diff --git a/lib/libpfctl/libpfctl.h b/lib/libpfctl/libpfctl.h --- a/lib/libpfctl/libpfctl.h +++ b/lib/libpfctl/libpfctl.h @@ -174,7 +174,12 @@ char overload_tblname[PF_TABLE_NAME_SIZE]; TAILQ_ENTRY(pfctl_rule) entries; - struct pfctl_pool rpool; + struct pfctl_pool nat; + union { + /* Alias old and new names. */ + struct pfctl_pool rpool; + struct pfctl_pool rdr; + }; uint64_t evaluations; uint64_t packets[2]; @@ -521,7 +526,7 @@ int pfctl_set_limit(struct pfctl_handle *h, const int index, const uint limit); int pfctl_get_limit(struct pfctl_handle *h, const int index, uint *limit); int pfctl_begin_addrs(struct pfctl_handle *h, uint32_t *ticket); -int pfctl_add_addr(struct pfctl_handle *h, const struct pfioc_pooladdr *pa); +int pfctl_add_addr(struct pfctl_handle *h, const struct pfioc_pooladdr *pa, int which); int pfctl_get_addrs(struct pfctl_handle *h, uint32_t ticket, uint32_t r_num, uint8_t r_action, const char *anchor, uint32_t *nr); int pfctl_get_addr(struct pfctl_handle *h, uint32_t ticket, uint32_t r_num, diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c --- a/lib/libpfctl/libpfctl.c +++ b/lib/libpfctl/libpfctl.c @@ -731,7 +731,7 @@ strlcpy(rule->overload_tblname, nvlist_get_string(nvl, "overload_tblname"), PF_TABLE_NAME_SIZE); - pf_nvpool_to_pool(nvlist_get_nvlist(nvl, "rpool"), &rule->rpool); + pf_nvpool_to_pool(nvlist_get_nvlist(nvl, "rpool"), &rule->rdr); rule->evaluations = nvlist_get_number(nvl, "evaluations"); pf_nvuint_64_array(nvl, "packets", 2, rule->packets, NULL); @@ -1226,7 +1226,8 @@ snl_add_msg_attr_string(nw, PF_RT_TAGNAME, r->tagname); snl_add_msg_attr_string(nw, PF_RT_MATCH_TAGNAME, r->match_tagname); snl_add_msg_attr_string(nw, PF_RT_OVERLOAD_TBLNAME, r->overload_tblname); - snl_add_msg_attr_rpool(nw, PF_RT_RPOOL, &r->rpool); + snl_add_msg_attr_rpool(nw, PF_RT_RPOOL, &r->rdr); + snl_add_msg_attr_rpool(nw, PF_RT_NAT, &r->nat); snl_add_msg_attr_u32(nw, PF_RT_OS_FINGERPRINT, r->os_fingerprint); snl_add_msg_attr_u32(nw, PF_RT_RTABLEID, r->rtableid); snl_add_msg_attr_timeouts(nw, PF_RT_TIMEOUT, r->timeout); @@ -1596,7 +1597,7 @@ { .type = PF_RT_TAGNAME, .off = _OUT(r.tagname), .arg = (void *)PF_TAG_NAME_SIZE, .cb = snl_attr_copy_string }, { .type = PF_RT_MATCH_TAGNAME, .off = _OUT(r.match_tagname), .arg = (void *)PF_TAG_NAME_SIZE, .cb = snl_attr_copy_string }, { .type = PF_RT_OVERLOAD_TBLNAME, .off = _OUT(r.overload_tblname), .arg = (void *)PF_TABLE_NAME_SIZE, .cb = snl_attr_copy_string }, - { .type = PF_RT_RPOOL, .off = _OUT(r.rpool), .arg = &pool_parser, .cb = snl_attr_get_nested }, + { .type = PF_RT_RPOOL, .off = _OUT(r.rdr), .arg = &pool_parser, .cb = snl_attr_get_nested }, { .type = PF_RT_OS_FINGERPRINT, .off = _OUT(r.os_fingerprint), .cb = snl_attr_get_uint32 }, { .type = PF_RT_RTABLEID, .off = _OUT(r.rtableid), .cb = snl_attr_get_uint32 }, { .type = PF_RT_TIMEOUT, .off = _OUT(r.timeout), .arg = &timeout_parser, .cb = snl_attr_get_nested_timeouts }, @@ -1660,6 +1661,7 @@ { .type = PF_RT_ANCHOR_CALL, .off = _OUT(anchor_call), .arg = (void*)MAXPATHLEN, .cb = snl_attr_copy_string }, { .type = PF_RT_RCV_IFNAME, .off = _OUT(r.rcv_ifname), .arg = (void*)IFNAMSIZ, .cb = snl_attr_copy_string }, { .type = PF_RT_MAX_SRC_CONN, .off = _OUT(r.max_src_conn), .cb = snl_attr_get_uint32 }, + { .type = PF_RT_NAT, .off = _OUT(r.nat), .arg = &pool_parser, .cb = snl_attr_get_nested }, }; static struct snl_field_parser fp_getrule[] = {}; #undef _OUT @@ -2771,7 +2773,7 @@ } int -pfctl_add_addr(struct pfctl_handle *h, const struct pfioc_pooladdr *pa) +pfctl_add_addr(struct pfctl_handle *h, const struct pfioc_pooladdr *pa, int which __unused) { struct snl_writer nw; struct snl_errmsg_data e = {}; diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -1687,7 +1687,7 @@ /* callbacks for rule/nat/rdr/addr */ int -pfctl_add_pool(struct pfctl *pf, struct pfctl_pool *p, sa_family_t af) +pfctl_add_pool(struct pfctl *pf, struct pfctl_pool *p, sa_family_t af, int which) { struct pf_pooladdr *pa; int ret; @@ -1701,7 +1701,7 @@ TAILQ_FOREACH(pa, &p->list, entries) { memcpy(&pf->paddr.addr, pa, sizeof(struct pf_pooladdr)); if ((pf->opts & PF_OPT_NOACTION) == 0) { - if ((ret = pfctl_add_addr(pf->h, &pf->paddr)) != 0) + if ((ret = pfctl_add_addr(pf->h, &pf->paddr, which)) != 0) errc(1, ret, "DIOCADDADDR"); } } @@ -2045,7 +2045,7 @@ was_present = false; if ((pf->opts & PF_OPT_NOACTION) == 0) { - if (pfctl_add_pool(pf, &r->rpool, r->af)) + if (pfctl_add_pool(pf, &r->rpool, r->af, PF_RDR)) return (1); error = pfctl_add_rule_h(pf->h, r, anchor, name, ticket, pf->paddr.ticket); diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h --- a/sbin/pfctl/pfctl_parser.h +++ b/sbin/pfctl/pfctl_parser.h @@ -283,7 +283,7 @@ int pfctl_append_eth_rule(struct pfctl *, struct pfctl_eth_rule *, const char *); int pfctl_add_altq(struct pfctl *, struct pf_altq *); -int pfctl_add_pool(struct pfctl *, struct pfctl_pool *, sa_family_t); +int pfctl_add_pool(struct pfctl *, struct pfctl_pool *, sa_family_t, int); void pfctl_move_pool(struct pfctl_pool *, struct pfctl_pool *); void pfctl_clear_pool(struct pfctl_pool *); diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -782,7 +782,8 @@ char overload_tblname[PF_TABLE_NAME_SIZE]; TAILQ_ENTRY(pf_krule) entries; - struct pf_kpool rpool; + struct pf_kpool nat; + struct pf_kpool rdr; struct pf_counter_u64 evaluations; struct pf_counter_u64 packets[2]; @@ -1604,8 +1605,10 @@ struct pf_addr *src; /* src address */ struct pf_addr *dst; /* dst address */ - u_int16_t *sport; - u_int16_t *dport; + u_int16_t *sport; + u_int16_t *dport; + u_int16_t osport; + u_int16_t odport; struct pf_mtag *pf_mtag; struct pf_rule_actions act; @@ -2193,7 +2196,7 @@ TAILQ_HEAD(pf_altqqueue, pf_altq); VNET_DECLARE(struct pf_altqqueue, pf_altqs[4]); #define V_pf_altqs VNET(pf_altqs) -VNET_DECLARE(struct pf_kpalist, pf_pabuf); +VNET_DECLARE(struct pf_kpalist, pf_pabuf[2]); #define V_pf_pabuf VNET(pf_pabuf) VNET_DECLARE(u_int32_t, ticket_altqs_active); @@ -2525,6 +2528,20 @@ #endif /* _KERNEL */ #ifdef _KERNEL +struct pf_nl_pooladdr { + u_int32_t action; + u_int32_t ticket; + u_int32_t nr; + u_int32_t r_num; + u_int8_t r_action; + u_int8_t r_last; + u_int8_t af; + char anchor[MAXPATHLEN]; + struct pf_pooladdr addr; + /* Above this is identical to pfioc_pooladdr */ + int which; +}; + VNET_DECLARE(struct pf_kanchor_global, pf_anchors); #define V_pf_anchors VNET(pf_anchors) VNET_DECLARE(struct pf_kanchor, pf_main_anchor); @@ -2577,9 +2594,9 @@ int pf_ioctl_get_limit(int, unsigned int *); int pf_ioctl_set_limit(int, unsigned int, unsigned int *); int pf_ioctl_begin_addrs(uint32_t *); -int pf_ioctl_add_addr(struct pfioc_pooladdr *); -int pf_ioctl_get_addrs(struct pfioc_pooladdr *); -int pf_ioctl_get_addr(struct pfioc_pooladdr *); +int pf_ioctl_add_addr(struct pf_nl_pooladdr *); +int pf_ioctl_get_addrs(struct pf_nl_pooladdr *); +int pf_ioctl_get_addr(struct pf_nl_pooladdr *); int pf_ioctl_get_rulesets(struct pfioc_ruleset *); int pf_ioctl_get_ruleset(struct pfioc_ruleset *); diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -157,7 +157,7 @@ /* state tables */ VNET_DEFINE(struct pf_altqqueue, pf_altqs[4]); -VNET_DEFINE(struct pf_kpalist, pf_pabuf); +VNET_DEFINE(struct pf_kpalist, pf_pabuf[2]); VNET_DEFINE(struct pf_altqqueue *, pf_altqs_active); VNET_DEFINE(struct pf_altqqueue *, pf_altq_ifs_active); VNET_DEFINE(struct pf_altqqueue *, pf_altqs_inactive); @@ -333,8 +333,7 @@ static int pf_create_state(struct pf_krule *, struct pf_krule *, struct pf_krule *, struct pf_pdesc *, struct pf_ksrc_node *, struct pf_state_key *, - struct pf_state_key *, - u_int16_t, u_int16_t, int *, + struct pf_state_key *, int *, struct pf_kstate **, int, u_int16_t, u_int16_t, struct pf_krule_slist *, struct pf_udp_mapping *); static int pf_state_key_addr_setup(struct pf_pdesc *, @@ -1009,7 +1008,7 @@ struct pf_srchash *sh = NULL; KASSERT((rule->rule_flag & PFRULE_SRCTRACK || - rule->rpool.opts & PF_POOL_STICKYADDR), + rule->rdr.opts & PF_POOL_STICKYADDR), ("%s for non-tracking rule %p", __func__, rule)); if (*sn == NULL) @@ -1218,7 +1217,8 @@ TAILQ_INIT(&V_pf_altqs[1]); TAILQ_INIT(&V_pf_altqs[2]); TAILQ_INIT(&V_pf_altqs[3]); - TAILQ_INIT(&V_pf_pabuf); + TAILQ_INIT(&V_pf_pabuf[0]); + TAILQ_INIT(&V_pf_pabuf[1]); V_pf_altqs_active = &V_pf_altqs[0]; V_pf_altq_ifs_active = &V_pf_altqs[1]; V_pf_altqs_inactive = &V_pf_altqs[2]; @@ -4956,6 +4956,8 @@ sport = dport = 0; break; } + pd->osport = sport; + pd->odport = dport; r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); @@ -5291,7 +5293,7 @@ (pd->flags & PFDESC_TCP_NORM)))) { int action; action = pf_create_state(r, nr, a, pd, nsn, nk, sk, - sport, dport, &rewrite, sm, tag, bproto_sum, bip_sum, + &rewrite, sm, tag, bproto_sum, bip_sum, &match_rules, udp_mapping); if (action != PF_PASS) { pf_udp_mapping_release(udp_mapping); @@ -5346,8 +5348,7 @@ static int pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a, struct pf_pdesc *pd, struct pf_ksrc_node *nsn, struct pf_state_key *nk, - struct pf_state_key *sk, u_int16_t sport, - u_int16_t dport, int *rewrite, struct pf_kstate **sm, + struct pf_state_key *sk, int *rewrite, struct pf_kstate **sm, int tag, u_int16_t bproto_sum, u_int16_t bip_sum, struct pf_krule_slist *match_rules, struct pf_udp_mapping *udp_mapping) { @@ -5367,13 +5368,13 @@ } /* src node for filter rule */ if ((r->rule_flag & PFRULE_SRCTRACK || - r->rpool.opts & PF_POOL_STICKYADDR) && + r->rdr.opts & PF_POOL_STICKYADDR) && (sn_reason = pf_insert_src_node(&sn, r, pd->src, pd->af)) != 0) { REASON_SET(&reason, sn_reason); goto csfailed; } /* src node for translation rule */ - if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && + if (nr != NULL && (nr->rdr.opts & PF_POOL_STICKYADDR) && (sn_reason = pf_insert_src_node(&nsn, nr, &sk->addr[pd->sidx], pd->af)) != 0 ) { REASON_SET(&reason, sn_reason); @@ -5511,7 +5512,9 @@ if (nr == NULL) { KASSERT((sk == NULL && nk == NULL), ("%s: nr %p sk %p, nk %p", __func__, nr, sk, nk)); - sk = pf_state_key_setup(pd, pd->src, pd->dst, sport, dport); + MPASS(pd->sport == NULL || (pd->osport == *pd->sport)); + MPASS(pd->dport == NULL || (pd->odport == *pd->dport)); + sk = pf_state_key_setup(pd, pd->src, pd->dst, pd->osport, pd->odport); if (sk == NULL) goto csfailed; nk = sk; @@ -7694,14 +7697,14 @@ if (r_rt == PF_DUPTO) { if ((pd->pf_mtag->flags & PF_MTAG_FLAG_DUPLICATED)) { if (s == NULL) { - ifp = r->rpool.cur->kif ? - r->rpool.cur->kif->pfik_ifp : NULL; + ifp = r->rdr.cur->kif ? + r->rdr.cur->kif->pfik_ifp : NULL; } else { ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; /* If pfsync'd */ - if (ifp == NULL && r->rpool.cur != NULL) - ifp = r->rpool.cur->kif ? - r->rpool.cur->kif->pfik_ifp : NULL; + if (ifp == NULL && r->rdr.cur != NULL) + ifp = r->rdr.cur->kif ? + r->rdr.cur->kif->pfik_ifp : NULL; PF_STATE_UNLOCK(s); } if (ifp == oifp) { @@ -7741,9 +7744,9 @@ bzero(&naddr, sizeof(naddr)); if (s == NULL) { - if (TAILQ_EMPTY(&r->rpool.list)) { + if (TAILQ_EMPTY(&r->rdr.list)) { DPFPRINTF(PF_DEBUG_URGENT, - ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__)); + ("%s: TAILQ_EMPTY(&r->rdr.list)\n", __func__)); SDT_PROBE1(pf, ip, route_to, drop, __LINE__); goto bad_locked; } @@ -7761,10 +7764,10 @@ ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; kif = s->rt_kif; /* If pfsync'd */ - if (ifp == NULL && r->rpool.cur != NULL) { - ifp = r->rpool.cur->kif ? - r->rpool.cur->kif->pfik_ifp : NULL; - kif = r->rpool.cur->kif; + if (ifp == NULL && r->rdr.cur != NULL) { + ifp = r->rdr.cur->kif ? + r->rdr.cur->kif->pfik_ifp : NULL; + kif = r->rdr.cur->kif; } if (ifp != NULL && kif != NULL && r->rule_flag & PFRULE_IFBOUND && @@ -7963,14 +7966,14 @@ if (r_rt == PF_DUPTO) { if ((pd->pf_mtag->flags & PF_MTAG_FLAG_DUPLICATED)) { if (s == NULL) { - ifp = r->rpool.cur->kif ? - r->rpool.cur->kif->pfik_ifp : NULL; + ifp = r->rdr.cur->kif ? + r->rdr.cur->kif->pfik_ifp : NULL; } else { ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; /* If pfsync'd */ - if (ifp == NULL && r->rpool.cur != NULL) - ifp = r->rpool.cur->kif ? - r->rpool.cur->kif->pfik_ifp : NULL; + if (ifp == NULL && r->rdr.cur != NULL) + ifp = r->rdr.cur->kif ? + r->rdr.cur->kif->pfik_ifp : NULL; PF_STATE_UNLOCK(s); } if (ifp == oifp) { @@ -8010,9 +8013,9 @@ bzero(&naddr, sizeof(naddr)); if (s == NULL) { - if (TAILQ_EMPTY(&r->rpool.list)) { + if (TAILQ_EMPTY(&r->rdr.list)) { DPFPRINTF(PF_DEBUG_URGENT, - ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__)); + ("%s: TAILQ_EMPTY(&r->rdr.list)\n", __func__)); SDT_PROBE1(pf, ip6, route_to, drop, __LINE__); goto bad_locked; } @@ -8031,10 +8034,10 @@ ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; kif = s->rt_kif; /* If pfsync'd */ - if (ifp == NULL && r->rpool.cur != NULL) { - ifp = r->rpool.cur->kif ? - r->rpool.cur->kif->pfik_ifp : NULL; - kif = r->rpool.cur->kif; + if (ifp == NULL && r->rdr.cur != NULL) { + ifp = r->rdr.cur->kif ? + r->rdr.cur->kif->pfik_ifp : NULL; + kif = r->rdr.cur->kif; } if (ifp != NULL && kif != NULL && r->rule_flag & PFRULE_IFBOUND && diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -100,7 +100,7 @@ SDT_PROBE_DEFINE2(pf, ioctl, nvchk, error, "int", "int"); static struct pf_kpool *pf_get_kpool(const char *, u_int32_t, u_int8_t, - u_int32_t, u_int8_t, u_int8_t, u_int8_t); + u_int32_t, u_int8_t, u_int8_t, u_int8_t, int); static void pf_mv_kpool(struct pf_kpalist *, struct pf_kpalist *); static void pf_empty_kpool(struct pf_kpalist *); @@ -430,12 +430,14 @@ static struct pf_kpool * pf_get_kpool(const char *anchor, u_int32_t ticket, u_int8_t rule_action, u_int32_t rule_number, u_int8_t r_last, u_int8_t active, - u_int8_t check_ticket) + u_int8_t check_ticket, int which) { struct pf_kruleset *ruleset; struct pf_krule *rule; int rs_num; + MPASS(which == PF_RDR || which == PF_NAT); + ruleset = pf_find_kruleset(anchor); if (ruleset == NULL) return (NULL); @@ -468,7 +470,10 @@ if (rule == NULL) return (NULL); - return (&rule->rpool); + if (which == PF_NAT) + return (&rule->nat); + else + return (&rule->rdr); } static void @@ -605,7 +610,7 @@ if (rule->rcv_kif) pfi_kkif_unref(rule->rcv_kif); pf_kanchor_remove(rule); - pf_empty_kpool(&rule->rpool.list); + pf_empty_kpool(&rule->rdr.list); pf_krule_free(rule); } @@ -1824,7 +1829,8 @@ struct pf_krule *rule; rule = malloc(sizeof(struct pf_krule), M_PFRULE, M_WAITOK | M_ZERO); - mtx_init(&rule->rpool.mtx, "pf_krule_pool", NULL, MTX_DEF); + mtx_init(&rule->nat.mtx, "pf_krule_nat_pool", NULL, MTX_DEF); + mtx_init(&rule->rdr.mtx, "pf_krule_rdr_pool", NULL, MTX_DEF); rule->timestamp = uma_zalloc_pcpu(pf_timestamp_pcpu_zone, M_WAITOK | M_ZERO); return (rule); @@ -1862,7 +1868,8 @@ counter_u64_free(rule->src_nodes); uma_zfree_pcpu(pf_timestamp_pcpu_zone, rule->timestamp); - mtx_destroy(&rule->rpool.mtx); + mtx_destroy(&rule->nat.mtx); + mtx_destroy(&rule->rdr.mtx); free(rule, M_PFRULE); } @@ -1966,7 +1973,7 @@ if (ret != 0) return (ret); - pf_pool_to_kpool(&rule->rpool, &krule->rpool); + pf_pool_to_kpool(&rule->rpool, &krule->rdr); /* Don't allow userspace to set evaluations, packets or bytes. */ /* kif, anchor, overload_tbl are not copied over. */ @@ -2096,7 +2103,8 @@ rule->src_nodes = counter_u64_alloc(M_WAITOK); rule->cuid = uid; rule->cpid = pid; - TAILQ_INIT(&rule->rpool.list); + TAILQ_INIT(&rule->rdr.list); + TAILQ_INIT(&rule->nat.list); PF_CONFIG_LOCK(); PF_RULES_WLOCK(); @@ -2194,13 +2202,15 @@ (rule->set_prio[0] > PF_PRIO_MAX || rule->set_prio[1] > PF_PRIO_MAX)) error = EINVAL; - TAILQ_FOREACH(pa, &V_pf_pabuf, entries) - if (pa->addr.type == PF_ADDR_TABLE) { - pa->addr.p.tbl = pfr_attach_table(ruleset, - pa->addr.v.tblname); - if (pa->addr.p.tbl == NULL) - error = ENOMEM; - } + for (int i = 0; i < 2; i++) { + TAILQ_FOREACH(pa, &V_pf_pabuf[i], entries) + if (pa->addr.type == PF_ADDR_TABLE) { + pa->addr.p.tbl = pfr_attach_table(ruleset, + pa->addr.v.tblname); + if (pa->addr.p.tbl == NULL) + error = ENOMEM; + } + } rule->overload_tbl = NULL; if (rule->overload_tblname[0]) { @@ -2212,14 +2222,15 @@ PFR_TFLAG_ACTIVE; } - pf_mv_kpool(&V_pf_pabuf, &rule->rpool.list); + pf_mv_kpool(&V_pf_pabuf[0], &rule->nat.list); + pf_mv_kpool(&V_pf_pabuf[1], &rule->rdr.list); if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) || (rule->action == PF_BINAT)) && rule->anchor == NULL) || (rule->rt > PF_NOPFROUTE)) && - (TAILQ_FIRST(&rule->rpool.list) == NULL)) + (TAILQ_FIRST(&rule->rdr.list) == NULL)) error = EINVAL; - if (rule->action == PF_PASS && rule->rpool.opts & PF_POOL_STICKYADDR && + if (rule->action == PF_PASS && rule->rdr.opts & PF_POOL_STICKYADDR && !rule->keep_state) { error = EINVAL; } @@ -2230,7 +2241,8 @@ ERROUT(error); } - rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list); + rule->nat.cur = TAILQ_FIRST(&rule->nat.list); + rule->rdr.cur = TAILQ_FIRST(&rule->rdr.list); TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr, rule, entries); ruleset->rules[rs_num].inactive.rcount++; @@ -2538,7 +2550,8 @@ pf_ioctl_begin_addrs(uint32_t *ticket) { PF_RULES_WLOCK(); - pf_empty_kpool(&V_pf_pabuf); + pf_empty_kpool(&V_pf_pabuf[0]); + pf_empty_kpool(&V_pf_pabuf[1]); *ticket = ++V_ticket_pabuf; PF_RULES_WUNLOCK(); @@ -2546,12 +2559,14 @@ } int -pf_ioctl_add_addr(struct pfioc_pooladdr *pp) +pf_ioctl_add_addr(struct pf_nl_pooladdr *pp) { struct pf_kpooladdr *pa = NULL; struct pfi_kkif *kif = NULL; int error; + MPASS(pp->which == PF_RDR || pp->which == PF_NAT); + #ifndef INET if (pp->af == AF_INET) return (EAFNOSUPPORT); @@ -2596,7 +2611,8 @@ PF_RULES_WUNLOCK(); goto out; } - TAILQ_INSERT_TAIL(&V_pf_pabuf, pa, entries); + TAILQ_INSERT_TAIL(&V_pf_pabuf[pp->which == PF_RDR ? 1 : 0], + pa, entries); PF_RULES_WUNLOCK(); return (0); @@ -2607,19 +2623,21 @@ } int -pf_ioctl_get_addrs(struct pfioc_pooladdr *pp) +pf_ioctl_get_addrs(struct pf_nl_pooladdr *pp) { struct pf_kpool *pool; struct pf_kpooladdr *pa; PF_RULES_RLOCK_TRACKER; + MPASS(pp->which == PF_RDR || pp->which == PF_NAT); + pp->anchor[sizeof(pp->anchor) - 1] = 0; pp->nr = 0; PF_RULES_RLOCK(); pool = pf_get_kpool(pp->anchor, pp->ticket, pp->r_action, - pp->r_num, 0, 1, 0); + pp->r_num, 0, 1, 0, pp->which); if (pool == NULL) { PF_RULES_RUNLOCK(); return (EBUSY); @@ -2632,19 +2650,21 @@ } int -pf_ioctl_get_addr(struct pfioc_pooladdr *pp) +pf_ioctl_get_addr(struct pf_nl_pooladdr *pp) { struct pf_kpool *pool; struct pf_kpooladdr *pa; u_int32_t nr = 0; + MPASS(pp->which == PF_RDR || pp->which == PF_NAT); + PF_RULES_RLOCK_TRACKER; pp->anchor[sizeof(pp->anchor) - 1] = 0; PF_RULES_RLOCK(); pool = pf_get_kpool(pp->anchor, pp->ticket, pp->r_action, - pp->r_num, 0, 1, 1); + pp->r_num, 0, 1, 1, pp->which); if (pool == NULL) { PF_RULES_RUNLOCK(); return (EBUSY); @@ -3626,7 +3646,8 @@ newrule->src_nodes = counter_u64_alloc(M_WAITOK); newrule->cuid = td->td_ucred->cr_ruid; newrule->cpid = td->td_proc ? td->td_proc->p_pid : 0; - TAILQ_INIT(&newrule->rpool.list); + TAILQ_INIT(&newrule->nat.list); + TAILQ_INIT(&newrule->rdr.list); } #define ERROUT(x) ERROUT_IOCTL(DIOCCHANGERULE_error, x) @@ -3723,14 +3744,16 @@ error = ENOMEM; if (pf_kanchor_setup(newrule, ruleset, pcr->anchor_call)) error = EINVAL; - TAILQ_FOREACH(pa, &V_pf_pabuf, entries) - if (pa->addr.type == PF_ADDR_TABLE) { - pa->addr.p.tbl = - pfr_attach_table(ruleset, - pa->addr.v.tblname); - if (pa->addr.p.tbl == NULL) - error = ENOMEM; - } + for (int i = 0; i < 2; i++) { + TAILQ_FOREACH(pa, &V_pf_pabuf[i], entries) + if (pa->addr.type == PF_ADDR_TABLE) { + pa->addr.p.tbl = + pfr_attach_table(ruleset, + pa->addr.v.tblname); + if (pa->addr.p.tbl == NULL) + error = ENOMEM; + } + } newrule->overload_tbl = NULL; if (newrule->overload_tblname[0]) { @@ -3743,13 +3766,14 @@ PFR_TFLAG_ACTIVE; } - pf_mv_kpool(&V_pf_pabuf, &newrule->rpool.list); + pf_mv_kpool(&V_pf_pabuf[0], &newrule->nat.list); + pf_mv_kpool(&V_pf_pabuf[1], &newrule->rdr.list); if (((((newrule->action == PF_NAT) || (newrule->action == PF_RDR) || (newrule->action == PF_BINAT) || (newrule->rt > PF_NOPFROUTE)) && !newrule->anchor)) && - (TAILQ_FIRST(&newrule->rpool.list) == NULL)) + (TAILQ_FIRST(&newrule->rdr.list) == NULL)) error = EINVAL; if (error) { @@ -3759,9 +3783,11 @@ break; } - newrule->rpool.cur = TAILQ_FIRST(&newrule->rpool.list); + newrule->nat.cur = TAILQ_FIRST(&newrule->nat.list); + newrule->rdr.cur = TAILQ_FIRST(&newrule->rdr.list); } - pf_empty_kpool(&V_pf_pabuf); + pf_empty_kpool(&V_pf_pabuf[0]); + pf_empty_kpool(&V_pf_pabuf[1]); if (pcr->action == PF_CHANGE_ADD_HEAD) oldrule = TAILQ_FIRST( @@ -4390,22 +4416,35 @@ case DIOCADDADDR: { struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr; + struct pf_nl_pooladdr npp = {}; - error = pf_ioctl_add_addr(pp); + npp.which = PF_RDR; + memcpy(&npp, pp, sizeof(*pp)); + error = pf_ioctl_add_addr(&npp); break; } case DIOCGETADDRS: { struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr; + struct pf_nl_pooladdr npp = {}; + + npp.which = PF_RDR; + memcpy(&npp, pp, sizeof(*pp)); + error = pf_ioctl_get_addrs(&npp); + memcpy(pp, &npp, sizeof(*pp)); - error = pf_ioctl_get_addrs(pp); break; } case DIOCGETADDR: { struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr; + struct pf_nl_pooladdr npp = {}; + + npp.which = PF_RDR; + memcpy(&npp, pp, sizeof(*pp)); + error = pf_ioctl_get_addr(&npp); + memcpy(pp, &npp, sizeof(*pp)); - error = pf_ioctl_get_addr(pp); break; } @@ -4460,7 +4499,7 @@ ERROUT(EBUSY); pool = pf_get_kpool(pca->anchor, pca->ticket, pca->r_action, - pca->r_num, pca->r_last, 1, 1); + pca->r_num, pca->r_last, 1, 1, PF_RDR); if (pool == NULL) ERROUT(EBUSY); diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c @@ -149,8 +149,8 @@ if (r->action == PF_BINAT && pd->dir == PF_IN) { src = &r->dst; - if (r->rpool.cur != NULL) - xdst = &r->rpool.cur->addr; + if (r->rdr.cur != NULL) + xdst = &r->rdr.cur->addr; } else { src = &r->src; dst = &r->dst; @@ -241,7 +241,7 @@ * from the mapping. In this case we have to look up the src_node as * pf_map_addr would. */ - if (proto == IPPROTO_UDP && (r->rpool.opts & PF_POOL_ENDPI)) { + if (proto == IPPROTO_UDP && (r->rdr.opts & PF_POOL_ENDPI)) { struct pf_udp_endpoint_cmp udp_source; bzero(&udp_source, sizeof(udp_source)); @@ -253,8 +253,8 @@ PF_ACPY(naddr, &(*udp_mapping)->endpoints[1].addr, af); *nport = (*udp_mapping)->endpoints[1].port; /* Try to find a src_node as per pf_map_addr(). */ - if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR && - (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) + if (*sn == NULL && r->rdr.opts & PF_POOL_STICKYADDR && + (r->rdr.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) *sn = pf_find_src_node(saddr, r, af, &sh, 0); return (0); } else { @@ -362,7 +362,7 @@ tmp = cut; for (tmp -= 1; tmp >= low && tmp <= 0xffff; --tmp) { if (proto == IPPROTO_UDP && - (r->rpool.opts & PF_POOL_ENDPI)) { + (r->rdr.opts & PF_POOL_ENDPI)) { (*udp_mapping)->endpoints[1].port = htons(tmp); if (pf_udp_mapping_insert(*udp_mapping) == 0) { *nport = htons(tmp); @@ -378,7 +378,7 @@ } } - switch (r->rpool.opts & PF_POOL_TYPEMASK) { + switch (r->rdr.opts & PF_POOL_TYPEMASK) { case PF_POOL_RANDOM: case PF_POOL_ROUNDROBIN: /* @@ -420,13 +420,13 @@ uint16_t i, ahigh, cut; int ashift, psidshift; - ashift = 16 - r->rpool.mape.offset; - psidshift = ashift - r->rpool.mape.psidlen; - psmask = r->rpool.mape.psid & ((1U << r->rpool.mape.psidlen) - 1); + ashift = 16 - r->rdr.mape.offset; + psidshift = ashift - r->rdr.mape.psidlen; + psmask = r->rdr.mape.psid & ((1U << r->rdr.mape.psidlen) - 1); psmask = psmask << psidshift; highmask = (1U << psidshift) - 1; - ahigh = (1U << r->rpool.mape.offset) - 1; + ahigh = (1U << r->rdr.mape.offset) - 1; cut = arc4random() & ahigh; if (cut == 0) cut = 1; @@ -451,7 +451,7 @@ struct pf_addr *naddr, struct pfi_kkif **nkif, struct pf_addr *init_addr) { u_short reason = PFRES_MATCH; - struct pf_kpool *rpool = &r->rpool; + struct pf_kpool *rpool = &r->rdr; struct pf_addr *raddr = NULL, *rmask = NULL; mtx_lock(&rpool->mtx); @@ -626,13 +626,13 @@ struct pf_ksrc_node **sn) { u_short reason = 0; - struct pf_kpool *rpool = &r->rpool; + struct pf_kpool *rpool = &r->rdr; struct pf_srchash *sh = NULL; /* Try to find a src_node if none was given and this is a sticky-address rule. */ - if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR && - (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) + if (*sn == NULL && r->rdr.opts & PF_POOL_STICKYADDR && + (r->rdr.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) *sn = pf_find_src_node(saddr, r, af, &sh, false); /* If a src_node was found or explicitly given and it has a non-zero @@ -760,18 +760,18 @@ low = 1; high = 65535; } else { - low = r->rpool.proxy_port[0]; - high = r->rpool.proxy_port[1]; + low = r->rdr.proxy_port[0]; + high = r->rdr.proxy_port[1]; } - if (r->rpool.mape.offset > 0) { + if (r->rdr.mape.offset > 0) { if (pf_get_mape_sport(pd->af, pd->proto, r, saddr, sport, daddr, dport, naddr, nportp, sn, udp_mapping)) { DPFPRINTF(PF_DEBUG_MISC, ("pf: MAP-E port allocation (%u/%u/%u)" " failed\n", - r->rpool.mape.offset, - r->rpool.mape.psidlen, - r->rpool.mape.psid)); + r->rdr.mape.offset, + r->rdr.mape.psidlen, + r->rdr.mape.psid)); reason = PFRES_MAPFAILED; goto notrans; } @@ -779,7 +779,7 @@ daddr, dport, naddr, nportp, low, high, sn, udp_mapping)) { DPFPRINTF(PF_DEBUG_MISC, ("pf: NAT proxy port allocation (%u-%u) failed\n", - r->rpool.proxy_port[0], r->rpool.proxy_port[1])); + r->rdr.proxy_port[0], r->rdr.proxy_port[1])); reason = PFRES_MAPFAILED; goto notrans; } @@ -787,41 +787,41 @@ case PF_BINAT: switch (pd->dir) { case PF_OUT: - if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){ + if (r->rdr.cur->addr.type == PF_ADDR_DYNIFTL){ switch (pd->af) { #ifdef INET case AF_INET: - if (r->rpool.cur->addr.p.dyn-> + if (r->rdr.cur->addr.p.dyn-> pfid_acnt4 < 1) { reason = PFRES_MAPFAILED; goto notrans; } PF_POOLMASK(naddr, - &r->rpool.cur->addr.p.dyn-> + &r->rdr.cur->addr.p.dyn-> pfid_addr4, - &r->rpool.cur->addr.p.dyn-> + &r->rdr.cur->addr.p.dyn-> pfid_mask4, saddr, AF_INET); break; #endif /* INET */ #ifdef INET6 case AF_INET6: - if (r->rpool.cur->addr.p.dyn-> + if (r->rdr.cur->addr.p.dyn-> pfid_acnt6 < 1) { reason = PFRES_MAPFAILED; goto notrans; } PF_POOLMASK(naddr, - &r->rpool.cur->addr.p.dyn-> + &r->rdr.cur->addr.p.dyn-> pfid_addr6, - &r->rpool.cur->addr.p.dyn-> + &r->rdr.cur->addr.p.dyn-> pfid_mask6, saddr, AF_INET6); break; #endif /* INET6 */ } } else PF_POOLMASK(naddr, - &r->rpool.cur->addr.v.a.addr, - &r->rpool.cur->addr.v.a.mask, saddr, + &r->rdr.cur->addr.v.a.addr, + &r->rdr.cur->addr.v.a.mask, saddr, pd->af); break; case PF_IN: @@ -866,27 +866,27 @@ reason = pf_map_addr_sn(pd->af, r, saddr, naddr, NULL, NULL, sn); if (reason != 0) goto notrans; - if ((r->rpool.opts & PF_POOL_TYPEMASK) == PF_POOL_BITMASK) - PF_POOLMASK(naddr, naddr, &r->rpool.cur->addr.v.a.mask, + if ((r->rdr.opts & PF_POOL_TYPEMASK) == PF_POOL_BITMASK) + PF_POOLMASK(naddr, naddr, &r->rdr.cur->addr.v.a.mask, daddr, pd->af); /* Do not change SCTP ports. */ if (pd->proto == IPPROTO_SCTP) break; - if (r->rpool.proxy_port[1]) { + if (r->rdr.proxy_port[1]) { uint32_t tmp_nport; tmp_nport = ((ntohs(dport) - ntohs(r->dst.port[0])) % - (r->rpool.proxy_port[1] - r->rpool.proxy_port[0] + - 1)) + r->rpool.proxy_port[0]; + (r->rdr.proxy_port[1] - r->rdr.proxy_port[0] + + 1)) + r->rdr.proxy_port[0]; /* Wrap around if necessary. */ if (tmp_nport > 65535) tmp_nport -= 65535; nport = htons((uint16_t)tmp_nport); - } else if (r->rpool.proxy_port[0]) - nport = htons(r->rpool.proxy_port[0]); + } else if (r->rdr.proxy_port[0]) + nport = htons(r->rdr.proxy_port[0]); else nport = dport; diff --git a/sys/netpfil/pf/pf_nl.h b/sys/netpfil/pf/pf_nl.h --- a/sys/netpfil/pf/pf_nl.h +++ b/sys/netpfil/pf/pf_nl.h @@ -262,6 +262,7 @@ PF_RT_ANCHOR_CALL = 72, /* string */ PF_RT_RCV_IFNAME = 73, /* string */ PF_RT_MAX_SRC_CONN = 74, /* u32 */ + PF_RT_NAT = 75, /* nested, pf_rpool_type_t */ }; enum pf_addrule_type_t { @@ -381,6 +382,7 @@ PF_AA_AF = 7, /* u8 */ PF_AA_ANCHOR = 8, /* string */ PF_AA_ADDR = 9, /* nested, pf_pooladdr */ + PF_AA_WHICH = 10, /* u32 */ }; enum pf_get_rulesets_types_t { diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c --- a/sys/netpfil/pf/pf_nl.c +++ b/sys/netpfil/pf/pf_nl.c @@ -678,7 +678,7 @@ { .type = PF_RT_TAGNAME, .off = _OUT(tagname), .arg = (void *)PF_TAG_NAME_SIZE, .cb = nlattr_get_chara }, { .type = PF_RT_MATCH_TAGNAME, .off = _OUT(match_tagname), .arg = (void *)PF_TAG_NAME_SIZE, .cb = nlattr_get_chara }, { .type = PF_RT_OVERLOAD_TBLNAME, .off = _OUT(overload_tblname), .arg = (void *)PF_TABLE_NAME_SIZE, .cb = nlattr_get_chara }, - { .type = PF_RT_RPOOL, .off = _OUT(rpool), .arg = &pool_parser, .cb = nlattr_get_nested }, + { .type = PF_RT_RPOOL, .off = _OUT(rdr), .arg = &pool_parser, .cb = nlattr_get_nested }, { .type = PF_RT_OS_FINGERPRINT, .off = _OUT(os_fingerprint), .cb = nlattr_get_uint32 }, { .type = PF_RT_RTABLEID, .off = _OUT(rtableid), .cb = nlattr_get_uint32 }, { .type = PF_RT_TIMEOUT, .off = _OUT(timeout), .arg = &timeout_parser, .cb = nlattr_get_nested_timeouts }, @@ -732,6 +732,7 @@ { .type = PF_RT_DIVERT_PORT, .off = _OUT(divert.port), .cb = nlattr_get_uint16 }, { .type = PF_RT_RCV_IFNAME, .off = _OUT(rcv_ifname), .arg = (void *)IFNAMSIZ, .cb = nlattr_get_chara }, { .type = PF_RT_MAX_SRC_CONN, .off = _OUT(max_src_conn), .cb = nlattr_get_uint32 }, + { .type = PF_RT_NAT, .off = _OUT(nat), .arg = &pool_parser, .cb = nlattr_get_nested }, }; NL_DECLARE_ATTR_PARSER(rule_parser, nla_p_rule); #undef _OUT @@ -915,7 +916,8 @@ nlattr_add_string(nw, PF_RT_TAGNAME, rule->tagname); nlattr_add_string(nw, PF_RT_MATCH_TAGNAME, rule->match_tagname); nlattr_add_string(nw, PF_RT_OVERLOAD_TBLNAME, rule->overload_tblname); - nlattr_add_pool(nw, PF_RT_RPOOL, &rule->rpool); + nlattr_add_pool(nw, PF_RT_RPOOL, &rule->rdr); + nlattr_add_pool(nw, PF_RT_NAT, &rule->nat); nlattr_add_u32(nw, PF_RT_OS_FINGERPRINT, rule->os_fingerprint); nlattr_add_u32(nw, PF_RT_RTABLEID, rule->rtableid); nlattr_add_timeout(nw, PF_RT_TIMEOUT, rule->timeout); @@ -1528,7 +1530,7 @@ NL_DECLARE_ATTR_PARSER(pool_addr_parser, nla_p_pool_addr); #undef _OUT -#define _OUT(_field) offsetof(struct pfioc_pooladdr, _field) +#define _OUT(_field) offsetof(struct pf_nl_pooladdr, _field) static const struct nlattr_parser nla_p_add_addr[] = { { .type = PF_AA_ACTION, .off = _OUT(action), .cb = nlattr_get_uint32 }, { .type = PF_AA_TICKET, .off = _OUT(ticket), .cb = nlattr_get_uint32 }, @@ -1539,6 +1541,7 @@ { .type = PF_AA_AF, .off = _OUT(af), .cb = nlattr_get_uint8 }, { .type = PF_AA_ANCHOR, .off = _OUT(anchor), .arg = (void *)MAXPATHLEN, .cb = nlattr_get_chara }, { .type = PF_AA_ADDR, .off = _OUT(addr), .arg = &pool_addr_parser, .cb = nlattr_get_nested }, + { .type = PF_AA_WHICH, .off = _OUT(which), .cb = nlattr_get_uint32 }, }; static const struct nlfield_parser nlf_p_add_addr[] = {}; #undef _OUT @@ -1547,13 +1550,16 @@ static int pf_handle_add_addr(struct nlmsghdr *hdr, struct nl_pstate *npt) { - struct pfioc_pooladdr attrs = { 0 }; + struct pf_nl_pooladdr attrs = { 0 }; int error; error = nl_parse_nlmsg(hdr, &add_addr_parser, npt, &attrs); if (error != 0) return (error); + if (attrs.which == 0) + attrs.which = PF_RDR; + error = pf_ioctl_add_addr(&attrs); return (error); @@ -1562,7 +1568,7 @@ static int pf_handle_get_addrs(struct nlmsghdr *hdr, struct nl_pstate *npt) { - struct pfioc_pooladdr attrs = { 0 }; + struct pf_nl_pooladdr attrs = { 0 }; struct nl_writer *nw = npt->nw; struct genlmsghdr *ghdr_new; int error; @@ -1571,6 +1577,9 @@ if (error != 0) return (error); + if (attrs.which == 0) + attrs.which = PF_RDR; + error = pf_ioctl_get_addrs(&attrs); if (error != 0) return (error); @@ -1596,7 +1605,7 @@ static int pf_handle_get_addr(struct nlmsghdr *hdr, struct nl_pstate *npt) { - struct pfioc_pooladdr attrs = { 0 }; + struct pf_nl_pooladdr attrs = { 0 }; struct nl_writer *nw = npt->nw; struct genlmsghdr *ghdr_new; int error; @@ -1605,6 +1614,9 @@ if (error != 0) return (error); + if (attrs.which == 0) + attrs.which = PF_RDR; + error = pf_ioctl_get_addr(&attrs); if (error != 0) return (error); diff --git a/sys/netpfil/pf/pf_nv.c b/sys/netpfil/pf/pf_nv.c --- a/sys/netpfil/pf/pf_nv.c +++ b/sys/netpfil/pf/pf_nv.c @@ -563,7 +563,7 @@ if (! nvlist_exists_nvlist(nvl, "rpool")) ERROUT(EINVAL); PFNV_CHK(pf_nvpool_to_pool(nvlist_get_nvlist(nvl, "rpool"), - &rule->rpool)); + &rule->rdr)); PFNV_CHK(pf_nvuint32(nvl, "os_fingerprint", &rule->os_fingerprint)); @@ -721,7 +721,7 @@ nvlist_add_string(nvl, "match_tagname", rule->match_tagname); nvlist_add_string(nvl, "overload_tblname", rule->overload_tblname); - tmp = pf_pool_to_nvpool(&rule->rpool); + tmp = pf_pool_to_nvpool(&rule->rdr); if (tmp == NULL) goto error; nvlist_add_nvlist(nvl, "rpool", tmp);