Differential D38025 Diff 119138 sys/netpfil/pf/pf_ioctl.c

Changeset View

Standalone View

sys/netpfil/pf/pf_ioctl.c

Show First 20 Lines • Show All 378 Lines • ▼ Show 20 Lines	#endif
my_timeout[PFTM_FRAG] = PFTM_FRAG_VAL;		my_timeout[PFTM_FRAG] = PFTM_FRAG_VAL;
my_timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL;		my_timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL;
my_timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL;		my_timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL;
my_timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;		my_timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
my_timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;		my_timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;
my_timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;		my_timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;

V_pf_status.debug = PF_DEBUG_URGENT;		V_pf_status.debug = PF_DEBUG_URGENT;
		/*
		* XXX This is different than in OpenBSD where reassembly is enabled by
		* defult. In FreeBSD we expect people to still use scrub rules and
		* switch to the new syntax later. Only when they switch they must
		* explicitly enable reassemle. We could change the default once the
		* scrub rule functionality is hopefully removed some day in future.
		*/
		V_pf_status.reass = 0;

V_pf_pfil_hooked = false;		V_pf_pfil_hooked = false;
V_pf_pfil_eth_hooked = false;		V_pf_pfil_eth_hooked = false;

/* XXX do our best to avoid a conflict */		/* XXX do our best to avoid a conflict */
V_pf_status.hostid = arc4random();		V_pf_status.hostid = arc4random();

for (int i = 0; i < PFRES_MAX; i++)		for (int i = 0; i < PFRES_MAX; i++)
▲ Show 20 Lines • Show All 905 Lines • ▼ Show 20 Lines	pf_hash_rule_rolling(MD5_CTX ctx, struct pf_krule rule)
PF_MD5_UPD(rule, proto);		PF_MD5_UPD(rule, proto);
PF_MD5_UPD(rule, type);		PF_MD5_UPD(rule, type);
PF_MD5_UPD(rule, code);		PF_MD5_UPD(rule, code);
PF_MD5_UPD(rule, flags);		PF_MD5_UPD(rule, flags);
PF_MD5_UPD(rule, flagset);		PF_MD5_UPD(rule, flagset);
PF_MD5_UPD(rule, allow_opts);		PF_MD5_UPD(rule, allow_opts);
PF_MD5_UPD(rule, rt);		PF_MD5_UPD(rule, rt);
PF_MD5_UPD(rule, tos);		PF_MD5_UPD(rule, tos);
		PF_MD5_UPD(rule, scrub_flags);
		PF_MD5_UPD(rule, min_ttl);
		PF_MD5_UPD(rule, set_tos);
if (rule->anchor != NULL)		if (rule->anchor != NULL)
PF_MD5_UPD_STR(rule, anchor->path);		PF_MD5_UPD_STR(rule, anchor->path);
}		}

static void		static void
pf_hash_rule(struct pf_krule *rule)		pf_hash_rule(struct pf_krule *rule)
{		{
MD5_CTX ctx;		MD5_CTX ctx;
▲ Show 20 Lines • Show All 4,304 Lines • ▼ Show 20 Lines	case DIOCCLRIFFLAG: {
io->pfiio_name[sizeof(io->pfiio_name) - 1] = '\0';		io->pfiio_name[sizeof(io->pfiio_name) - 1] = '\0';

PF_RULES_WLOCK();		PF_RULES_WLOCK();
error = pfi_clear_flags(io->pfiio_name, io->pfiio_flags);		error = pfi_clear_flags(io->pfiio_name, io->pfiio_flags);
PF_RULES_WUNLOCK();		PF_RULES_WUNLOCK();
break;		break;
}		}

		case DIOCSETREASS: {
		u_int32_t reass = (u_int32_t )addr;

		V_pf_status.reass = *reass & (PF_REASS_ENABLED\|PF_REASS_NODF);
		kpUnsubmitted Done Inline Actions `V_pf_status.reass = reass & PF_REASS_ENABLED`? If nothing else that prevents us from accidentally setting random flags briefly, which might turn into a very difficult to debug race condition years down the line. kp:* `V_pf_status.reass = *reass & PF_REASS_ENABLED`? If nothing else that prevents us from…
		vegeta_tuxpowered.netAuthorUnsubmitted Done Inline Actions That would rather be V_pf_status.reass = reass & (PF_REASS_ENABLED\|PF_REASS_NODF); vegeta_tuxpowered.net:* That would rather be ``` V_pf_status.reass = *reass & (PF_REASS_ENABLED\|PF_REASS_NODF); ```
		/* Removal of DF flag without reassembly enabled is not a
		* valid combination. Disable reassembly in such case. */
		if (!(V_pf_status.reass & PF_REASS_ENABLED))
		V_pf_status.reass = 0;
		break;
		}

default:		default:
error = ENODEV;		error = ENODEV;
break;		break;
}		}
fail:		fail:
if (sx_xlocked(&pf_ioctl_lock))		if (sx_xlocked(&pf_ioctl_lock))
sx_xunlock(&pf_ioctl_lock);		sx_xunlock(&pf_ioctl_lock);
CURVNET_RESTORE();		CURVNET_RESTORE();
Show All 28 Lines	pfsync_state_export(struct pfsync_state sp, struct pf_kstate st)
if (sp->expire <= time_uptime)		if (sp->expire <= time_uptime)
sp->expire = htonl(0);		sp->expire = htonl(0);
else		else
sp->expire = htonl(sp->expire - time_uptime);		sp->expire = htonl(sp->expire - time_uptime);

sp->direction = st->direction;		sp->direction = st->direction;
sp->log = st->log;		sp->log = st->log;
sp->timeout = st->timeout;		sp->timeout = st->timeout;
sp->state_flags = st->state_flags;		sp->state_flags_compat = st->state_flags;
		sp->state_flags = htons(st->state_flags);
if (st->src_node)		if (st->src_node)
sp->sync_flags \|= PFSYNC_FLAG_SRCNODE;		sp->sync_flags \|= PFSYNC_FLAG_SRCNODE;
if (st->nat_src_node)		if (st->nat_src_node)
sp->sync_flags \|= PFSYNC_FLAG_NATSRCNODE;		sp->sync_flags \|= PFSYNC_FLAG_NATSRCNODE;

sp->id = st->id;		sp->id = st->id;
sp->creatorid = st->creatorid;		sp->creatorid = st->creatorid;
pf_state_peer_hton(&st->src, &sp->src);		pf_state_peer_hton(&st->src, &sp->src);
▲ Show 20 Lines • Show All 47 Lines • ▼ Show 20 Lines	pf_state_export(struct pf_state_export sp, struct pf_kstate st)
if (sp->expire <= time_uptime)		if (sp->expire <= time_uptime)
sp->expire = htonl(0);		sp->expire = htonl(0);
else		else
sp->expire = htonl(sp->expire - time_uptime);		sp->expire = htonl(sp->expire - time_uptime);

sp->direction = st->direction;		sp->direction = st->direction;
sp->log = st->log;		sp->log = st->log;
sp->timeout = st->timeout;		sp->timeout = st->timeout;
		/* 8 bits for old peers, 16 bits for new peers */
		sp->state_flags_compat = st->state_flags;
sp->state_flags = st->state_flags;		sp->state_flags = st->state_flags;
if (st->src_node)		if (st->src_node)
sp->sync_flags \|= PFSYNC_FLAG_SRCNODE;		sp->sync_flags \|= PFSYNC_FLAG_SRCNODE;
if (st->nat_src_node)		if (st->nat_src_node)
sp->sync_flags \|= PFSYNC_FLAG_NATSRCNODE;		sp->sync_flags \|= PFSYNC_FLAG_NATSRCNODE;

sp->id = st->id;		sp->id = st->id;
sp->creatorid = st->creatorid;		sp->creatorid = st->creatorid;
▲ Show 20 Lines • Show All 79 Lines • ▼ Show 20 Lines	if (nvl == NULL)
ERROUT(ENOMEM);		ERROUT(ENOMEM);

nvlist_add_bool(nvl, "running", V_pf_status.running);		nvlist_add_bool(nvl, "running", V_pf_status.running);
nvlist_add_number(nvl, "since", V_pf_status.since);		nvlist_add_number(nvl, "since", V_pf_status.since);
nvlist_add_number(nvl, "debug", V_pf_status.debug);		nvlist_add_number(nvl, "debug", V_pf_status.debug);
nvlist_add_number(nvl, "hostid", V_pf_status.hostid);		nvlist_add_number(nvl, "hostid", V_pf_status.hostid);
nvlist_add_number(nvl, "states", V_pf_status.states);		nvlist_add_number(nvl, "states", V_pf_status.states);
nvlist_add_number(nvl, "src_nodes", V_pf_status.src_nodes);		nvlist_add_number(nvl, "src_nodes", V_pf_status.src_nodes);
		nvlist_add_number(nvl, "reass", V_pf_status.reass);
nvlist_add_bool(nvl, "syncookies_active",		nvlist_add_bool(nvl, "syncookies_active",
V_pf_status.syncookies_active);		V_pf_status.syncookies_active);

/* counters */		/* counters */
error = pf_add_status_counters(nvl, "counters", V_pf_status.counters,		error = pf_add_status_counters(nvl, "counters", V_pf_status.counters,
PFRES_MAX, pf_reasons);		PFRES_MAX, pf_reasons);
if (error != 0)		if (error != 0)
ERROUT(error);		ERROUT(error);
▲ Show 20 Lines • Show All 1,025 Lines • Show Last 20 Lines