2 * Copyright (c) 2008 Apple Inc. All rights reserved.
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
29 /* $apfw: pf_table.c,v 1.4 2008/08/27 00:01:32 jhw Exp $ */
30 /* $OpenBSD: pf_table.c,v 1.68 2006/05/02 10:08:45 dhartmei Exp $ */
33 * Copyright (c) 2002 Cedric Berger
34 * All rights reserved.
36 * Redistribution and use in source and binary forms, with or without
37 * modification, are permitted provided that the following conditions
40 * - Redistributions of source code must retain the above copyright
41 * notice, this list of conditions and the following disclaimer.
42 * - Redistributions in binary form must reproduce the above
43 * copyright notice, this list of conditions and the following
44 * disclaimer in the documentation and/or other materials provided
45 * with the distribution.
47 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
48 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
49 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
50 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
51 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
52 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
53 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
54 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
55 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
56 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
57 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
58 * POSSIBILITY OF SUCH DAMAGE.
62 #include <sys/param.h>
63 #include <sys/systm.h>
64 #include <sys/socket.h>
66 #include <sys/kernel.h>
67 #include <sys/malloc.h>
70 #include <net/route.h>
71 #include <netinet/in.h>
72 #include <net/radix.h>
73 #include <net/pfvar.h>
75 #define ACCEPT_FLAGS(flags, oklist) \
77 if ((flags & ~(oklist)) & \
82 #define COPYIN(from, to, size, flags) \
83 ((flags & PFR_FLAG_USERIOCTL) ? \
84 copyin(CAST_USER_ADDR_T(from), (to), (size)) : \
85 (bcopy((from), (to), (size)), 0))
87 #define COPYOUT(from, to, size, flags) \
88 ((flags & PFR_FLAG_USERIOCTL) ? \
89 copyout((from), CAST_USER_ADDR_T(to), (size)) : \
90 (bcopy((from), (to), (size)), 0))
92 #define FILLIN_SIN(sin, addr) \
94 (sin).sin_len = sizeof (sin); \
95 (sin).sin_family = AF_INET; \
96 (sin).sin_addr = (addr); \
99 #define FILLIN_SIN6(sin6, addr) \
101 (sin6).sin6_len = sizeof (sin6); \
102 (sin6).sin6_family = AF_INET6; \
103 (sin6).sin6_addr = (addr); \
106 #define SWAP(type, a1, a2) \
113 #define SUNION2PF(su, af) (((af) == AF_INET) ? \
114 (struct pf_addr *)&(su)->sin.sin_addr : \
115 (struct pf_addr *)&(su)->sin6.sin6_addr)
117 #define AF_BITS(af) (((af) == AF_INET) ? 32 : 128)
118 #define ADDR_NETWORK(ad) ((ad)->pfra_net < AF_BITS((ad)->pfra_af))
119 #define KENTRY_NETWORK(ke) ((ke)->pfrke_net < AF_BITS((ke)->pfrke_af))
120 #define KENTRY_RNF_ROOT(ke) \
121 ((((struct radix_node *)(ke))->rn_flags & RNF_ROOT) != 0)
123 #define NO_ADDRESSES (-1)
124 #define ENQUEUE_UNMARKED_ONLY (1)
125 #define INVERT_NEG_FLAG (1)
127 struct pfr_walktree
{
138 struct pfr_addr
*pfrw1_addr
;
139 struct pfr_astats
*pfrw1_astats
;
140 struct pfr_kentryworkq
*pfrw1_workq
;
141 struct pfr_kentry
*pfrw1_kentry
;
142 struct pfi_dynaddr
*pfrw1_dyn
;
147 #define pfrw_addr pfrw_1.pfrw1_addr
148 #define pfrw_astats pfrw_1.pfrw1_astats
149 #define pfrw_workq pfrw_1.pfrw1_workq
150 #define pfrw_kentry pfrw_1.pfrw1_kentry
151 #define pfrw_dyn pfrw_1.pfrw1_dyn
152 #define pfrw_cnt pfrw_free
154 #define senderr(e) do { rv = (e); goto _bad; } while (0)
156 struct pool pfr_ktable_pl
;
157 struct pool pfr_kentry_pl
;
159 static struct pool pfr_kentry_pl2
;
160 static struct sockaddr_in pfr_sin
;
161 static struct sockaddr_in6 pfr_sin6
;
162 static union sockaddr_union pfr_mask
;
163 static struct pf_addr pfr_ffaddr
;
165 static void pfr_copyout_addr(struct pfr_addr
*, struct pfr_kentry
*ke
);
166 static int pfr_validate_addr(struct pfr_addr
*);
167 static void pfr_enqueue_addrs(struct pfr_ktable
*, struct pfr_kentryworkq
*,
169 static void pfr_mark_addrs(struct pfr_ktable
*);
170 static struct pfr_kentry
*pfr_lookup_addr(struct pfr_ktable
*,
171 struct pfr_addr
*, int);
172 static struct pfr_kentry
*pfr_create_kentry(struct pfr_addr
*, int);
173 static void pfr_destroy_kentries(struct pfr_kentryworkq
*);
174 static void pfr_destroy_kentry(struct pfr_kentry
*);
175 static void pfr_insert_kentries(struct pfr_ktable
*,
176 struct pfr_kentryworkq
*, u_int64_t
);
177 static void pfr_remove_kentries(struct pfr_ktable
*, struct pfr_kentryworkq
*);
178 static void pfr_clstats_kentries(struct pfr_kentryworkq
*, u_int64_t
, int);
179 static void pfr_reset_feedback(struct pfr_addr
*, int, int);
180 static void pfr_prepare_network(union sockaddr_union
*, int, int);
181 static int pfr_route_kentry(struct pfr_ktable
*, struct pfr_kentry
*);
182 static int pfr_unroute_kentry(struct pfr_ktable
*, struct pfr_kentry
*);
183 static int pfr_walktree(struct radix_node
*, void *);
184 static int pfr_validate_table(struct pfr_table
*, int, int);
185 static int pfr_fix_anchor(char *);
186 static void pfr_commit_ktable(struct pfr_ktable
*, u_int64_t
);
187 static void pfr_insert_ktables(struct pfr_ktableworkq
*);
188 static void pfr_insert_ktable(struct pfr_ktable
*);
189 static void pfr_setflags_ktables(struct pfr_ktableworkq
*);
190 static void pfr_setflags_ktable(struct pfr_ktable
*, int);
191 static void pfr_clstats_ktables(struct pfr_ktableworkq
*, u_int64_t
, int);
192 static void pfr_clstats_ktable(struct pfr_ktable
*, u_int64_t
, int);
193 static struct pfr_ktable
*pfr_create_ktable(struct pfr_table
*, u_int64_t
, int);
194 static void pfr_destroy_ktables(struct pfr_ktableworkq
*, int);
195 static void pfr_destroy_ktable(struct pfr_ktable
*, int);
196 static int pfr_ktable_compare(struct pfr_ktable
*, struct pfr_ktable
*);
197 static struct pfr_ktable
*pfr_lookup_table(struct pfr_table
*);
198 static void pfr_clean_node_mask(struct pfr_ktable
*, struct pfr_kentryworkq
*);
199 static int pfr_table_count(struct pfr_table
*, int);
200 static int pfr_skip_table(struct pfr_table
*, struct pfr_ktable
*, int);
201 static struct pfr_kentry
*pfr_kentry_byidx(struct pfr_ktable
*, int, int);
203 RB_PROTOTYPE_SC(static, pfr_ktablehead
, pfr_ktable
, pfrkt_tree
,
205 RB_GENERATE(pfr_ktablehead
, pfr_ktable
, pfrkt_tree
, pfr_ktable_compare
);
207 static struct pfr_ktablehead pfr_ktables
;
208 static struct pfr_table pfr_nulltable
;
209 static int pfr_ktable_cnt
;
214 pool_init(&pfr_ktable_pl
, sizeof (struct pfr_ktable
), 0, 0, 0,
216 pool_init(&pfr_kentry_pl
, sizeof (struct pfr_kentry
), 0, 0, 0,
218 pool_init(&pfr_kentry_pl2
, sizeof (struct pfr_kentry
), 0, 0, 0,
221 pfr_sin
.sin_len
= sizeof (pfr_sin
);
222 pfr_sin
.sin_family
= AF_INET
;
223 pfr_sin6
.sin6_len
= sizeof (pfr_sin6
);
224 pfr_sin6
.sin6_family
= AF_INET6
;
226 memset(&pfr_ffaddr
, 0xff, sizeof (pfr_ffaddr
));
233 pool_destroy(&pfr_ktable_pl
);
234 pool_destroy(&pfr_kentry_pl
);
235 pool_destroy(&pfr_kentry_pl2
);
240 pfr_clr_addrs(struct pfr_table
*tbl
, int *ndel
, int flags
)
242 struct pfr_ktable
*kt
;
243 struct pfr_kentryworkq workq
;
245 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
);
246 if (pfr_validate_table(tbl
, 0, flags
& PFR_FLAG_USERIOCTL
))
248 kt
= pfr_lookup_table(tbl
);
249 if (kt
== NULL
|| !(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
251 if (kt
->pfrkt_flags
& PFR_TFLAG_CONST
)
253 pfr_enqueue_addrs(kt
, &workq
, ndel
, 0);
255 if (!(flags
& PFR_FLAG_DUMMY
)) {
256 pfr_remove_kentries(kt
, &workq
);
258 printf("pfr_clr_addrs: corruption detected (%d).\n",
267 pfr_add_addrs(struct pfr_table
*tbl
, struct pfr_addr
*addr
, int size
,
268 int *nadd
, int flags
)
270 struct pfr_ktable
*kt
, *tmpkt
;
271 struct pfr_kentryworkq workq
;
272 struct pfr_kentry
*p
, *q
;
275 u_int64_t tzero
= pf_time_second();
277 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
|
279 if (pfr_validate_table(tbl
, 0, flags
& PFR_FLAG_USERIOCTL
))
281 kt
= pfr_lookup_table(tbl
);
282 if (kt
== NULL
|| !(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
284 if (kt
->pfrkt_flags
& PFR_TFLAG_CONST
)
286 tmpkt
= pfr_create_ktable(&pfr_nulltable
, 0, 0);
290 for (i
= 0; i
< size
; i
++) {
291 if (COPYIN(addr
+i
, &ad
, sizeof (ad
), flags
))
293 if (pfr_validate_addr(&ad
))
295 p
= pfr_lookup_addr(kt
, &ad
, 1);
296 q
= pfr_lookup_addr(tmpkt
, &ad
, 1);
297 if (flags
& PFR_FLAG_FEEDBACK
) {
299 ad
.pfra_fback
= PFR_FB_DUPLICATE
;
301 ad
.pfra_fback
= PFR_FB_ADDED
;
302 else if (p
->pfrke_not
!= ad
.pfra_not
)
303 ad
.pfra_fback
= PFR_FB_CONFLICT
;
305 ad
.pfra_fback
= PFR_FB_NONE
;
307 if (p
== NULL
&& q
== NULL
) {
308 p
= pfr_create_kentry(&ad
,
309 !(flags
& PFR_FLAG_USERIOCTL
));
312 if (pfr_route_kentry(tmpkt
, p
)) {
313 pfr_destroy_kentry(p
);
314 ad
.pfra_fback
= PFR_FB_NONE
;
316 SLIST_INSERT_HEAD(&workq
, p
, pfrke_workq
);
320 if (flags
& PFR_FLAG_FEEDBACK
)
321 if (COPYOUT(&ad
, addr
+i
, sizeof (ad
), flags
))
324 pfr_clean_node_mask(tmpkt
, &workq
);
325 if (!(flags
& PFR_FLAG_DUMMY
)) {
326 pfr_insert_kentries(kt
, &workq
, tzero
);
328 pfr_destroy_kentries(&workq
);
331 pfr_destroy_ktable(tmpkt
, 0);
334 pfr_clean_node_mask(tmpkt
, &workq
);
335 pfr_destroy_kentries(&workq
);
336 if (flags
& PFR_FLAG_FEEDBACK
)
337 pfr_reset_feedback(addr
, size
, flags
);
338 pfr_destroy_ktable(tmpkt
, 0);
343 pfr_del_addrs(struct pfr_table
*tbl
, struct pfr_addr
*addr
, int size
,
344 int *ndel
, int flags
)
346 struct pfr_ktable
*kt
;
347 struct pfr_kentryworkq workq
;
348 struct pfr_kentry
*p
;
350 int i
, rv
, xdel
= 0, log
= 1;
352 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
|
354 if (pfr_validate_table(tbl
, 0, flags
& PFR_FLAG_USERIOCTL
))
356 kt
= pfr_lookup_table(tbl
);
357 if (kt
== NULL
|| !(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
359 if (kt
->pfrkt_flags
& PFR_TFLAG_CONST
)
362 * there are two algorithms to choose from here.
364 * n: number of addresses to delete
365 * N: number of addresses in the table
367 * one is O(N) and is better for large 'n'
368 * one is O(n*LOG(N)) and is better for small 'n'
370 * following code try to decide which one is best.
372 for (i
= kt
->pfrkt_cnt
; i
> 0; i
>>= 1)
374 if (size
> kt
->pfrkt_cnt
/log
) {
375 /* full table scan */
378 /* iterate over addresses to delete */
379 for (i
= 0; i
< size
; i
++) {
380 if (COPYIN(addr
+i
, &ad
, sizeof (ad
), flags
))
382 if (pfr_validate_addr(&ad
))
384 p
= pfr_lookup_addr(kt
, &ad
, 1);
390 for (i
= 0; i
< size
; i
++) {
391 if (COPYIN(addr
+i
, &ad
, sizeof (ad
), flags
))
393 if (pfr_validate_addr(&ad
))
395 p
= pfr_lookup_addr(kt
, &ad
, 1);
396 if (flags
& PFR_FLAG_FEEDBACK
) {
398 ad
.pfra_fback
= PFR_FB_NONE
;
399 else if (p
->pfrke_not
!= ad
.pfra_not
)
400 ad
.pfra_fback
= PFR_FB_CONFLICT
;
401 else if (p
->pfrke_mark
)
402 ad
.pfra_fback
= PFR_FB_DUPLICATE
;
404 ad
.pfra_fback
= PFR_FB_DELETED
;
406 if (p
!= NULL
&& p
->pfrke_not
== ad
.pfra_not
&&
409 SLIST_INSERT_HEAD(&workq
, p
, pfrke_workq
);
412 if (flags
& PFR_FLAG_FEEDBACK
)
413 if (COPYOUT(&ad
, addr
+i
, sizeof (ad
), flags
))
416 if (!(flags
& PFR_FLAG_DUMMY
)) {
417 pfr_remove_kentries(kt
, &workq
);
423 if (flags
& PFR_FLAG_FEEDBACK
)
424 pfr_reset_feedback(addr
, size
, flags
);
429 pfr_set_addrs(struct pfr_table
*tbl
, struct pfr_addr
*addr
, int size
,
430 int *size2
, int *nadd
, int *ndel
, int *nchange
, int flags
,
431 u_int32_t ignore_pfrt_flags
)
433 struct pfr_ktable
*kt
, *tmpkt
;
434 struct pfr_kentryworkq addq
, delq
, changeq
;
435 struct pfr_kentry
*p
, *q
;
437 int i
, rv
, xadd
= 0, xdel
= 0, xchange
= 0;
438 u_int64_t tzero
= pf_time_second();
440 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
|
442 if (pfr_validate_table(tbl
, ignore_pfrt_flags
, flags
&
445 kt
= pfr_lookup_table(tbl
);
446 if (kt
== NULL
|| !(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
448 if (kt
->pfrkt_flags
& PFR_TFLAG_CONST
)
450 tmpkt
= pfr_create_ktable(&pfr_nulltable
, 0, 0);
456 SLIST_INIT(&changeq
);
457 for (i
= 0; i
< size
; i
++) {
458 if (COPYIN(addr
+i
, &ad
, sizeof (ad
), flags
))
460 if (pfr_validate_addr(&ad
))
462 ad
.pfra_fback
= PFR_FB_NONE
;
463 p
= pfr_lookup_addr(kt
, &ad
, 1);
466 ad
.pfra_fback
= PFR_FB_DUPLICATE
;
470 if (p
->pfrke_not
!= ad
.pfra_not
) {
471 SLIST_INSERT_HEAD(&changeq
, p
, pfrke_workq
);
472 ad
.pfra_fback
= PFR_FB_CHANGED
;
476 q
= pfr_lookup_addr(tmpkt
, &ad
, 1);
478 ad
.pfra_fback
= PFR_FB_DUPLICATE
;
481 p
= pfr_create_kentry(&ad
,
482 !(flags
& PFR_FLAG_USERIOCTL
));
485 if (pfr_route_kentry(tmpkt
, p
)) {
486 pfr_destroy_kentry(p
);
487 ad
.pfra_fback
= PFR_FB_NONE
;
489 SLIST_INSERT_HEAD(&addq
, p
, pfrke_workq
);
490 ad
.pfra_fback
= PFR_FB_ADDED
;
495 if (flags
& PFR_FLAG_FEEDBACK
)
496 if (COPYOUT(&ad
, addr
+i
, sizeof (ad
), flags
))
499 pfr_enqueue_addrs(kt
, &delq
, &xdel
, ENQUEUE_UNMARKED_ONLY
);
500 if ((flags
& PFR_FLAG_FEEDBACK
) && *size2
) {
501 if (*size2
< size
+xdel
) {
506 SLIST_FOREACH(p
, &delq
, pfrke_workq
) {
507 pfr_copyout_addr(&ad
, p
);
508 ad
.pfra_fback
= PFR_FB_DELETED
;
509 if (COPYOUT(&ad
, addr
+size
+i
, sizeof (ad
), flags
))
514 pfr_clean_node_mask(tmpkt
, &addq
);
515 if (!(flags
& PFR_FLAG_DUMMY
)) {
516 pfr_insert_kentries(kt
, &addq
, tzero
);
517 pfr_remove_kentries(kt
, &delq
);
518 pfr_clstats_kentries(&changeq
, tzero
, INVERT_NEG_FLAG
);
520 pfr_destroy_kentries(&addq
);
527 if ((flags
& PFR_FLAG_FEEDBACK
) && size2
)
529 pfr_destroy_ktable(tmpkt
, 0);
532 pfr_clean_node_mask(tmpkt
, &addq
);
533 pfr_destroy_kentries(&addq
);
534 if (flags
& PFR_FLAG_FEEDBACK
)
535 pfr_reset_feedback(addr
, size
, flags
);
536 pfr_destroy_ktable(tmpkt
, 0);
541 pfr_tst_addrs(struct pfr_table
*tbl
, struct pfr_addr
*addr
, int size
,
542 int *nmatch
, int flags
)
544 struct pfr_ktable
*kt
;
545 struct pfr_kentry
*p
;
549 ACCEPT_FLAGS(flags
, PFR_FLAG_REPLACE
);
550 if (pfr_validate_table(tbl
, 0, 0))
552 kt
= pfr_lookup_table(tbl
);
553 if (kt
== NULL
|| !(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
556 for (i
= 0; i
< size
; i
++) {
557 if (COPYIN(addr
+i
, &ad
, sizeof (ad
), flags
))
559 if (pfr_validate_addr(&ad
))
561 if (ADDR_NETWORK(&ad
))
563 p
= pfr_lookup_addr(kt
, &ad
, 0);
564 if (flags
& PFR_FLAG_REPLACE
)
565 pfr_copyout_addr(&ad
, p
);
566 ad
.pfra_fback
= (p
== NULL
) ? PFR_FB_NONE
:
567 (p
->pfrke_not
? PFR_FB_NOTMATCH
: PFR_FB_MATCH
);
568 if (p
!= NULL
&& !p
->pfrke_not
)
570 if (COPYOUT(&ad
, addr
+i
, sizeof (ad
), flags
))
579 pfr_get_addrs(struct pfr_table
*tbl
, struct pfr_addr
*addr
, int *size
,
582 struct pfr_ktable
*kt
;
583 struct pfr_walktree w
;
586 ACCEPT_FLAGS(flags
, 0);
587 if (pfr_validate_table(tbl
, 0, 0))
589 kt
= pfr_lookup_table(tbl
);
590 if (kt
== NULL
|| !(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
592 if (kt
->pfrkt_cnt
> *size
) {
593 *size
= kt
->pfrkt_cnt
;
597 bzero(&w
, sizeof (w
));
598 w
.pfrw_op
= PFRW_GET_ADDRS
;
600 w
.pfrw_free
= kt
->pfrkt_cnt
;
601 w
.pfrw_flags
= flags
;
602 rv
= kt
->pfrkt_ip4
->rnh_walktree(kt
->pfrkt_ip4
, pfr_walktree
, &w
);
604 rv
= kt
->pfrkt_ip6
->rnh_walktree(kt
->pfrkt_ip6
,
610 printf("pfr_get_addrs: corruption detected (%d).\n",
614 *size
= kt
->pfrkt_cnt
;
619 pfr_get_astats(struct pfr_table
*tbl
, struct pfr_astats
*addr
, int *size
,
622 struct pfr_ktable
*kt
;
623 struct pfr_walktree w
;
624 struct pfr_kentryworkq workq
;
626 u_int64_t tzero
= pf_time_second();
628 /* XXX PFR_FLAG_CLSTATS disabled */
629 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
);
630 if (pfr_validate_table(tbl
, 0, 0))
632 kt
= pfr_lookup_table(tbl
);
633 if (kt
== NULL
|| !(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
635 if (kt
->pfrkt_cnt
> *size
) {
636 *size
= kt
->pfrkt_cnt
;
640 bzero(&w
, sizeof (w
));
641 w
.pfrw_op
= PFRW_GET_ASTATS
;
642 w
.pfrw_astats
= addr
;
643 w
.pfrw_free
= kt
->pfrkt_cnt
;
644 w
.pfrw_flags
= flags
;
645 rv
= kt
->pfrkt_ip4
->rnh_walktree(kt
->pfrkt_ip4
, pfr_walktree
, &w
);
647 rv
= kt
->pfrkt_ip6
->rnh_walktree(kt
->pfrkt_ip6
,
649 if (!rv
&& (flags
& PFR_FLAG_CLSTATS
)) {
650 pfr_enqueue_addrs(kt
, &workq
, NULL
, 0);
651 pfr_clstats_kentries(&workq
, tzero
, 0);
657 printf("pfr_get_astats: corruption detected (%d).\n",
661 *size
= kt
->pfrkt_cnt
;
666 pfr_clr_astats(struct pfr_table
*tbl
, struct pfr_addr
*addr
, int size
,
667 int *nzero
, int flags
)
669 struct pfr_ktable
*kt
;
670 struct pfr_kentryworkq workq
;
671 struct pfr_kentry
*p
;
673 int i
, rv
, xzero
= 0;
675 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
|
677 if (pfr_validate_table(tbl
, 0, 0))
679 kt
= pfr_lookup_table(tbl
);
680 if (kt
== NULL
|| !(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
683 for (i
= 0; i
< size
; i
++) {
684 if (COPYIN(addr
+i
, &ad
, sizeof (ad
), flags
))
686 if (pfr_validate_addr(&ad
))
688 p
= pfr_lookup_addr(kt
, &ad
, 1);
689 if (flags
& PFR_FLAG_FEEDBACK
) {
690 ad
.pfra_fback
= (p
!= NULL
) ?
691 PFR_FB_CLEARED
: PFR_FB_NONE
;
692 if (COPYOUT(&ad
, addr
+i
, sizeof (ad
), flags
))
696 SLIST_INSERT_HEAD(&workq
, p
, pfrke_workq
);
701 if (!(flags
& PFR_FLAG_DUMMY
)) {
702 pfr_clstats_kentries(&workq
, 0, 0);
708 if (flags
& PFR_FLAG_FEEDBACK
)
709 pfr_reset_feedback(addr
, size
, flags
);
714 pfr_validate_addr(struct pfr_addr
*ad
)
718 switch (ad
->pfra_af
) {
721 if (ad
->pfra_net
> 32)
727 if (ad
->pfra_net
> 128)
734 if (ad
->pfra_net
< 128 &&
735 (((caddr_t
)ad
)[ad
->pfra_net
/8] & (0xFF >> (ad
->pfra_net%8
))))
737 for (i
= (ad
->pfra_net
+7)/8; i
< (int)sizeof (ad
->pfra_u
); i
++)
738 if (((caddr_t
)ad
)[i
])
740 if (ad
->pfra_not
&& ad
->pfra_not
!= 1)
748 pfr_enqueue_addrs(struct pfr_ktable
*kt
, struct pfr_kentryworkq
*workq
,
749 int *naddr
, int sweep
)
751 struct pfr_walktree w
;
754 bzero(&w
, sizeof (w
));
755 w
.pfrw_op
= sweep
? PFRW_SWEEP
: PFRW_ENQUEUE
;
756 w
.pfrw_workq
= workq
;
757 if (kt
->pfrkt_ip4
!= NULL
)
758 if (kt
->pfrkt_ip4
->rnh_walktree(kt
->pfrkt_ip4
,
760 printf("pfr_enqueue_addrs: IPv4 walktree failed.\n");
761 if (kt
->pfrkt_ip6
!= NULL
)
762 if (kt
->pfrkt_ip6
->rnh_walktree(kt
->pfrkt_ip6
,
764 printf("pfr_enqueue_addrs: IPv6 walktree failed.\n");
770 pfr_mark_addrs(struct pfr_ktable
*kt
)
772 struct pfr_walktree w
;
774 bzero(&w
, sizeof (w
));
775 w
.pfrw_op
= PFRW_MARK
;
776 if (kt
->pfrkt_ip4
->rnh_walktree(kt
->pfrkt_ip4
, pfr_walktree
, &w
))
777 printf("pfr_mark_addrs: IPv4 walktree failed.\n");
778 if (kt
->pfrkt_ip6
->rnh_walktree(kt
->pfrkt_ip6
, pfr_walktree
, &w
))
779 printf("pfr_mark_addrs: IPv6 walktree failed.\n");
784 pfr_lookup_addr(struct pfr_ktable
*kt
, struct pfr_addr
*ad
, int exact
)
786 union sockaddr_union sa
, mask
;
787 struct radix_node_head
*head
;
788 struct pfr_kentry
*ke
;
790 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
792 bzero(&sa
, sizeof (sa
));
793 if (ad
->pfra_af
== AF_INET
) {
794 FILLIN_SIN(sa
.sin
, ad
->pfra_ip4addr
);
795 head
= kt
->pfrkt_ip4
;
796 } else if (ad
->pfra_af
== AF_INET6
) {
797 FILLIN_SIN6(sa
.sin6
, ad
->pfra_ip6addr
);
798 head
= kt
->pfrkt_ip6
;
802 if (ADDR_NETWORK(ad
)) {
803 pfr_prepare_network(&mask
, ad
->pfra_af
, ad
->pfra_net
);
804 ke
= (struct pfr_kentry
*)rn_lookup(&sa
, &mask
, head
);
805 if (ke
&& KENTRY_RNF_ROOT(ke
))
808 ke
= (struct pfr_kentry
*)rn_match(&sa
, head
);
809 if (ke
&& KENTRY_RNF_ROOT(ke
))
811 if (exact
&& ke
&& KENTRY_NETWORK(ke
))
818 pfr_create_kentry(struct pfr_addr
*ad
, int intr
)
820 struct pfr_kentry
*ke
;
823 ke
= pool_get(&pfr_kentry_pl2
, PR_WAITOK
);
825 ke
= pool_get(&pfr_kentry_pl
, PR_WAITOK
);
828 bzero(ke
, sizeof (*ke
));
830 if (ad
->pfra_af
== AF_INET
)
831 FILLIN_SIN(ke
->pfrke_sa
.sin
, ad
->pfra_ip4addr
);
832 else if (ad
->pfra_af
== AF_INET6
)
833 FILLIN_SIN6(ke
->pfrke_sa
.sin6
, ad
->pfra_ip6addr
);
834 ke
->pfrke_af
= ad
->pfra_af
;
835 ke
->pfrke_net
= ad
->pfra_net
;
836 ke
->pfrke_not
= ad
->pfra_not
;
837 ke
->pfrke_intrpool
= intr
;
842 pfr_destroy_kentries(struct pfr_kentryworkq
*workq
)
844 struct pfr_kentry
*p
, *q
;
846 for (p
= SLIST_FIRST(workq
); p
!= NULL
; p
= q
) {
847 q
= SLIST_NEXT(p
, pfrke_workq
);
848 pfr_destroy_kentry(p
);
853 pfr_destroy_kentry(struct pfr_kentry
*ke
)
855 if (ke
->pfrke_intrpool
)
856 pool_put(&pfr_kentry_pl2
, ke
);
858 pool_put(&pfr_kentry_pl
, ke
);
862 pfr_insert_kentries(struct pfr_ktable
*kt
,
863 struct pfr_kentryworkq
*workq
, u_int64_t tzero
)
865 struct pfr_kentry
*p
;
868 SLIST_FOREACH(p
, workq
, pfrke_workq
) {
869 rv
= pfr_route_kentry(kt
, p
);
871 printf("pfr_insert_kentries: cannot route entry "
875 p
->pfrke_tzero
= tzero
;
882 pfr_insert_kentry(struct pfr_ktable
*kt
, struct pfr_addr
*ad
, u_int64_t tzero
)
884 struct pfr_kentry
*p
;
887 p
= pfr_lookup_addr(kt
, ad
, 1);
890 p
= pfr_create_kentry(ad
, 1);
894 rv
= pfr_route_kentry(kt
, p
);
898 p
->pfrke_tzero
= tzero
;
905 pfr_remove_kentries(struct pfr_ktable
*kt
,
906 struct pfr_kentryworkq
*workq
)
908 struct pfr_kentry
*p
;
911 SLIST_FOREACH(p
, workq
, pfrke_workq
) {
912 pfr_unroute_kentry(kt
, p
);
916 pfr_destroy_kentries(workq
);
920 pfr_clean_node_mask(struct pfr_ktable
*kt
,
921 struct pfr_kentryworkq
*workq
)
923 struct pfr_kentry
*p
;
925 SLIST_FOREACH(p
, workq
, pfrke_workq
)
926 pfr_unroute_kentry(kt
, p
);
930 pfr_clstats_kentries(struct pfr_kentryworkq
*workq
, u_int64_t tzero
,
933 struct pfr_kentry
*p
;
935 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
937 SLIST_FOREACH(p
, workq
, pfrke_workq
) {
939 p
->pfrke_not
= !p
->pfrke_not
;
940 bzero(p
->pfrke_packets
, sizeof (p
->pfrke_packets
));
941 bzero(p
->pfrke_bytes
, sizeof (p
->pfrke_bytes
));
942 p
->pfrke_tzero
= tzero
;
947 pfr_reset_feedback(struct pfr_addr
*addr
, int size
, int flags
)
952 for (i
= 0; i
< size
; i
++) {
953 if (COPYIN(addr
+i
, &ad
, sizeof (ad
), flags
))
955 ad
.pfra_fback
= PFR_FB_NONE
;
956 if (COPYOUT(&ad
, addr
+i
, sizeof (ad
), flags
))
962 pfr_prepare_network(union sockaddr_union
*sa
, int af
, int net
)
966 bzero(sa
, sizeof (*sa
));
968 sa
->sin
.sin_len
= sizeof (sa
->sin
);
969 sa
->sin
.sin_family
= AF_INET
;
970 sa
->sin
.sin_addr
.s_addr
= net
? htonl(-1 << (32-net
)) : 0;
971 } else if (af
== AF_INET6
) {
972 sa
->sin6
.sin6_len
= sizeof (sa
->sin6
);
973 sa
->sin6
.sin6_family
= AF_INET6
;
974 for (i
= 0; i
< 4; i
++) {
976 sa
->sin6
.sin6_addr
.s6_addr32
[i
] =
977 net
? htonl(-1 << (32-net
)) : 0;
980 sa
->sin6
.sin6_addr
.s6_addr32
[i
] = 0xFFFFFFFF;
987 pfr_route_kentry(struct pfr_ktable
*kt
, struct pfr_kentry
*ke
)
989 union sockaddr_union mask
;
990 struct radix_node
*rn
;
991 struct radix_node_head
*head
;
993 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
995 bzero(ke
->pfrke_node
, sizeof (ke
->pfrke_node
));
996 if (ke
->pfrke_af
== AF_INET
)
997 head
= kt
->pfrkt_ip4
;
998 else if (ke
->pfrke_af
== AF_INET6
)
999 head
= kt
->pfrkt_ip6
;
1003 if (KENTRY_NETWORK(ke
)) {
1004 pfr_prepare_network(&mask
, ke
->pfrke_af
, ke
->pfrke_net
);
1005 rn
= rn_addroute(&ke
->pfrke_sa
, &mask
, head
, ke
->pfrke_node
);
1007 rn
= rn_addroute(&ke
->pfrke_sa
, NULL
, head
, ke
->pfrke_node
);
1009 return (rn
== NULL
? -1 : 0);
1013 pfr_unroute_kentry(struct pfr_ktable
*kt
, struct pfr_kentry
*ke
)
1015 union sockaddr_union mask
;
1016 struct radix_node
*rn
;
1017 struct radix_node_head
*head
;
1019 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1021 if (ke
->pfrke_af
== AF_INET
)
1022 head
= kt
->pfrkt_ip4
;
1023 else if (ke
->pfrke_af
== AF_INET6
)
1024 head
= kt
->pfrkt_ip6
;
1028 if (KENTRY_NETWORK(ke
)) {
1029 pfr_prepare_network(&mask
, ke
->pfrke_af
, ke
->pfrke_net
);
1030 rn
= rn_delete(&ke
->pfrke_sa
, &mask
, head
);
1032 rn
= rn_delete(&ke
->pfrke_sa
, NULL
, head
);
1035 printf("pfr_unroute_kentry: delete failed.\n");
1042 pfr_copyout_addr(struct pfr_addr
*ad
, struct pfr_kentry
*ke
)
1044 bzero(ad
, sizeof (*ad
));
1047 ad
->pfra_af
= ke
->pfrke_af
;
1048 ad
->pfra_net
= ke
->pfrke_net
;
1049 ad
->pfra_not
= ke
->pfrke_not
;
1050 if (ad
->pfra_af
== AF_INET
)
1051 ad
->pfra_ip4addr
= ke
->pfrke_sa
.sin
.sin_addr
;
1052 else if (ad
->pfra_af
== AF_INET6
)
1053 ad
->pfra_ip6addr
= ke
->pfrke_sa
.sin6
.sin6_addr
;
1057 pfr_walktree(struct radix_node
*rn
, void *arg
)
1059 struct pfr_kentry
*ke
= (struct pfr_kentry
*)rn
;
1060 struct pfr_walktree
*w
= arg
;
1061 int flags
= w
->pfrw_flags
;
1063 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1065 switch (w
->pfrw_op
) {
1074 SLIST_INSERT_HEAD(w
->pfrw_workq
, ke
, pfrke_workq
);
1077 case PFRW_GET_ADDRS
:
1078 if (w
->pfrw_free
-- > 0) {
1081 pfr_copyout_addr(&ad
, ke
);
1083 CAST_USER_ADDR_T(w
->pfrw_addr
),
1089 case PFRW_GET_ASTATS
:
1090 if (w
->pfrw_free
-- > 0) {
1091 struct pfr_astats as
;
1093 pfr_copyout_addr(&as
.pfras_a
, ke
);
1095 bcopy(ke
->pfrke_packets
, as
.pfras_packets
,
1096 sizeof (as
.pfras_packets
));
1097 bcopy(ke
->pfrke_bytes
, as
.pfras_bytes
,
1098 sizeof (as
.pfras_bytes
));
1099 as
.pfras_tzero
= ke
->pfrke_tzero
;
1101 if (COPYOUT(&as
, w
->pfrw_astats
, sizeof (as
), flags
))
1108 break; /* negative entries are ignored */
1109 if (!w
->pfrw_cnt
--) {
1110 w
->pfrw_kentry
= ke
;
1111 return (1); /* finish search */
1114 case PFRW_DYNADDR_UPDATE
:
1115 if (ke
->pfrke_af
== AF_INET
) {
1116 if (w
->pfrw_dyn
->pfid_acnt4
++ > 0)
1118 pfr_prepare_network(&pfr_mask
, AF_INET
, ke
->pfrke_net
);
1119 w
->pfrw_dyn
->pfid_addr4
= *SUNION2PF(
1120 &ke
->pfrke_sa
, AF_INET
);
1121 w
->pfrw_dyn
->pfid_mask4
= *SUNION2PF(
1122 &pfr_mask
, AF_INET
);
1123 } else if (ke
->pfrke_af
== AF_INET6
) {
1124 if (w
->pfrw_dyn
->pfid_acnt6
++ > 0)
1126 pfr_prepare_network(&pfr_mask
, AF_INET6
, ke
->pfrke_net
);
1127 w
->pfrw_dyn
->pfid_addr6
= *SUNION2PF(
1128 &ke
->pfrke_sa
, AF_INET6
);
1129 w
->pfrw_dyn
->pfid_mask6
= *SUNION2PF(
1130 &pfr_mask
, AF_INET6
);
1138 pfr_clr_tables(struct pfr_table
*filter
, int *ndel
, int flags
)
1140 struct pfr_ktableworkq workq
;
1141 struct pfr_ktable
*p
;
1144 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1146 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
|
1148 if (pfr_fix_anchor(filter
->pfrt_anchor
))
1150 if (pfr_table_count(filter
, flags
) < 0)
1154 RB_FOREACH(p
, pfr_ktablehead
, &pfr_ktables
) {
1155 if (pfr_skip_table(filter
, p
, flags
))
1157 if (strcmp(p
->pfrkt_anchor
, PF_RESERVED_ANCHOR
) == 0)
1159 if (!(p
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
1161 p
->pfrkt_nflags
= p
->pfrkt_flags
& ~PFR_TFLAG_ACTIVE
;
1162 SLIST_INSERT_HEAD(&workq
, p
, pfrkt_workq
);
1165 if (!(flags
& PFR_FLAG_DUMMY
)) {
1166 pfr_setflags_ktables(&workq
);
1174 pfr_add_tables(struct pfr_table
*tbl
, int size
, int *nadd
, int flags
)
1176 struct pfr_ktableworkq addq
, changeq
;
1177 struct pfr_ktable
*p
, *q
, *r
, key
;
1178 int i
, rv
, xadd
= 0;
1179 u_int64_t tzero
= pf_time_second();
1181 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1183 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
);
1185 SLIST_INIT(&changeq
);
1186 for (i
= 0; i
< size
; i
++) {
1187 if (COPYIN(tbl
+i
, &key
.pfrkt_t
, sizeof (key
.pfrkt_t
), flags
))
1189 if (pfr_validate_table(&key
.pfrkt_t
, PFR_TFLAG_USRMASK
,
1190 flags
& PFR_FLAG_USERIOCTL
))
1192 key
.pfrkt_flags
|= PFR_TFLAG_ACTIVE
;
1193 p
= RB_FIND(pfr_ktablehead
, &pfr_ktables
, &key
);
1195 p
= pfr_create_ktable(&key
.pfrkt_t
, tzero
, 1);
1198 SLIST_FOREACH(q
, &addq
, pfrkt_workq
) {
1199 if (!pfr_ktable_compare(p
, q
))
1202 SLIST_INSERT_HEAD(&addq
, p
, pfrkt_workq
);
1204 if (!key
.pfrkt_anchor
[0])
1207 /* find or create root table */
1208 bzero(key
.pfrkt_anchor
, sizeof (key
.pfrkt_anchor
));
1209 r
= RB_FIND(pfr_ktablehead
, &pfr_ktables
, &key
);
1214 SLIST_FOREACH(q
, &addq
, pfrkt_workq
) {
1215 if (!pfr_ktable_compare(&key
, q
)) {
1220 key
.pfrkt_flags
= 0;
1221 r
= pfr_create_ktable(&key
.pfrkt_t
, 0, 1);
1224 SLIST_INSERT_HEAD(&addq
, r
, pfrkt_workq
);
1226 } else if (!(p
->pfrkt_flags
& PFR_TFLAG_ACTIVE
)) {
1227 SLIST_FOREACH(q
, &changeq
, pfrkt_workq
)
1228 if (!pfr_ktable_compare(&key
, q
))
1230 p
->pfrkt_nflags
= (p
->pfrkt_flags
&
1231 ~PFR_TFLAG_USRMASK
) | key
.pfrkt_flags
;
1232 SLIST_INSERT_HEAD(&changeq
, p
, pfrkt_workq
);
1238 if (!(flags
& PFR_FLAG_DUMMY
)) {
1239 pfr_insert_ktables(&addq
);
1240 pfr_setflags_ktables(&changeq
);
1242 pfr_destroy_ktables(&addq
, 0);
1247 pfr_destroy_ktables(&addq
, 0);
1252 pfr_del_tables(struct pfr_table
*tbl
, int size
, int *ndel
, int flags
)
1254 struct pfr_ktableworkq workq
;
1255 struct pfr_ktable
*p
, *q
, key
;
1258 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1260 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
);
1262 for (i
= 0; i
< size
; i
++) {
1263 if (COPYIN(tbl
+i
, &key
.pfrkt_t
, sizeof (key
.pfrkt_t
), flags
))
1265 if (pfr_validate_table(&key
.pfrkt_t
, 0,
1266 flags
& PFR_FLAG_USERIOCTL
))
1268 p
= RB_FIND(pfr_ktablehead
, &pfr_ktables
, &key
);
1269 if (p
!= NULL
&& (p
->pfrkt_flags
& PFR_TFLAG_ACTIVE
)) {
1270 SLIST_FOREACH(q
, &workq
, pfrkt_workq
)
1271 if (!pfr_ktable_compare(p
, q
))
1273 p
->pfrkt_nflags
= p
->pfrkt_flags
& ~PFR_TFLAG_ACTIVE
;
1274 SLIST_INSERT_HEAD(&workq
, p
, pfrkt_workq
);
1281 if (!(flags
& PFR_FLAG_DUMMY
)) {
1282 pfr_setflags_ktables(&workq
);
1290 pfr_get_tables(struct pfr_table
*filter
, struct pfr_table
*tbl
, int *size
,
1293 struct pfr_ktable
*p
;
1296 ACCEPT_FLAGS(flags
, PFR_FLAG_ALLRSETS
);
1297 if (pfr_fix_anchor(filter
->pfrt_anchor
))
1299 n
= nn
= pfr_table_count(filter
, flags
);
1306 RB_FOREACH(p
, pfr_ktablehead
, &pfr_ktables
) {
1307 if (pfr_skip_table(filter
, p
, flags
))
1311 if (COPYOUT(&p
->pfrkt_t
, tbl
++, sizeof (*tbl
), flags
))
1315 printf("pfr_get_tables: corruption detected (%d).\n", n
);
1323 pfr_get_tstats(struct pfr_table
*filter
, struct pfr_tstats
*tbl
, int *size
,
1326 struct pfr_ktable
*p
;
1327 struct pfr_ktableworkq workq
;
1329 u_int64_t tzero
= pf_time_second();
1331 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1333 /* XXX PFR_FLAG_CLSTATS disabled */
1334 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_ALLRSETS
);
1335 if (pfr_fix_anchor(filter
->pfrt_anchor
))
1337 n
= nn
= pfr_table_count(filter
, flags
);
1345 RB_FOREACH(p
, pfr_ktablehead
, &pfr_ktables
) {
1346 if (pfr_skip_table(filter
, p
, flags
))
1350 if (COPYOUT(&p
->pfrkt_ts
, tbl
++, sizeof (*tbl
), flags
)) {
1353 SLIST_INSERT_HEAD(&workq
, p
, pfrkt_workq
);
1355 if (flags
& PFR_FLAG_CLSTATS
)
1356 pfr_clstats_ktables(&workq
, tzero
,
1357 flags
& PFR_FLAG_ADDRSTOO
);
1359 printf("pfr_get_tstats: corruption detected (%d).\n", n
);
1367 pfr_clr_tstats(struct pfr_table
*tbl
, int size
, int *nzero
, int flags
)
1369 struct pfr_ktableworkq workq
;
1370 struct pfr_ktable
*p
, key
;
1372 u_int64_t tzero
= pf_time_second();
1374 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1376 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
|
1379 for (i
= 0; i
< size
; i
++) {
1380 if (COPYIN(tbl
+i
, &key
.pfrkt_t
, sizeof (key
.pfrkt_t
), flags
))
1382 if (pfr_validate_table(&key
.pfrkt_t
, 0, 0))
1384 p
= RB_FIND(pfr_ktablehead
, &pfr_ktables
, &key
);
1386 SLIST_INSERT_HEAD(&workq
, p
, pfrkt_workq
);
1390 if (!(flags
& PFR_FLAG_DUMMY
)) {
1391 pfr_clstats_ktables(&workq
, tzero
, flags
& PFR_FLAG_ADDRSTOO
);
1399 pfr_set_tflags(struct pfr_table
*tbl
, int size
, int setflag
, int clrflag
,
1400 int *nchange
, int *ndel
, int flags
)
1402 struct pfr_ktableworkq workq
;
1403 struct pfr_ktable
*p
, *q
, key
;
1404 int i
, xchange
= 0, xdel
= 0;
1406 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1408 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
);
1409 if ((setflag
& ~PFR_TFLAG_USRMASK
) ||
1410 (clrflag
& ~PFR_TFLAG_USRMASK
) ||
1411 (setflag
& clrflag
))
1414 for (i
= 0; i
< size
; i
++) {
1415 if (COPYIN(tbl
+i
, &key
.pfrkt_t
, sizeof (key
.pfrkt_t
), flags
))
1417 if (pfr_validate_table(&key
.pfrkt_t
, 0,
1418 flags
& PFR_FLAG_USERIOCTL
))
1420 p
= RB_FIND(pfr_ktablehead
, &pfr_ktables
, &key
);
1421 if (p
!= NULL
&& (p
->pfrkt_flags
& PFR_TFLAG_ACTIVE
)) {
1422 p
->pfrkt_nflags
= (p
->pfrkt_flags
| setflag
) &
1424 if (p
->pfrkt_nflags
== p
->pfrkt_flags
)
1426 SLIST_FOREACH(q
, &workq
, pfrkt_workq
)
1427 if (!pfr_ktable_compare(p
, q
))
1429 SLIST_INSERT_HEAD(&workq
, p
, pfrkt_workq
);
1430 if ((p
->pfrkt_flags
& PFR_TFLAG_PERSIST
) &&
1431 (clrflag
& PFR_TFLAG_PERSIST
) &&
1432 !(p
->pfrkt_flags
& PFR_TFLAG_REFERENCED
))
1440 if (!(flags
& PFR_FLAG_DUMMY
)) {
1441 pfr_setflags_ktables(&workq
);
1443 if (nchange
!= NULL
)
1451 pfr_ina_begin(struct pfr_table
*trs
, u_int32_t
*ticket
, int *ndel
, int flags
)
1453 struct pfr_ktableworkq workq
;
1454 struct pfr_ktable
*p
;
1455 struct pf_ruleset
*rs
;
1458 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1460 ACCEPT_FLAGS(flags
, PFR_FLAG_DUMMY
);
1461 rs
= pf_find_or_create_ruleset(trs
->pfrt_anchor
);
1465 RB_FOREACH(p
, pfr_ktablehead
, &pfr_ktables
) {
1466 if (!(p
->pfrkt_flags
& PFR_TFLAG_INACTIVE
) ||
1467 pfr_skip_table(trs
, p
, 0))
1469 p
->pfrkt_nflags
= p
->pfrkt_flags
& ~PFR_TFLAG_INACTIVE
;
1470 SLIST_INSERT_HEAD(&workq
, p
, pfrkt_workq
);
1473 if (!(flags
& PFR_FLAG_DUMMY
)) {
1474 pfr_setflags_ktables(&workq
);
1476 *ticket
= ++rs
->tticket
;
1479 pf_remove_if_empty_ruleset(rs
);
1486 pfr_ina_define(struct pfr_table
*tbl
, struct pfr_addr
*addr
, int size
,
1487 int *nadd
, int *naddr
, u_int32_t ticket
, int flags
)
1489 struct pfr_ktableworkq tableq
;
1490 struct pfr_kentryworkq addrq
;
1491 struct pfr_ktable
*kt
, *rt
, *shadow
, key
;
1492 struct pfr_kentry
*p
;
1494 struct pf_ruleset
*rs
;
1495 int i
, rv
, xadd
= 0, xaddr
= 0;
1497 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1499 ACCEPT_FLAGS(flags
, PFR_FLAG_DUMMY
| PFR_FLAG_ADDRSTOO
);
1500 if (size
&& !(flags
& PFR_FLAG_ADDRSTOO
))
1502 if (pfr_validate_table(tbl
, PFR_TFLAG_USRMASK
,
1503 flags
& PFR_FLAG_USERIOCTL
))
1505 rs
= pf_find_ruleset(tbl
->pfrt_anchor
);
1506 if (rs
== NULL
|| !rs
->topen
|| ticket
!= rs
->tticket
)
1508 tbl
->pfrt_flags
|= PFR_TFLAG_INACTIVE
;
1509 SLIST_INIT(&tableq
);
1510 kt
= RB_FIND(pfr_ktablehead
, &pfr_ktables
, (struct pfr_ktable
*)tbl
);
1512 kt
= pfr_create_ktable(tbl
, 0, 1);
1515 SLIST_INSERT_HEAD(&tableq
, kt
, pfrkt_workq
);
1517 if (!tbl
->pfrt_anchor
[0])
1520 /* find or create root table */
1521 bzero(&key
, sizeof (key
));
1522 strlcpy(key
.pfrkt_name
, tbl
->pfrt_name
,
1523 sizeof (key
.pfrkt_name
));
1524 rt
= RB_FIND(pfr_ktablehead
, &pfr_ktables
, &key
);
1526 kt
->pfrkt_root
= rt
;
1529 rt
= pfr_create_ktable(&key
.pfrkt_t
, 0, 1);
1531 pfr_destroy_ktables(&tableq
, 0);
1534 SLIST_INSERT_HEAD(&tableq
, rt
, pfrkt_workq
);
1535 kt
->pfrkt_root
= rt
;
1536 } else if (!(kt
->pfrkt_flags
& PFR_TFLAG_INACTIVE
))
1539 shadow
= pfr_create_ktable(tbl
, 0, 0);
1540 if (shadow
== NULL
) {
1541 pfr_destroy_ktables(&tableq
, 0);
1545 for (i
= 0; i
< size
; i
++) {
1546 if (COPYIN(addr
+i
, &ad
, sizeof (ad
), flags
))
1548 if (pfr_validate_addr(&ad
))
1550 if (pfr_lookup_addr(shadow
, &ad
, 1) != NULL
)
1552 p
= pfr_create_kentry(&ad
, 0);
1555 if (pfr_route_kentry(shadow
, p
)) {
1556 pfr_destroy_kentry(p
);
1559 SLIST_INSERT_HEAD(&addrq
, p
, pfrke_workq
);
1562 if (!(flags
& PFR_FLAG_DUMMY
)) {
1563 if (kt
->pfrkt_shadow
!= NULL
)
1564 pfr_destroy_ktable(kt
->pfrkt_shadow
, 1);
1565 kt
->pfrkt_flags
|= PFR_TFLAG_INACTIVE
;
1566 pfr_insert_ktables(&tableq
);
1567 shadow
->pfrkt_cnt
= (flags
& PFR_FLAG_ADDRSTOO
) ?
1568 xaddr
: NO_ADDRESSES
;
1569 kt
->pfrkt_shadow
= shadow
;
1571 pfr_clean_node_mask(shadow
, &addrq
);
1572 pfr_destroy_ktable(shadow
, 0);
1573 pfr_destroy_ktables(&tableq
, 0);
1574 pfr_destroy_kentries(&addrq
);
1582 pfr_destroy_ktable(shadow
, 0);
1583 pfr_destroy_ktables(&tableq
, 0);
1584 pfr_destroy_kentries(&addrq
);
1589 pfr_ina_rollback(struct pfr_table
*trs
, u_int32_t ticket
, int *ndel
, int flags
)
1591 struct pfr_ktableworkq workq
;
1592 struct pfr_ktable
*p
;
1593 struct pf_ruleset
*rs
;
1596 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1598 ACCEPT_FLAGS(flags
, PFR_FLAG_DUMMY
);
1599 rs
= pf_find_ruleset(trs
->pfrt_anchor
);
1600 if (rs
== NULL
|| !rs
->topen
|| ticket
!= rs
->tticket
)
1603 RB_FOREACH(p
, pfr_ktablehead
, &pfr_ktables
) {
1604 if (!(p
->pfrkt_flags
& PFR_TFLAG_INACTIVE
) ||
1605 pfr_skip_table(trs
, p
, 0))
1607 p
->pfrkt_nflags
= p
->pfrkt_flags
& ~PFR_TFLAG_INACTIVE
;
1608 SLIST_INSERT_HEAD(&workq
, p
, pfrkt_workq
);
1611 if (!(flags
& PFR_FLAG_DUMMY
)) {
1612 pfr_setflags_ktables(&workq
);
1614 pf_remove_if_empty_ruleset(rs
);
1622 pfr_ina_commit(struct pfr_table
*trs
, u_int32_t ticket
, int *nadd
,
1623 int *nchange
, int flags
)
1625 struct pfr_ktable
*p
, *q
;
1626 struct pfr_ktableworkq workq
;
1627 struct pf_ruleset
*rs
;
1628 int xadd
= 0, xchange
= 0;
1629 u_int64_t tzero
= pf_time_second();
1631 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1633 ACCEPT_FLAGS(flags
, PFR_FLAG_ATOMIC
| PFR_FLAG_DUMMY
);
1634 rs
= pf_find_ruleset(trs
->pfrt_anchor
);
1635 if (rs
== NULL
|| !rs
->topen
|| ticket
!= rs
->tticket
)
1639 RB_FOREACH(p
, pfr_ktablehead
, &pfr_ktables
) {
1640 if (!(p
->pfrkt_flags
& PFR_TFLAG_INACTIVE
) ||
1641 pfr_skip_table(trs
, p
, 0))
1643 SLIST_INSERT_HEAD(&workq
, p
, pfrkt_workq
);
1644 if (p
->pfrkt_flags
& PFR_TFLAG_ACTIVE
)
1650 if (!(flags
& PFR_FLAG_DUMMY
)) {
1651 for (p
= SLIST_FIRST(&workq
); p
!= NULL
; p
= q
) {
1652 q
= SLIST_NEXT(p
, pfrkt_workq
);
1653 pfr_commit_ktable(p
, tzero
);
1656 pf_remove_if_empty_ruleset(rs
);
1660 if (nchange
!= NULL
)
1667 pfr_commit_ktable(struct pfr_ktable
*kt
, u_int64_t tzero
)
1669 struct pfr_ktable
*shadow
= kt
->pfrkt_shadow
;
1672 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1674 if (shadow
->pfrkt_cnt
== NO_ADDRESSES
) {
1675 if (!(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
1676 pfr_clstats_ktable(kt
, tzero
, 1);
1677 } else if (kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
) {
1678 /* kt might contain addresses */
1679 struct pfr_kentryworkq addrq
, addq
, changeq
, delq
, garbageq
;
1680 struct pfr_kentry
*p
, *q
, *next
;
1683 pfr_enqueue_addrs(shadow
, &addrq
, NULL
, 0);
1686 SLIST_INIT(&changeq
);
1688 SLIST_INIT(&garbageq
);
1689 pfr_clean_node_mask(shadow
, &addrq
);
1690 for (p
= SLIST_FIRST(&addrq
); p
!= NULL
; p
= next
) {
1691 next
= SLIST_NEXT(p
, pfrke_workq
); /* XXX */
1692 pfr_copyout_addr(&ad
, p
);
1693 q
= pfr_lookup_addr(kt
, &ad
, 1);
1695 if (q
->pfrke_not
!= p
->pfrke_not
)
1696 SLIST_INSERT_HEAD(&changeq
, q
,
1699 SLIST_INSERT_HEAD(&garbageq
, p
, pfrke_workq
);
1701 p
->pfrke_tzero
= tzero
;
1702 SLIST_INSERT_HEAD(&addq
, p
, pfrke_workq
);
1705 pfr_enqueue_addrs(kt
, &delq
, NULL
, ENQUEUE_UNMARKED_ONLY
);
1706 pfr_insert_kentries(kt
, &addq
, tzero
);
1707 pfr_remove_kentries(kt
, &delq
);
1708 pfr_clstats_kentries(&changeq
, tzero
, INVERT_NEG_FLAG
);
1709 pfr_destroy_kentries(&garbageq
);
1711 /* kt cannot contain addresses */
1712 SWAP(struct radix_node_head
*, kt
->pfrkt_ip4
,
1714 SWAP(struct radix_node_head
*, kt
->pfrkt_ip6
,
1716 SWAP(int, kt
->pfrkt_cnt
, shadow
->pfrkt_cnt
);
1717 pfr_clstats_ktable(kt
, tzero
, 1);
1719 nflags
= ((shadow
->pfrkt_flags
& PFR_TFLAG_USRMASK
) |
1720 (kt
->pfrkt_flags
& PFR_TFLAG_SETMASK
) | PFR_TFLAG_ACTIVE
) &
1721 ~PFR_TFLAG_INACTIVE
;
1722 pfr_destroy_ktable(shadow
, 0);
1723 kt
->pfrkt_shadow
= NULL
;
1724 pfr_setflags_ktable(kt
, nflags
);
1728 pfr_validate_table(struct pfr_table
*tbl
, int allowedflags
, int no_reserved
)
1732 if (!tbl
->pfrt_name
[0])
1734 if (no_reserved
&& strcmp(tbl
->pfrt_anchor
, PF_RESERVED_ANCHOR
) == 0)
1736 if (tbl
->pfrt_name
[PF_TABLE_NAME_SIZE
-1])
1738 for (i
= strlen(tbl
->pfrt_name
); i
< PF_TABLE_NAME_SIZE
; i
++)
1739 if (tbl
->pfrt_name
[i
])
1741 if (pfr_fix_anchor(tbl
->pfrt_anchor
))
1743 if (tbl
->pfrt_flags
& ~allowedflags
)
1749 * Rewrite anchors referenced by tables to remove slashes
1750 * and check for validity.
1753 pfr_fix_anchor(char *anchor
)
1755 size_t siz
= MAXPATHLEN
;
1758 if (anchor
[0] == '/') {
1764 while (*++path
== '/')
1766 bcopy(path
, anchor
, siz
- off
);
1767 memset(anchor
+ siz
- off
, 0, off
);
1769 if (anchor
[siz
- 1])
1771 for (i
= strlen(anchor
); i
< (int)siz
; i
++)
1778 pfr_table_count(struct pfr_table
*filter
, int flags
)
1780 struct pf_ruleset
*rs
;
1782 if (flags
& PFR_FLAG_ALLRSETS
)
1783 return (pfr_ktable_cnt
);
1784 if (filter
->pfrt_anchor
[0]) {
1785 rs
= pf_find_ruleset(filter
->pfrt_anchor
);
1786 return ((rs
!= NULL
) ? rs
->tables
: -1);
1788 return (pf_main_ruleset
.tables
);
1792 pfr_skip_table(struct pfr_table
*filter
, struct pfr_ktable
*kt
, int flags
)
1794 if (flags
& PFR_FLAG_ALLRSETS
)
1796 if (strcmp(filter
->pfrt_anchor
, kt
->pfrkt_anchor
))
1802 pfr_insert_ktables(struct pfr_ktableworkq
*workq
)
1804 struct pfr_ktable
*p
;
1806 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1808 SLIST_FOREACH(p
, workq
, pfrkt_workq
)
1809 pfr_insert_ktable(p
);
1813 pfr_insert_ktable(struct pfr_ktable
*kt
)
1815 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1817 RB_INSERT(pfr_ktablehead
, &pfr_ktables
, kt
);
1819 if (kt
->pfrkt_root
!= NULL
)
1820 if (!kt
->pfrkt_root
->pfrkt_refcnt
[PFR_REFCNT_ANCHOR
]++)
1821 pfr_setflags_ktable(kt
->pfrkt_root
,
1822 kt
->pfrkt_root
->pfrkt_flags
|PFR_TFLAG_REFDANCHOR
);
1826 pfr_setflags_ktables(struct pfr_ktableworkq
*workq
)
1828 struct pfr_ktable
*p
, *q
;
1830 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1832 for (p
= SLIST_FIRST(workq
); p
; p
= q
) {
1833 q
= SLIST_NEXT(p
, pfrkt_workq
);
1834 pfr_setflags_ktable(p
, p
->pfrkt_nflags
);
1839 pfr_setflags_ktable(struct pfr_ktable
*kt
, int newf
)
1841 struct pfr_kentryworkq addrq
;
1843 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1845 if (!(newf
& PFR_TFLAG_REFERENCED
) &&
1846 !(newf
& PFR_TFLAG_PERSIST
))
1847 newf
&= ~PFR_TFLAG_ACTIVE
;
1848 if (!(newf
& PFR_TFLAG_ACTIVE
))
1849 newf
&= ~PFR_TFLAG_USRMASK
;
1850 if (!(newf
& PFR_TFLAG_SETMASK
)) {
1851 RB_REMOVE(pfr_ktablehead
, &pfr_ktables
, kt
);
1852 if (kt
->pfrkt_root
!= NULL
)
1853 if (!--kt
->pfrkt_root
->pfrkt_refcnt
[PFR_REFCNT_ANCHOR
])
1854 pfr_setflags_ktable(kt
->pfrkt_root
,
1855 kt
->pfrkt_root
->pfrkt_flags
&
1856 ~PFR_TFLAG_REFDANCHOR
);
1857 pfr_destroy_ktable(kt
, 1);
1861 if (!(newf
& PFR_TFLAG_ACTIVE
) && kt
->pfrkt_cnt
) {
1862 pfr_enqueue_addrs(kt
, &addrq
, NULL
, 0);
1863 pfr_remove_kentries(kt
, &addrq
);
1865 if (!(newf
& PFR_TFLAG_INACTIVE
) && kt
->pfrkt_shadow
!= NULL
) {
1866 pfr_destroy_ktable(kt
->pfrkt_shadow
, 1);
1867 kt
->pfrkt_shadow
= NULL
;
1869 kt
->pfrkt_flags
= newf
;
1873 pfr_clstats_ktables(struct pfr_ktableworkq
*workq
, u_int64_t tzero
, int recurse
)
1875 struct pfr_ktable
*p
;
1877 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1879 SLIST_FOREACH(p
, workq
, pfrkt_workq
)
1880 pfr_clstats_ktable(p
, tzero
, recurse
);
1884 pfr_clstats_ktable(struct pfr_ktable
*kt
, u_int64_t tzero
, int recurse
)
1886 struct pfr_kentryworkq addrq
;
1888 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1891 pfr_enqueue_addrs(kt
, &addrq
, NULL
, 0);
1892 pfr_clstats_kentries(&addrq
, tzero
, 0);
1894 bzero(kt
->pfrkt_packets
, sizeof (kt
->pfrkt_packets
));
1895 bzero(kt
->pfrkt_bytes
, sizeof (kt
->pfrkt_bytes
));
1896 kt
->pfrkt_match
= kt
->pfrkt_nomatch
= 0;
1897 kt
->pfrkt_tzero
= tzero
;
1901 pfr_create_ktable(struct pfr_table
*tbl
, u_int64_t tzero
, int attachruleset
)
1903 struct pfr_ktable
*kt
;
1904 struct pf_ruleset
*rs
;
1906 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1908 kt
= pool_get(&pfr_ktable_pl
, PR_WAITOK
);
1911 bzero(kt
, sizeof (*kt
));
1914 if (attachruleset
) {
1915 rs
= pf_find_or_create_ruleset(tbl
->pfrt_anchor
);
1917 pfr_destroy_ktable(kt
, 0);
1924 if (!rn_inithead((void **)&kt
->pfrkt_ip4
,
1925 offsetof(struct sockaddr_in
, sin_addr
) * 8) ||
1926 !rn_inithead((void **)&kt
->pfrkt_ip6
,
1927 offsetof(struct sockaddr_in6
, sin6_addr
) * 8)) {
1928 pfr_destroy_ktable(kt
, 0);
1931 kt
->pfrkt_tzero
= tzero
;
1937 pfr_destroy_ktables(struct pfr_ktableworkq
*workq
, int flushaddr
)
1939 struct pfr_ktable
*p
, *q
;
1941 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1943 for (p
= SLIST_FIRST(workq
); p
; p
= q
) {
1944 q
= SLIST_NEXT(p
, pfrkt_workq
);
1945 pfr_destroy_ktable(p
, flushaddr
);
1950 pfr_destroy_ktable(struct pfr_ktable
*kt
, int flushaddr
)
1952 struct pfr_kentryworkq addrq
;
1954 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1957 pfr_enqueue_addrs(kt
, &addrq
, NULL
, 0);
1958 pfr_clean_node_mask(kt
, &addrq
);
1959 pfr_destroy_kentries(&addrq
);
1961 if (kt
->pfrkt_ip4
!= NULL
)
1962 _FREE((caddr_t
)kt
->pfrkt_ip4
, M_RTABLE
);
1963 if (kt
->pfrkt_ip6
!= NULL
)
1964 _FREE((caddr_t
)kt
->pfrkt_ip6
, M_RTABLE
);
1965 if (kt
->pfrkt_shadow
!= NULL
)
1966 pfr_destroy_ktable(kt
->pfrkt_shadow
, flushaddr
);
1967 if (kt
->pfrkt_rs
!= NULL
) {
1968 kt
->pfrkt_rs
->tables
--;
1969 pf_remove_if_empty_ruleset(kt
->pfrkt_rs
);
1971 pool_put(&pfr_ktable_pl
, kt
);
1975 pfr_ktable_compare(struct pfr_ktable
*p
, struct pfr_ktable
*q
)
1979 if ((d
= strncmp(p
->pfrkt_name
, q
->pfrkt_name
, PF_TABLE_NAME_SIZE
)))
1981 return (strcmp(p
->pfrkt_anchor
, q
->pfrkt_anchor
));
1985 pfr_lookup_table(struct pfr_table
*tbl
)
1987 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
1989 /* struct pfr_ktable start like a struct pfr_table */
1990 return (RB_FIND(pfr_ktablehead
, &pfr_ktables
,
1991 (struct pfr_ktable
*)tbl
));
1995 pfr_match_addr(struct pfr_ktable
*kt
, struct pf_addr
*a
, sa_family_t af
)
1997 struct pfr_kentry
*ke
= NULL
;
2000 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
2002 if (!(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
) && kt
->pfrkt_root
!= NULL
)
2003 kt
= kt
->pfrkt_root
;
2004 if (!(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
2010 pfr_sin
.sin_addr
.s_addr
= a
->addr32
[0];
2011 ke
= (struct pfr_kentry
*)rn_match(&pfr_sin
, kt
->pfrkt_ip4
);
2012 if (ke
&& KENTRY_RNF_ROOT(ke
))
2018 bcopy(a
, &pfr_sin6
.sin6_addr
, sizeof (pfr_sin6
.sin6_addr
));
2019 ke
= (struct pfr_kentry
*)rn_match(&pfr_sin6
, kt
->pfrkt_ip6
);
2020 if (ke
&& KENTRY_RNF_ROOT(ke
))
2025 match
= (ke
&& !ke
->pfrke_not
);
2029 kt
->pfrkt_nomatch
++;
2034 pfr_update_stats(struct pfr_ktable
*kt
, struct pf_addr
*a
, sa_family_t af
,
2035 u_int64_t len
, int dir_out
, int op_pass
, int notrule
)
2037 struct pfr_kentry
*ke
= NULL
;
2039 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
2041 if (!(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
) && kt
->pfrkt_root
!= NULL
)
2042 kt
= kt
->pfrkt_root
;
2043 if (!(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
2049 pfr_sin
.sin_addr
.s_addr
= a
->addr32
[0];
2050 ke
= (struct pfr_kentry
*)rn_match(&pfr_sin
, kt
->pfrkt_ip4
);
2051 if (ke
&& KENTRY_RNF_ROOT(ke
))
2057 bcopy(a
, &pfr_sin6
.sin6_addr
, sizeof (pfr_sin6
.sin6_addr
));
2058 ke
= (struct pfr_kentry
*)rn_match(&pfr_sin6
, kt
->pfrkt_ip6
);
2059 if (ke
&& KENTRY_RNF_ROOT(ke
))
2066 if ((ke
== NULL
|| ke
->pfrke_not
) != notrule
) {
2067 if (op_pass
!= PFR_OP_PASS
)
2068 printf("pfr_update_stats: assertion failed.\n");
2069 op_pass
= PFR_OP_XPASS
;
2071 kt
->pfrkt_packets
[dir_out
][op_pass
]++;
2072 kt
->pfrkt_bytes
[dir_out
][op_pass
] += len
;
2073 if (ke
!= NULL
&& op_pass
!= PFR_OP_XPASS
) {
2074 ke
->pfrke_packets
[dir_out
][op_pass
]++;
2075 ke
->pfrke_bytes
[dir_out
][op_pass
] += len
;
2080 pfr_attach_table(struct pf_ruleset
*rs
, char *name
)
2082 struct pfr_ktable
*kt
, *rt
;
2083 struct pfr_table tbl
;
2084 struct pf_anchor
*ac
= rs
->anchor
;
2086 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
2088 bzero(&tbl
, sizeof (tbl
));
2089 strlcpy(tbl
.pfrt_name
, name
, sizeof (tbl
.pfrt_name
));
2091 strlcpy(tbl
.pfrt_anchor
, ac
->path
, sizeof (tbl
.pfrt_anchor
));
2092 kt
= pfr_lookup_table(&tbl
);
2094 kt
= pfr_create_ktable(&tbl
, pf_time_second(), 1);
2098 bzero(tbl
.pfrt_anchor
, sizeof (tbl
.pfrt_anchor
));
2099 rt
= pfr_lookup_table(&tbl
);
2101 rt
= pfr_create_ktable(&tbl
, 0, 1);
2103 pfr_destroy_ktable(kt
, 0);
2106 pfr_insert_ktable(rt
);
2108 kt
->pfrkt_root
= rt
;
2110 pfr_insert_ktable(kt
);
2112 if (!kt
->pfrkt_refcnt
[PFR_REFCNT_RULE
]++)
2113 pfr_setflags_ktable(kt
, kt
->pfrkt_flags
|PFR_TFLAG_REFERENCED
);
2118 pfr_detach_table(struct pfr_ktable
*kt
)
2120 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
2122 if (kt
->pfrkt_refcnt
[PFR_REFCNT_RULE
] <= 0)
2123 printf("pfr_detach_table: refcount = %d.\n",
2124 kt
->pfrkt_refcnt
[PFR_REFCNT_RULE
]);
2125 else if (!--kt
->pfrkt_refcnt
[PFR_REFCNT_RULE
])
2126 pfr_setflags_ktable(kt
, kt
->pfrkt_flags
&~PFR_TFLAG_REFERENCED
);
2130 pfr_pool_get(struct pfr_ktable
*kt
, int *pidx
, struct pf_addr
*counter
,
2131 struct pf_addr
**raddr
, struct pf_addr
**rmask
, sa_family_t af
)
2133 struct pfr_kentry
*ke
, *ke2
;
2134 struct pf_addr
*addr
;
2135 union sockaddr_union mask
;
2136 int idx
= -1, use_counter
= 0;
2138 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
2141 addr
= (struct pf_addr
*)&pfr_sin
.sin_addr
;
2142 else if (af
== AF_INET6
)
2143 addr
= (struct pf_addr
*)&pfr_sin6
.sin6_addr
;
2147 if (!(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
) && kt
->pfrkt_root
!= NULL
)
2148 kt
= kt
->pfrkt_root
;
2149 if (!(kt
->pfrkt_flags
& PFR_TFLAG_ACTIVE
))
2154 if (counter
!= NULL
&& idx
>= 0)
2160 ke
= pfr_kentry_byidx(kt
, idx
, af
);
2162 kt
->pfrkt_nomatch
++;
2165 pfr_prepare_network(&pfr_mask
, af
, ke
->pfrke_net
);
2166 *raddr
= SUNION2PF(&ke
->pfrke_sa
, af
);
2167 *rmask
= SUNION2PF(&pfr_mask
, af
);
2170 /* is supplied address within block? */
2171 if (!PF_MATCHA(0, *raddr
, *rmask
, counter
, af
)) {
2172 /* no, go to next block in table */
2177 PF_ACPY(addr
, counter
, af
);
2179 /* use first address of block */
2180 PF_ACPY(addr
, *raddr
, af
);
2183 if (!KENTRY_NETWORK(ke
)) {
2184 /* this is a single IP address - no possible nested block */
2185 PF_ACPY(counter
, addr
, af
);
2191 /* we don't want to use a nested block */
2193 ke2
= (struct pfr_kentry
*)rn_match(&pfr_sin
,
2195 else if (af
== AF_INET6
)
2196 ke2
= (struct pfr_kentry
*)rn_match(&pfr_sin6
,
2199 return (-1); /* never happens */
2200 /* no need to check KENTRY_RNF_ROOT() here */
2202 /* lookup return the same block - perfect */
2203 PF_ACPY(counter
, addr
, af
);
2209 /* we need to increase the counter past the nested block */
2210 pfr_prepare_network(&mask
, AF_INET
, ke2
->pfrke_net
);
2211 PF_POOLMASK(addr
, addr
, SUNION2PF(&mask
, af
), &pfr_ffaddr
, af
);
2213 if (!PF_MATCHA(0, *raddr
, *rmask
, addr
, af
)) {
2214 /* ok, we reached the end of our main block */
2215 /* go to next block in table */
2224 pfr_kentry_byidx(struct pfr_ktable
*kt
, int idx
, int af
)
2226 struct pfr_walktree w
;
2228 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
2230 bzero(&w
, sizeof (w
));
2231 w
.pfrw_op
= PFRW_POOL_GET
;
2237 (void) kt
->pfrkt_ip4
->rnh_walktree(kt
->pfrkt_ip4
,
2239 return (w
.pfrw_kentry
);
2243 (void) kt
->pfrkt_ip6
->rnh_walktree(kt
->pfrkt_ip6
,
2245 return (w
.pfrw_kentry
);
2253 pfr_dynaddr_update(struct pfr_ktable
*kt
, struct pfi_dynaddr
*dyn
)
2255 struct pfr_walktree w
;
2257 lck_mtx_assert(pf_lock
, LCK_MTX_ASSERT_OWNED
);
2259 bzero(&w
, sizeof (w
));
2260 w
.pfrw_op
= PFRW_DYNADDR_UPDATE
;
2263 dyn
->pfid_acnt4
= 0;
2264 dyn
->pfid_acnt6
= 0;
2265 if (!dyn
->pfid_af
|| dyn
->pfid_af
== AF_INET
)
2266 (void) kt
->pfrkt_ip4
->rnh_walktree(kt
->pfrkt_ip4
,
2268 if (!dyn
->pfid_af
|| dyn
->pfid_af
== AF_INET6
)
2269 (void) kt
->pfrkt_ip6
->rnh_walktree(kt
->pfrkt_ip6
,
projects / apple / xnu.git / blob