERT_HEAD(&workq
, p
, pfrkt_workq
);
1621 if (!(flags
& PFR_FLAG_DUMMY
)) {
1622 pfr_setflags_ktables(&workq
);
1624 pf_remove_if_empty_ruleset(rs
);
1632 pfr_ina_commit(struct pfr_table
*trs
, u_int32_t ticket
, int *nadd
,
1633 int *nchange
, int flags
)
1635 struct pfr_ktable
*p
, *q
;
1636 struct pfr_ktableworkq workq
;
1637 struct pf_ruleset
*rs
;
1638 int xadd
= 0, xchange
= 0;
1639 u_int64_t tzero
= pf_calendar_time_second();
1641 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1643 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
);
1644 rs
= pf_find_ruleset(trs
->pfrt_anchor
);
1645 if (rs
== NULL
|| !rs
->topen
|| ticket
!= rs
->tticket
)
1649 RB_FOREACH(p
, pfr_ktablehead
, &pfr_ktables
) {
1650 if (!(p
->pfrkt_flags
& PFR_TFLAG_INACTIVE
) ||
1651 pfr_skip_table(trs
, p
, 0))
1653 SLIST_INSERT_HEAD(&workq
, p
, pfrkt_workq
);
1654 if (p
->pfrkt_flags
& PFR_TFLAG_ACTIVE
)
1660 if (!(flags
& PFR_FLAG_DUMMY
)) {
1661 for (p
= SLIST_FIRST(&workq
); p
!= NULL
; p
= q
) {
1662 q
= SLIST_NEXT(p
, pfrkt_workq
);
1663 pfr_commit_ktable(p
, tzero
);
1666 pf_remove_if_empty_ruleset(rs
);
1670 if (nchange
!= NULL
)
1677 pfr_commit_ktable(struct pfr_ktable
*kt
, u_int64_t tzero
)
1679 struct pfr_ktable
*shadow
= kt
->pfrkt_shadow
;
1682 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1684 if (shadow
->pfrkt_cnt
== NO_ADDRESSES
) {
1685 if (!(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
1686 pfr_clstats_ktable(kt
, tzero
, 1);
1687 } else if (kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
) {
1688 /* kt might contain addresses */
1689 struct pfr_kentryworkq addrq
, addq
, changeq
, delq
, garbageq
;
1690 struct pfr_kentry
*p
, *q
, *next
;
1693 pfr_enqueue_addrs(shadow
, &addrq
, NULL
, 0);
1696 SLIST_INIT(&changeq
);
1698 SLIST_INIT(&garbageq
);
1699 pfr_clean_node_mask(shadow
, &addrq
);
1700 for (p
= SLIST_FIRST(&addrq
); p
!= NULL
; p
= next
) {
1701 next
= SLIST_NEXT(p
, pfrke_workq
); /* XXX */
1702 pfr_copyout_addr(&ad
, p
);
1703 q
= pfr_lookup_addr(kt
, &ad
, 1);
1705 if (q
->pfrke_not
!= p
->pfrke_not
)
1706 SLIST_INSERT_HEAD(&changeq
, q
,
1709 SLIST_INSERT_HEAD(&garbageq
, p
, pfrke_workq
);
1711 p
->pfrke_tzero
= tzero
;
1712 SLIST_INSERT_HEAD(&addq
, p
, pfrke_workq
);
1715 pfr_enqueue_addrs(kt
, &delq
, NULL
, ENQUEUE_UNMARKED_ONLY
);
1716 pfr_insert_kentries(kt
, &addq
, tzero
);
1717 pfr_remove_kentries(kt
, &delq
);
1718 pfr_clstats_kentries(&changeq
, tzero
, INVERT_NEG_FLAG
);
1719 pfr_destroy_kentries(&garbageq
);
1721 /* kt cannot contain addresses */
1722 SWAP(struct radix_node_head
*, kt
->pfrkt_ip4
,
1724 SWAP(struct radix_node_head
*, kt
->pfrkt_ip6
,
1726 SWAP(int, kt
->pfrkt_cnt
, shadow
->pfrkt_cnt
);
1727 pfr_clstats_ktable(kt
, tzero
, 1);
1729 nflags
= ((shadow
->pfrkt_flags
& PFR_TFLAG_USRMASK
) |
1730 (kt
->pfrkt_flags
& PFR_TFLAG_SETMASK
) | PFR_TFLAG_ACTIVE
) &
1731 ~PFR_TFLAG_INACTIVE
;
1732 pfr_destroy_ktable(shadow
, 0);
1733 kt
->pfrkt_shadow
= NULL
;
1734 pfr_setflags_ktable(kt
, nflags
);
1738 pfr_table_copyin_cleanup(struct pfr_table
*tbl
)
1740 tbl
->pfrt_anchor
[sizeof (tbl
->pfrt_anchor
) - 1] = '\0';
1741 tbl
->pfrt_name
[sizeof (tbl
->pfrt_name
) - 1] = '\0';
1745 pfr_validate_table(struct pfr_table
*tbl
, int allowedflags
, int no_reserved
)
1749 if (!tbl
->pfrt_name
[0])
1751 if (no_reserved
&& strcmp(tbl
->pfrt_anchor
, PF_RESERVED_ANCHOR
) == 0)
1753 if (tbl
->pfrt_name
[PF_TABLE_NAME_SIZE
-1])
1755 for (i
= strlen(tbl
->pfrt_name
); i
< PF_TABLE_NAME_SIZE
; i
++)
1756 if (tbl
->pfrt_name
[i
])
1758 if (pfr_fix_anchor(tbl
->pfrt_anchor
))
1760 if (tbl
->pfrt_flags
& ~allowedflags
)
1766 * Rewrite anchors referenced by tables to remove slashes
1767 * and check for validity.
1770 pfr_fix_anchor(char *anchor
)
1772 size_t siz
= MAXPATHLEN
;
1775 if (anchor
[0] == '/') {
1781 while (*++path
== '/')
1783 bcopy(path
, anchor
, siz
- off
);
1784 memset(anchor
+ siz
- off
, 0, off
);
1786 if (anchor
[siz
- 1])
1788 for (i
= strlen(anchor
); i
< (int)siz
; i
++)
1795 pfr_table_count(struct pfr_table
*filter
, int flags
)
1797 struct pf_ruleset
*rs
;
1799 if (flags
& PFR_FLAG_ALLRSETS
)
1800 return (pfr_ktable_cnt
);
1801 if (filter
->pfrt_anchor
[0]) {
1802 rs
= pf_find_ruleset(filter
->pfrt_anchor
);
1803 return ((rs
!= NULL
) ? rs
->tables
: -1);
1805 return (pf_main_ruleset
.tables
);
1809 pfr_skip_table(struct pfr_table
*filter
, struct pfr_ktable
*kt
, int flags
)
1811 if (flags
& PFR_FLAG_ALLRSETS
)
1813 if (strcmp(filter
->pfrt_anchor
, kt
->pfrkt_anchor
))
1819 pfr_insert_ktables(struct pfr_ktableworkq
*workq
)
1821 struct pfr_ktable
*p
;
1823 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1825 SLIST_FOREACH(p
, workq
, pfrkt_workq
)
1826 pfr_insert_ktable(p
);
1830 pfr_insert_ktable(struct pfr_ktable
*kt
)
1832 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1834 RB_INSERT(pfr_ktablehead
, &pfr_ktables
, kt
);
1836 if (kt
->pfrkt_root
!= NULL
)
1837 if (!kt
->pfrkt_root
->pfrkt_refcnt
[PFR_REFCNT_ANCHOR
]++)
1838 pfr_setflags_ktable(kt
->pfrkt_root
,
1839 kt
->pfrkt_root
->pfrkt_flags
|PFR_TFLAG_REFDANCHOR
);
1843 pfr_setflags_ktables(struct pfr_ktableworkq
*workq
)
1845 struct pfr_ktable
*p
, *q
;
1847 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1849 for (p
= SLIST_FIRST(workq
); p
; p
= q
) {
1850 q
= SLIST_NEXT(p
, pfrkt_workq
);
1851 pfr_setflags_ktable(p
, p
->pfrkt_nflags
);
1856 pfr_setflags_ktable(struct pfr_ktable
*kt
, int newf
)
1858 struct pfr_kentryworkq addrq
;
1860 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1862 if (!(newf
& PFR_TFLAG_REFERENCED
) &&
1863 !(newf
& PFR_TFLAG_PERSIST
))
1864 newf
&= ~PFR_TFLAG_ACTIVE
;
1865 if (!(newf
& PFR_TFLAG_ACTIVE
))
1866 newf
&= ~PFR_TFLAG_USRMASK
;
1867 if (!(newf
& PFR_TFLAG_SETMASK
)) {
1868 RB_REMOVE(pfr_ktablehead
, &pfr_ktables
, kt
);
1869 if (kt
->pfrkt_root
!= NULL
)
1870 if (!--kt
->pfrkt_root
->pfrkt_refcnt
[PFR_REFCNT_ANCHOR
])
1871 pfr_setflags_ktable(kt
->pfrkt_root
,
1872 kt
->pfrkt_root
->pfrkt_flags
&
1873 ~PFR_TFLAG_REFDANCHOR
);
1874 pfr_destroy_ktable(kt
, 1);
1878 if (!(newf
& PFR_TFLAG_ACTIVE
) && kt
->pfrkt_cnt
) {
1879 pfr_enqueue_addrs(kt
, &addrq
, NULL
, 0);
1880 pfr_remove_kentries(kt
, &addrq
);
1882 if (!(newf
& PFR_TFLAG_INACTIVE
) && kt
->pfrkt_shadow
!= NULL
) {
1883 pfr_destroy_ktable(kt
->pfrkt_shadow
, 1);
1884 kt
->pfrkt_shadow
= NULL
;
1886 kt
->pfrkt_flags
= newf
;
1890 pfr_clstats_ktables(struct pfr_ktableworkq
*workq
, u_int64_t tzero
, int recurse
)
1892 struct pfr_ktable
*p
;
1894 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1896 SLIST_FOREACH(p
, workq
, pfrkt_workq
)
1897 pfr_clstats_ktable(p
, tzero
, recurse
);
1901 pfr_clstats_ktable(struct pfr_ktable
*kt
, u_int64_t tzero
, int recurse
)
1903 struct pfr_kentryworkq addrq
;
1905 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1908 pfr_enqueue_addrs(kt
, &addrq
, NULL
, 0);
1909 pfr_clstats_kentries(&addrq
, tzero
, 0);
1911 bzero(kt
->pfrkt_packets
, sizeof (kt
->pfrkt_packets
));
1912 bzero(kt
->pfrkt_bytes
, sizeof (kt
->pfrkt_bytes
));
1913 kt
->pfrkt_match
= kt
->pfrkt_nomatch
= 0;
1914 kt
->pfrkt_tzero
= tzero
;
1917 static struct pfr_ktable
*
1918 pfr_create_ktable(struct pfr_table
*tbl
, u_int64_t tzero
, int attachruleset
)
1920 struct pfr_ktable
*kt
;
1921 struct pf_ruleset
*rs
;
1923 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1925 kt
= pool_get(&pfr_ktable_pl
, PR_WAITOK
);
1928 bzero(kt
, sizeof (*kt
));
1931 if (attachruleset
) {
1932 rs
= pf_find_or_create_ruleset(tbl
->pfrt_anchor
);
1934 pfr_destroy_ktable(kt
, 0);
1941 if (!rn_inithead((void **)&kt
->pfrkt_ip4
,
1942 offsetof(struct sockaddr_in
, sin_addr
) * 8) ||
1943 !rn_inithead((void **)&kt
->pfrkt_ip6
,
1944 offsetof(struct sockaddr_in6
, sin6_addr
) * 8)) {
1945 pfr_destroy_ktable(kt
, 0);
1948 kt
->pfrkt_tzero
= tzero
;
1954 pfr_destroy_ktables(struct pfr_ktableworkq
*workq
, int flushaddr
)
1956 struct pfr_ktable
*p
, *q
;
1958 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1960 for (p
= SLIST_FIRST(workq
); p
; p
= q
) {
1961 q
= SLIST_NEXT(p
, pfrkt_workq
);
1962 pfr_destroy_ktable(p
, flushaddr
);
1967 pfr_destroy_ktable(struct pfr_ktable
*kt
, int flushaddr
)
1969 struct pfr_kentryworkq addrq
;
1971 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1974 pfr_enqueue_addrs(kt
, &addrq
, NULL
, 0);
1975 pfr_clean_node_mask(kt
, &addrq
);
1976 pfr_destroy_kentries(&addrq
);
1978 if (kt
->pfrkt_ip4
!= NULL
)
1979 _FREE((caddr_t
)kt
->pfrkt_ip4
, M_RTABLE
);
1980 if (kt
->pfrkt_ip6
!= NULL
)
1981 _FREE((caddr_t
)kt
->pfrkt_ip6
, M_RTABLE
);
1982 if (kt
->pfrkt_shadow
!= NULL
)
1983 pfr_destroy_ktable(kt
->pfrkt_shadow
, flushaddr
);
1984 if (kt
->pfrkt_rs
!= NULL
) {
1985 kt
->pfrkt_rs
->tables
--;
1986 pf_remove_if_empty_ruleset(kt
->pfrkt_rs
);
1988 pool_put(&pfr_ktable_pl
, kt
);
1992 pfr_ktable_compare(struct pfr_ktable
*p
, struct pfr_ktable
*q
)
1996 if ((d
= strncmp(p
->pfrkt_name
, q
->pfrkt_name
, PF_TABLE_NAME_SIZE
)))
1998 return (strcmp(p
->pfrkt_anchor
, q
->pfrkt_anchor
));
2001 static struct pfr_ktable
*
2002 pfr_lookup_table(struct pfr_table
*tbl
)
2004 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
2006 /* struct pfr_ktable start like a struct pfr_table */
2007 return (RB_FIND(pfr_ktablehead
, &pfr_ktables
,
2008 (struct pfr_ktable
*)(void *)tbl
));
2012 pfr_match_addr(struct pfr_ktable
*kt
, struct pf_addr
*a
, sa_family_t af
)
2014 struct pfr_kentry
*ke
= NULL
;
2017 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
2019 if (!(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
) && kt
->pfrkt_root
!= NULL
)
2020 kt
= kt
->pfrkt_root
;
2021 if (!(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
2027 pfr_sin
.sin_addr
.s_addr
= a
->addr32
[0];
2028 ke
= (struct pfr_kentry
*)rn_match(&pfr_sin
, kt
->pfrkt_ip4
);
2029 if (ke
&& KENTRY_RNF_ROOT(ke
))
2035 bcopy(a
, &pfr_sin6
.sin6_addr
, sizeof (pfr_sin6
.sin6_addr
));
2036 ke
= (struct pfr_kentry
*)rn_match(&pfr_sin6
, kt
->pfrkt_ip6
);
2037 if (ke
&& KENTRY_RNF_ROOT(ke
))
2042 match
= (ke
&& !ke
->pfrke_not
);
2046 kt
->pfrkt_nomatch
++;
2051 pfr_update_stats(struct pfr_ktable
*kt
, struct pf_addr
*a
, sa_family_t af
,
2052 u_int64_t len
, int dir_out
, int op_pass
, int notrule
)
2054 struct pfr_kentry
*ke
= NULL
;
2056 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
2058 if (!(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
) && kt
->pfrkt_root
!= NULL
)
2059 kt
= kt
->pfrkt_root
;
2060 if (!(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
2066 pfr_sin
.sin_addr
.s_addr
= a
->addr32
[0];
2067 ke
= (struct pfr_kentry
*)rn_match(&pfr_sin
, kt
->pfrkt_ip4
);
2068 if (ke
&& KENTRY_RNF_ROOT(ke
))
2074 bcopy(a
, &pfr_sin6
.sin6_addr
, sizeof (pfr_sin6
.sin6_addr
));
2075 ke
= (struct pfr_kentry
*)rn_match(&pfr_sin6
, kt
->pfrkt_ip6
);
2076 if (ke
&& KENTRY_RNF_ROOT(ke
))
2083 if ((ke
== NULL
|| ke
->pfrke_not
) != notrule
) {
2084 if (op_pass
!= PFR_OP_PASS
)
2085 printf("pfr_update_stats: assertion failed.\n");
2086 op_pass
= PFR_OP_XPASS
;
2088 kt
->pfrkt_packets
[dir_out
][op_pass
]++;
2089 kt
->pfrkt_bytes
[dir_out
][op_pass
] += len
;
2090 if (ke
!= NULL
&& op_pass
!= PFR_OP_XPASS
) {
2091 ke
->pfrke_packets
[dir_out
][op_pass
]++;
2092 ke
->pfrke_bytes
[dir_out
][op_pass
] += len
;
2097 pfr_attach_table(struct pf_ruleset
*rs
, char *name
)
2099 struct pfr_ktable
*kt
, *rt
;
2100 struct pfr_table tbl
;
2101 struct pf_anchor
*ac
= rs
->anchor
;
2103 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
2105 bzero(&tbl
, sizeof (tbl
));
2106 strlcpy(tbl
.pfrt_name
, name
, sizeof (tbl
.pfrt_name
));
2108 strlcpy(tbl
.pfrt_anchor
, ac
->path
, sizeof (tbl
.pfrt_anchor
));
2109 kt
= pfr_lookup_table(&tbl
);
2111 kt
= pfr_create_ktable(&tbl
, pf_calendar_time_second(), 1);
2115 bzero(tbl
.pfrt_anchor
, sizeof (tbl
.pfrt_anchor
));
2116 rt
= pfr_lookup_table(&tbl
);
2118 rt
= pfr_create_ktable(&tbl
, 0, 1);
2120 pfr_destroy_ktable(kt
, 0);
2123 pfr_insert_ktable(rt
);
2125 kt
->pfrkt_root
= rt
;
2127 pfr_insert_ktable(kt
);
2129 if (!kt
->pfrkt_refcnt
[PFR_REFCNT_RULE
]++)
2130 pfr_setflags_ktable(kt
, kt
->pfrkt_flags
|PFR_TFLAG_REFERENCED
);
2135 pfr_detach_table(struct pfr_ktable
*kt
)
2137 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
2139 if (kt
->pfrkt_refcnt
[PFR_REFCNT_RULE
] <= 0)
2140 printf("pfr_detach_table: refcount = %d.\n",
2141 kt
->pfrkt_refcnt
[PFR_REFCNT_RULE
]);
2142 else if (!--kt
->pfrkt_refcnt
[PFR_REFCNT_RULE
])
2143 pfr_setflags_ktable(kt
, kt
->pfrkt_flags
&~PFR_TFLAG_REFERENCED
);
2147 pfr_pool_get(struct pfr_ktable
*kt
, int *pidx
, struct pf_addr
*counter
,
2148 struct pf_addr
**raddr
, struct pf_addr
**rmask
, sa_family_t af
)
2150 struct pfr_kentry
*ke
, *ke2
;
2151 struct pf_addr
*addr
;
2152 union sockaddr_union mask
;
2153 int idx
= -1, use_counter
= 0;
2155 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
2158 addr
= (struct pf_addr
*)&pfr_sin
.sin_addr
;
2159 else if (af
== AF_INET6
)
2160 addr
= (struct pf_addr
*)&pfr_sin6
.sin6_addr
;
2164 if (!(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
) && kt
->pfrkt_root
!= NULL
)
2165 kt
= kt
->pfrkt_root
;
2166 if (!(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
2171 if (counter
!= NULL
&& idx
>= 0)
2177 ke
= pfr_kentry_byidx(kt
, idx
, af
);
2179 kt
->pfrkt_nomatch
++;
2182 pfr_prepare_network(&pfr_mask
, af
, ke
->pfrke_net
);
2183 *raddr
= SUNION2PF(&ke
->pfrke_sa
, af
);
2184 *rmask
= SUNION2PF(&pfr_mask
, af
);
2187 /* is supplied address within block? */
2188 if (!PF_MATCHA(0, *raddr
, *rmask
, counter
, af
)) {
2189 /* no, go to next block in table */
2194 PF_ACPY(addr
, counter
, af
);
2196 /* use first address of block */
2197 PF_ACPY(addr
, *raddr
, af
);
2200 if (!KENTRY_NETWORK(ke
)) {
2201 /* this is a single IP address - no possible nested block */
2202 PF_ACPY(counter
, addr
, af
);
2208 /* we don't want to use a nested block */
2210 ke2
= (struct pfr_kentry
*)rn_match(&pfr_sin
,
2212 else if (af
== AF_INET6
)
2213 ke2
= (struct pfr_kentry
*)rn_match(&pfr_sin6
,
2216 return (-1); /* never happens */
2217 /* no need to check KENTRY_RNF_ROOT() here */
2219 /* lookup return the same block - perfect */
2220 PF_ACPY(counter
, addr
, af
);
2226 /* we need to increase the counter past the nested block */
2227 pfr_prepare_network(&mask
, AF_INET
, ke2
->pfrke_net
);
2228 PF_POOLMASK(addr
, addr
, SUNION2PF(&mask
, af
), &pfr_ffaddr
, af
);
2230 if (!PF_MATCHA(0, *raddr
, *rmask
, addr
, af
)) {
2231 /* ok, we reached the end of our main block */
2232 /* go to next block in table */
2240 static struct pfr_kentry
*
2241 pfr_kentry_byidx(struct pfr_ktable
*kt
, int idx
, int af
)
2243 struct pfr_walktree w
;
2245 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
2247 bzero(&w
, sizeof (w
));
2248 w
.pfrw_op
= PFRW_POOL_GET
;
2254 (void) kt
->pfrkt_ip4
->rnh_walktree(kt
->pfrkt_ip4
,
2256 return (w
.pfrw_kentry
);
2260 (void) kt
->pfrkt_ip6
->rnh_walktree(kt
->pfrkt_ip6
,
2262 return (w
.pfrw_kentry
);
2270 pfr_dynaddr_update(struct pfr_ktable
*kt
, struct pfi_dynaddr
*dyn
)
2272 struct pfr_walktree w
;
2274 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
2276 bzero(&w
, sizeof (w
));
2277 w
.pfrw_op
= PFRW_DYNADDR_UPDATE
;
2280 dyn
->pfid_acnt4
= 0;
2281 dyn
->pfid_acnt6
= 0;
2282 if (!dyn
->pfid_af
|| dyn
->pfid_af
== AF_INET
)
2283 (void) kt
->pfrkt_ip4
->rnh_walktree(kt
->pfrkt_ip4
,
2285 if (!dyn
->pfid_af
|| dyn
->pfid_af
== AF_INET6
)
2286 (void) kt
->pfrkt_ip6
->rnh_walktree(kt
->pfrkt_ip6
,
projects / apple / xnu.git / blob